[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




ASSESSING HIPAA: HOW FEDERAL MEDICAL RECORD PRIVACY REGULATIONS CAN BE 
                                IMPROVED

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 22, 2001

                               __________

                           Serial No. 107-15

                               __________

       Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house

                               __________

                   U.S. GOVERNMENT PRINTING OFFICE
71-494                     WASHINGTON : 2001


                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

                         Subcommittee on Health

                  MICHAEL BILIRAKIS, Florida, Chairman

JOE BARTON, Texas                    SHERROD BROWN, Ohio
FRED UPTON, Michigan                 HENRY A. WAXMAN, California
JAMES C. GREENWOOD, Pennsylvania     TED STRICKLAND, Ohio
NATHAN DEAL, Georgia                 THOMAS M. BARRETT, Wisconsin
RICHARD BURR, North Carolina         LOIS CAPPS, California
ED WHITFIELD, Kentucky               RALPH M. HALL, Texas
GREG GANSKE, Iowa                    EDOLPHUS TOWNS, New York
CHARLIE NORWOOD, Georgia             FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      PETER DEUTSCH, Florida
BARBARA CUBIN, Wyoming               ANNA G. ESHOO, California
HEATHER WILSON, New Mexico           BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona             ELIOT L. ENGEL, New York
CHARLES ``CHIP'' PICKERING,          ALBERT R. WYNN, Maryland
Mississippi                          GENE GREEN, Texas
ED BRYANT, Tennessee                 JOHN D. DINGELL, Michigan,
ROBERT L. EHRLICH, Jr., Maryland       (Ex Officio)
STEVE BUYER, Indiana
JOSEPH R. PITTS, Pennsylvania
W.J. ``BILLY'' TAUZIN, Louisiana
  (Ex Officio)



                            C O N T E N T S

                               __________

Testimony of:
    Appelbaum, Paul, Chairman, Department of Psychiatry, 
      University of Massachusetts Medical School
    Clough, John D., Director of Health Affairs, Cleveland Clinic 
      Foundation
    Foley, Mary E., President, American Nurses Association
    Goldman, Janlori, Director, Health Privacy Project, Institute 
      for Health Care Research and Policy, Georgetown University
    Heird, Robert, Senior Vice President, Anthem Bluecross 
      Blueshield
    Melski, John, Medical Director of Informatics, Marshfield 
      Clinic
    Ortiz, Carlos R., Director of Government Affairs, CVS 
      Pharmacy
Material submitted for the record by:
    American Association of Health Plans, prepared statement of
    American Association of Occupational Health Nurses, Inc., 
      letter dated March 26, 2001, providing comments for the 
      record
    Lower, Robert C., Alston & Bird LLP, prepared statement of

ASSESSING HIPAA: HOW FEDERAL MEDICAL RECORD PRIVACY REGULATIONS CAN BE 
                                IMPROVED

                              ----------                              


                        THURSDAY, MARCH 22, 2001

                  House of Representatives,
                  Committee on Energy and Commerce,
                                    Subcommittee on Health,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m. in 
Room 2123, Rayburn House Office Building, Hon. Michael 
Bilirakis (chairman) presiding.
    Members present: Representatives Bilirakis, Upton, 
Greenwood, Whitfield, Ganske, Norwood, Shadegg, Bryant, Buyer, 
Pitts, Tauzin (ex officio), Brown, Waxman, Barrett, Capps, 
Stupak, Engel, Wynn, Green, and Dingell (ex officio).
    Also present: Representative Markey.
    Staff present: Marc Wheat, majority counsel; Brent 
Delmonte, majority counsel; Kristi Gillis, legislative clerk; 
and John Ford, minority counsel.
    Mr. Bilirakis. Can we have order please? Good morning. 
Today the subcommittee tackles a very complex issue, the 
medical records privacy rule issued last year by the outgoing 
administration.
    This is an issue of great importance to both health care 
consumers and the regulated community, and we will hear the 
views of expert witnesses about whether the rule adequately 
balances the interests involved.
    Americans should feel secure in knowing that their medical 
records are kept confidential in virtually every instance, 
unless disclosure of their record is authorized by the patients 
themselves. The best way to ensure open and honest 
communication between providers and patients is to guarantee 
that the information shared during such exchanges is kept out 
of the public domain.
    That being said, I have concerns that the regulation issued 
late last year which is presently undergoing a comment period 
may not strike the balance appropriately. For example, some 
local pharmacists from our districts have said that the rule 
may prevent them from filling prescriptions unless they have 
received a signed authorization from the patient. While that 
requirement may sound reasonable, we must think of the elderly 
shut-in who needs her son or daughter to pick up her 
prescriptions. Under the rule, she could not get her 
prescriptions filled without going to the pharmacy to fill out 
the form and pick up the prescription in person. This may not 
be difficult for most people, but it could be a major problem 
for a frail elderly individual.
    Likewise, concerns have been raised about the burdens this 
may place on small rural hospitals. I am told that the rule 
requires them to keep written consent for 6 years. This raises 
several questions: Is it necessary to keep these records? Does 
this recordkeeping requirement help or hurt patients and 
providers? We should be concerned if money that would otherwise 
be spent on patient care would be diverted to other efforts to 
comply with this regulation. Whether that result is likely or 
possible is a question we must explore today.
    I would also like to explore why statutory authorization 
language was dropped from the proposed rule. When the Clinton 
administration first proposed its regulations, there was no 
requirement to obtain the specific consent of the patient 
before disclosing information for treatment and payment. In 
fact, the proposed rule indicated that such a requirement could 
impair care. Subsequently, however, this provision was replaced 
by a requirement to obtain specific consent. Certainly there 
are instances when specific consent should be required before 
medical information is shared with others. However, it may not 
be necessary in other situations, such as when calling 
patients, when scheduling appointments, or answering questions 
about medication interactions when patients call providers.
    Finally, I want to address one concern up front. We will 
not hear today from an administration witness. When an initial 
inquiry was made by us, the Department of Health and Human 
Services indicated that it could not provide a witness to 
testify on the regulation until the comment period ended. We 
have since learned that the Department does not face any legal 
obstacle but, rather, that the regulation issued by the 
previous administration is currently under review and policy 
analysis by the new administration.
    In light of the change in leadership at HHS and the 
complexity of these issues, I understand the Department's 
position. However, I also appreciate very much the concerns 
raised by a number of our colleagues. I know we will hear those 
concerns in opening statements this morning from members who 
would like to hear from the current administration on these 
important issues; and we all want to hear from the current 
administration regarding these issues.
    We have asked them to provide their views on this issue at 
a future hearing, and we are making every effort to have that 
done before the April break.
    In closing, I want to thank all of the witnesses who have 
appeared today to help educate us on this very important 
subject. Your input is vital to this committee's ability to 
ensure the Federal policies and medical records privacy truly 
serve the best interest of the American people.
    The Chair yields to Mr. Brown for an opening statement.
    Mr. Brown. I thank you, Mr. Chairman. Not to disappoint, I 
would like to point out that a lot of us are concerned that 
there is not a witness from the Department of Health and Human 
Services. We do welcome your willingness, in fact, to include a 
witness from HHS to tell their side of the story and to get the 
input we need from the key government agency that is working on 
this issue. I am confident that this lapse in cooperation with 
the minority is an aberration. Our relationship has been very 
good and will continue to be, and we will continue to work well 
together.
    I look forward to hearing from the impressive list of 
witnesses, especially John Clough of Cleveland Clinic, who are 
in attendance this morning. Medical records privacy, to be 
sure, is not a partisan issue. I am confident that every member 
of this subcommittee favors strong privacy rules even if we 
disagree on some of the specifics. And discussing the current 
regulation need not, and I think will not, be a partisan 
exercise.
    Ironically, one of the major concerns I have heard about 
the privacy regulations is that they are too open to multiple 
interpretations and the wording there is too vague. That is another 
way of saying that the regulations are not prescriptive enough, 
that they are too flexible. You rarely hear that concern raised 
about government regulation generally. Still, I think it is a 
valid concern based on my conversations with providers and with 
insurers.
    There are provisions that need further clarification. That 
can be accomplished without delaying implementation of the 
regulation. There may be other provisions that need to be 
rewritten. That, too, can be accomplished without undue delay 
in implementation of these privacy regulations. If at all 
possible, we should try to resolve any of these concerns with 
this legislation without undue delay in implementation.
    We have need of medical privacy protections. We are almost 
there. And on behalf of every person who uses the health care 
system in this country, we should do everything in our power in 
this committee to complete the job.
    That said, we need to listen with an open mind to the 
concerns raised today by providers, by insurers, and other 
stakeholders. In addition to concerns, I hope our witnesses 
will provide specific suggestions on how to address these 
concerns, and the more explicit the better. Again, our 
fundamental objective should be to publish a set of objectives 
that are meaningful and realistic and to do so as soon as 
possible. If that means modifying the current regulations, 
there are mechanisms to do that. We should explore those 
mechanisms before exposing consumers to serious breaches of 
their personal privacy.
    I thank you, Mr. Chairman.
    Mr. Bilirakis. I thank the gentleman. The Chair recognizes 
the gentleman from Indiana, Mr. Buyer, for an opening 
statement.
    Mr. Buyer. I yield back my time.
    Mr. Bilirakis. The Chair appreciates that. Mr. Waxman.
    Mr. Waxman. Last year, the Clinton administration issued a 
medical privacy rule that provides essential protection for 
American families. The rule is long overdue and it is a welcome 
step toward establishing privacy rules that ensure the 
effective operation of our health care system. We should be 
moving forward to put this rule into effect and build on the 
solid foundation of privacy protections it establishes.
    Unfortunately, we are now going in the wrong direction. 
This situation is accurately described in the title of 
Tuesday's USA Today editorial: Bogus Scare Tactics Delay 
Medical Privacy Reforms. I would like to ask unanimous consent 
that this be inserted in the record.
    Mr. Bilirakis. Without objection.
    [The editorial follows:]

                  [Tuesday, March 20, 2001--USA Today]

           BOGUS SCARE TACTICS DELAY MEDICAL-PRIVACY REFORMS

    A couple of years ago, North Carolina resident Terri Seargent got a 
genetic test showing that she is susceptible to a respiratory disease. 
When her employer learned of the results, she got a pink slip.
    Last year, a Maryland school board member's medical records were 
sent to school officials as part of an attack campaign. And more 
recently, a hacker downloaded medical records from patients at the 
University of Washington Medical Center.
    All of this and much more came in the wake of Congress' decision 
back in 1996 to make protecting medical privacy a priority. Medical 
records once safely housed in doctors' offices were, lawmakers 
recognized, too easily collected, sold and disclosed in the Internet 
age. Since then, however, intense lobbying by groups that benefit from 
the status quo has delayed reforms, leaving sensitive medical records 
exposed to marketers, employers and others who want a peek.
    Now those delays are being compounded by the Bush administration's 
decision to take a fresh look at new federal privacy rules--just weeks 
before they were to take effect.
    The history: The 1996 law gave Congress three years to develop 
privacy protections. When Congress missed the deadline, the law ordered 
federal regulators to write rules.
    Slated to take effect April 14, these regulations combat some of 
the worst privacy abuses. For instance, HMOs and doctors would have to 
tell patients who is looking at their records. They'd have to get 
written consent before sharing records with anyone not involved in the 
treatment or payment for care. And patients could see their records and 
fix mistakes.
    Critics--mainly health insurers, pharmacists and marketers--argue 
that the regulations are needlessly heavy-handed and costly. They are 
circulating several horror stories to make their case. But most of 
these claims wither under scrutiny. Among them:

<bullet> that hospitals might have to build soundproof walls between 
        patients in recovery rooms to avoid ``inadvertent disclosure'' 
        of health information. Yet the rule requires only that 
        reasonable privacy safeguards be used, such as keeping voices 
        down.
<bullet> that husbands wouldn't be able to pick up a prescription for 
        their sick wives because of the restrictions on access to 
        records. But the rules specifically allow family members to 
        pick up prescriptions.
<bullet> that quality care would suffer because of restrictions on what 
        doctors can tell each other. However, the restrictions are 
        lifted when data are needed for patient treatment.
    More importantly, ensuring a modicum of privacy will go a long way 
toward improving the quality of health care. Roughly one in six 
patients try to protect privacy by, among other things, dodging doctors 
or lying to them, according to a 1999 Princeton Survey Research 
Associates poll. Forty percent won't give doctors online access to 
their medical records, a California HealthCare Foundation survey found.
    Critics say the rules just need a fresh scrubbing. Indeed, the 
regulations could be improved. That's often the case with a new, 
complex set of rules. And that's why Congress specifically authorized 
regulators to fine-tune the privacy regulations as needed ``to permit 
compliance.''
    Given their long opposition to any meaningful privacy protection, 
critics are more likely looking for ways to weaken the regulations. 
They want, for instance, a federal rule that overturns stronger state 
privacy mandates. The Bush administration has given them until the end 
of this month to voice complaints, and has indicated it might delay the 
regulations to accommodate them.
    Five years after Congress promised better privacy protections for 
medical records, it's patients who need to be accommodated--not those 
lobbying for further delays. 
    Today's debate: Medical records. Critics work overtime to 
undermine pending regulations.

    Mr. Waxman. Well-funded interest groups are engaged in 
concerted efforts to unravel or put off altogether the privacy 
protections in the rule. The administration should be focused 
on working with affected parties to answer questions and issue 
any guidance necessary to ensure effective implementation of 
the rule. Instead, Secretary Thompson reopened the rule for 
comment, raising the possibility that implementation of the 
rule would be delayed beyond the April 14 effective date.
    Congress should be looking at filling in the gaps in 
privacy protection, because even if this rule were put into 
effect, it does not cover all entities that handle an 
individual's health information and it does not have effective 
enforcement mechanisms. So we should be moving forward with 
steps, instead of looking for ways to delay or weaken this 
regulation.
    Let's be clear about this. While almost every Member of 
Congress pays lip service to the importance of privacy of 
medical records, over a period of 20 years we have shown that 
we were uniquely unable to enact detailed legislation. That is 
precisely why the Congress gave authority to the Department of 
Health and Human Services to issue a rule if we have failed 
once again to act.
    HHS has now done that. This medical privacy rule is the 
product not only of many prior years of deliberation by 
Congress but extensive public involvement as well. In fact, HHS 
received and considered over 52,000 comments. There is no 
excuse to delay any further.
    Mr. Bilirakis. Would the gentleman please summarize?
    Mr. Waxman. I will, Mr. Chairman. I just want to say that 
if we do not have privacy protections in place, we are going to 
continue to see 1 out of every 6 American adults take 
counterproductive steps, such as giving inaccurate information 
to their physicians or avoiding health care altogether, because 
of privacy fears.
    And Americans are avoiding genetic testing because of 
concerns about privacy and discrimination. I think some of the 
arguments that have been used by the industry groups that are 
fighting this have been almost laughable. They talk about 
things they would like to do, like build new walls and so 
forth, even though the rule says take reasonable efforts.
    Mr. Bilirakis. With all due----
    Mr. Waxman. Mr. Chairman, I want to close my comments by 
saying when these rules were pending, the Department of Health 
and Human Services went to the Ways and Means Committee and 
sent a representative to talk about this issue. They did not 
have to stay away from commenting before the Congress because a 
rule was pending. I don't think Secretary Thompson should stay 
away from Congress and use that as an excuse because a rule is 
pending. We should be working with them.
    [The prepared statement of Hon. Henry A. Waxman follows:]
    Prepared Statement of Hon. Henry A. Waxman, a Representative in 
                 Congress from the State of California
    Last December, the Clinton Administration issued a medical privacy 
rule that provides essential protections for American families. The 
rule is a long-overdue and welcome step toward establishing privacy 
rules that ensure the effective operation of our health care system.
    We should be moving forward to put this rule into effect and build 
on the solid foundation of privacy protections it establishes. 
Unfortunately, we are now going in the wrong direction. This situation 
is accurately described in the title of Tuesday's USA Today editorial: 
``Bogus Scare Tactics Delay Medical Privacy Reforms.'' Well-funded 
interest groups are engaged in concerted efforts to unravel or put off 
altogether the privacy protections in the rule.
    The Administration should be focused on working with affected 
parties to answer questions and issue any guidance necessary to ensure 
effective implementation of the rule. Instead, Secretary Thompson 
reopened the rule for comment, raising the possibility that 
implementation of the rule will be delayed beyond the April 14 
effective date.
    Congress should be focused on filling the remaining gaps in privacy 
protection. For example, we should be strengthening the regulation by 
covering all entities that handle an individual's health information, 
and augmenting the law's enforcement mechanisms. We should move forward 
with such steps instead of looking for ways to delay or weaken the 
regulation.
    Let's be clear about this. While almost every Member of Congress 
pays lip service to the importance of privacy of medical records, over 
a period of over 20 years, we have shown that we are uniquely unable to 
enact detailed legislation. That is precisely why we gave the authority 
to HHS to issue a rule if we failed once again to act. HHS has now done 
that.
    This medical privacy rule is the product not only of many prior 
years of deliberation by the Congress but extensive public involvement 
as well. In fact, HHS received and considered over 52,000 comments. 
There is no excuse to delay further.
    The current absence of privacy protection is not without 
consequences. A recent survey showed that one out of every six American 
adults takes counterproductive steps, such as giving inaccurate 
information to their physicians or avoiding health care altogether, 
because of privacy fears. Other studies show that Americans are 
avoiding genetic testing because of concerns about privacy and 
discrimination.
    Increased confidence in health privacy protections will mean that 
more American consumers will be willing to seek out health care that 
could prevent or result in early screening of conditions that are 
significantly more costly to treat at later stages.
    I believe that policymakers should carefully examine the various 
questions that have been raised regarding the rule. But I have heard no 
good argument for delaying the rule during this process.
    And as we go through this process, I urge that we avoid indulging 
silly hypothetical scenarios that spread misinformation about the rule. 
We've heard a lot of these in recent weeks.
    For example, as pointed out by the USA Today editorial, the rule 
requires ``reasonable'' safeguards to prevent inappropriate 
disclosures. Yet some are claiming this means ``hospitals might have to 
build soundproof walls between patients in recovery rooms.'' The rule 
also requires ``reasonable efforts'' to limit the disclosure of a 
patient's health record to the minimum amount necessary. Yet at a 
recent industry briefing for congressional staff, one speaker claimed 
this means covered entities might have to ``clip a microphone on every 
employee to record what he or she says so we could audit that 
information.'' These kinds of comments are difficult to take seriously.
    I hope that this hearing provides for a productive discussion of 
medical privacy issues. Given that there are pressing questions 
regarding why Secretary Thompson opened up the rule for additional 
comment and what his intentions are regarding implementation, it would 
have made sense for the majority to ask the Secretary to testify at 
this hearing. I want to note that I'm disappointed that this invitation 
was not extended.
    That said, I look forward to hearing from the witnesses who are 
before us today.

    Mr. Bilirakis. The gentleman's time has expired. Secretary 
Thompson will appear before this committee or the full 
committee, whatever the case may be, and respond regarding 
their position on these regulations.
    Dr. Norwood.
    Mr. Norwood. Thank you very much, Mr. Chairman. I do 
appreciate you holding this hearing. A few weeks ago the House 
took up consideration of the regulations on ergonomics. Many of 
us felt that the regulation on ergonomics was ill conceived and 
would have led to a tremendous disruption in a range of 
industries. It did not mean we do not believe that there is 
such a thing as repetitive motion syndrome. We did not believe 
that rule, that regulation was correct. We feel strongly that 
those regulations were the wrong thing to do, and Congress 
voted to rescind the regulations.
    So here we are this morning, considering another rule with 
the potential to have a tremendous impact on a wide range of 
industries in the health care system. While I do not have 
feelings about medical records privacy as strongly as I do 
about ergonomics, I feel that we do not fully understand yet 
the potential negative impact that privacy regulations can 
actually have on health care; and, thus, an important hearing 
this morning, hearing from people who are involved in it.
    I hear the concerns many of our witnesses have expressed in 
their testimony and I share some of those concerns. We may not 
know just how extensive the difficulty in complying with and 
implementing the privacy regulations is until the health care 
system tries to meet them. Then we may find ourselves back here 
considering a revision or even rescinding those rules. I hope 
that is not the case.
    Let's be clear about this. We all know how important 
medical privacy is, but it is equally important to do the rules 
and regulations in a correct way so that we avoid as many of 
the pitfalls as we possibly can.
    I thank you again for having this hearing and look forward 
to hearing our witnesses and thank them for being here.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Dingell, for an opening statement.
    Mr. Dingell. Mr. Chairman, thank you. First of all, I 
commend you for holding this hearing. Second of all, I applaud 
your announcement that we will hear from the Secretary prior to 
the Easter recess. I think that is very much in the public 
interest.
    Mr. Bilirakis. Every effort is being made toward that end, 
sir. We have not had a 100 percent assurance. That is certainly 
our goal, and they know that.
    Mr. Dingell. I certainly commend you for that. I hope it 
will be the strong position of this subcommittee and this 
committee that until the Secretary has had an opportunity to 
explain these matters to the committee in great detail, that we 
will expect that the rule or the regulation will not be set 
aside.
    I would observe to you, Mr. Chairman, that the story of 
Pandora's box provides to us a useful analogy to the situation 
in which we find ourselves. When a person's medical privacy is 
taken from them and their personal information is made 
available for use against them, then that person is 
irretrievably injured. I would point out that there is no hope 
whatsoever that once a person's medical information is released 
and put into the marketplace, that there is no hope that that 
person has that it will not be used against him in connection 
with employment, in connection with purchase of large capital 
items, homes, refrigerators, things of that kind, or in 
connection with retirement or insurance or any other economic 
question which might affect that individual, including, I would 
note again, his job.
    So I think it is extremely important that if there is to be 
error on this matter, that that error occur on the side of 
protecting the privacy of an individual. Americans constantly 
come to me and talk to me about protection of their privacy, 
their family's privacy, their concerns about their medical 
privacy, and there are a large number of people who constantly 
feel that there are people out there spying on them. It isn't 
necessary to spy on people. All you do is go to the records, 
and the records are abundant, and it is very easy to get the 
information without tapping telephones or things of that kind.
    I can no longer tell American people that their personal 
records or their personal information, medical, financial, or 
other, are adequately protected and that they are safe in their 
personal privacy. And I have regrets about that, because that 
has been a very important component of being an American.
    I have a long statement which I would put in the record. I 
will conclude, Mr. Chairman, by pointing out Americans distrust 
the system, Americans are going and paying out of their own 
pocket for medical care rather than utilize something which may 
finance their medical care, but which might generate 
information which can be used against them. This is a serious 
matter and Americans should be able to have greater confidence 
in the system than they have now.
    I know, Mr. Bilirakis, Mr. Chairman, you will keep your 
word and we will hear from HHS before the April break. I would 
observe that if the Secretary puts these matters that he has 
discussed with regard to this regulation into play and into 
motion prior to the time he has been heard before this 
committee, I will regard it as a breach of faith on his part 
and as an unfriendly act, not just to me and to this committee, 
but also to each and every American who is concerned about his 
or her medical privacy. And I will view it as another example 
of this administration rushing to undo a large number of 
regulations and steps which were taken that would protect the 
interests of the American people with regard to health, with 
regard to personal privacy, with regard to protection of the 
environment and other matters. And I simply observe this, Mr. 
Secretary: We will keep an eye on you and you will be judged by 
what you are doing on this particular matter.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. John D. Dingell follows:]

    PREPARED STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
                  CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Chairman, the subject of this hearing is one of importance to 
every American. According to a 1999 study by Princeton Research 
Associates, one in six Americans has done something out of the ordinary 
to keep personal medical information confidential. Improper disclosure 
of medical information can result in embarrassment, discrimination, and 
denial of proper health care. According to another survey by Louis 
Harris & Associates, twenty-seven percent of those polled believed 
their medical information had been improperly disclosed. Eleven percent 
of consumers polled said they or a family member paid out-of-pocket for 
health care in order to protect their privacy.
    There's more. One survey estimated that seven percent of consumers 
chose not to seek care because they did not want to jeopardize their 
job prospects or other life opportunities. Sixty-three percent of 
respondents in another survey said they would not take genetic tests 
for diseases if insurers or employers could obtain the test result.
    We will hear some complaints about the regulation today, but I want 
to remind everyone that this rule provides important safeguards for 
people's health. I am not aware of any organization representing 
persons whose medical information would be protected by this rule that 
has urged a delay in the implementation of this regulation. Indeed, 
many providers support the regulation and support its implementation.
    I am pleased that we will hear from the American Nurses 
Association. Nurses are the front line of our health care system. They 
are overworked. The nursing profession faces crucial recruitment and 
retention problems. If this regulation presented some undue burden, or 
was vague, I think the nurses would tell us. What they will tell us is 
that health care suffers without strong privacy protections.
    We will also hear from the American Psychiatric Association. Each 
year, an estimated 56 million Americans--one in five people--experience 
diagnosable mental disorders. Too much of this goes untreated. Why? 
Effective psychotherapy depends upon an atmosphere of confidence and 
trust in which the patient is willing to make a frank and complete 
disclosure of facts, emotions, memories, and fears. Because of the 
sensitive nature of the problems for which individuals may consult a 
psychotherapist, disclosure of confidential communications made during 
counseling sessions may cause embarrassment or disgrace. For this 
reason, the mere possibility of disclosure may impede development of 
the confidential relationship necessary for successful treatment.
    Each profession that provides mental health treatment embraces 
confidentiality as a core ethical principle. Confidentiality generally 
is considered to be a cornerstone of a doctor-patient relationship. 
Therefore, the basic requirements of the regulation are not new.
    Changes in the health care industry and advances in technology 
present a complex environment in which to implement the regulation. The 
regulation is characterized by a rule of reason and flexibility. Many 
of the concerns raised today are based on worst-case, but unrealistic, 
scenarios. Simple common-sense implementation should resolve these 
matters.
    Where we go from here depends upon the Secretary. He has, unwisely 
in my judgment, reopened this matter for comment. Moreover, I note that 
no witness from the Department of Health and Human Services is before 
us today. I take Chairman Bilirakis at his word that we will hear from 
HHS before the April break.

    Mr. Bilirakis. I appreciate the gentleman's remarks. I 
would reiterate what I said earlier, and that is we have said 
to the Secretary we want him here. We are going to do 
everything we can to get him here before the April break. But I 
don't want to mislead the gentleman that we have 100 percent 
assurance that he will be here. But you do have 100 percent 
assurance that that is what we intend and that intention has 
gotten to and will continue to get to the Secretary.
    Mr. Dingell. Mr. Chairman, if you would yield to me, I 
would observe that I respect you, I view you as an honorable 
man and as a capable chairman. The minority stands ready to 
assist you in assuring the cooperation of the Secretary, and we 
will show you a number of things that we have found in times 
past to be useful in assuring the presence of Secretaries who 
might have otherwise some more recalcitrant approach to the 
business before us. I also will assure you that we will seek to 
raise the pain level for the Secretary if he does not wish to 
cooperate in this matter.
    Mr. Bilirakis. That having been said, we will continue to 
do what we intend to do here today, and that is to learn as 
much as we can about this subject.
    Mr. Bilirakis. The Chair recognizes Mr. Upton.
    Mr. Upton. Thank you, Mr. Chairman. I will submit my full 
statement for the record.
    Mr. Bilirakis. I might add that the opening statement of 
all members will be made part of the record, without objection.
    Mr. Upton. Thank you. I would just note that I am behind 
your efforts to get Secretary Thompson to testify on this very 
important issue before the April break. It might also be 
somewhat revealing to have now Florida resident and former 
Secretary Shalala come as well. That might be appropriate. I 
would just like to note that as I have talked to a number of 
providers and folks back in my district, this is a very 
important issue. I look forward to the testimony and would like 
to submit comments from one of my administrators back home as 
part of my statement as well, and I yield back the balance of 
my time.
    Mr. Bilirakis. Without objection, that is the case.
    [The prepared statement of Hon. Fred Upton and the 
information referred to follow:]

  PREPARED STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN CONGRESS 
                       FROM THE STATE OF MICHIGAN

    Thank you, Mr. Chairman, for holding today's hearing on the medical 
records privacy regulation mandated under the Health Insurance 
Portability and Accountability Act (HIPAA). I am sure that all of us 
here today would agree that our first priority is the best interests of 
patients. But since the final regulation was issued last December, I 
have heard from a number of health care providers in my district who, 
while not questioning and in fact sharing the good intent behind the 
regulation, have raised serious concerns about the practical effects of 
the regulation on their ability to provide timely, coordinated acute 
and preventive care to their patients.
    Last month, in fact, the two largest hospitals in my district gave 
me a fascinating demonstration of how their telehealth/telemedicine 
systems work to improve the quality, coordination, and continuity of 
patient care. It's clear that the electronic medical record and bedside 
hospital chart are the future of health care in this country as our 
basic telecommunications infrastructure expands to bring 21st century 
medicine into even isolated rural communities. The need for patient 
protections in this brave new world is clear and pressing, but we must 
ensure that we ``first do no harm'' as we structure and implement these 
protections.

                                 ______
                                 

 PREPARED STATEMENT OF JAMES B. FALAHEE, JR., VICE PRESIDENT, LEGAL & 
         LEGISLATIVE RELATIONS, BRONSON HEALTHCARE GROUP, INC.

    Bronson Healthcare Group (``Bronson'') is a medium-sized health 
care system located in Southwestern Michigan, in the Congressional 
District so ably served by Congressman Fred Upton. Unlike some other 
health care systems, Bronson consists not only of hospitals, but also 
employed providers and two health plans. As such, Bronson is impacted 
by almost every element of the HIPAA regulations.
    Bronson, like other health care providers, fully supports privacy 
rights and recognizes their importance. There already exists an 
extensive body of case law and statutory authority which currently 
protects personal privacy rights and has developed over time. The new 
HIPAA regulations, in Bronson's opinion, are an unnecessary layering of 
very complicated and confusing regulations on top of the already 
existing, and working, statutes and case law.
    Section 164.530(c)(1) of the new HIPAA regulations provides that a 
covered entity must ``have in place appropriate administrative, 
technical, and physical safeguards to protect the privacy of protected 
health information.'' The Department of Health & Human Services could 
have confined its entire HIPAA regulations to this one statement and 
left it at that. Bronson submits that it, and other covered entities, 
already have in place appropriate administrative, technical, and 
physical safeguards to protect privacy of protected health information. 
HHS need not have so intrusively interfered with the current 
safeguards. The complex and prescriptive regulatory system created by 
HIPAA is unworkable and not needed.
    Bronson has a number of specific issues concerning HIPAA:

1. HIPAA does not supersede state law. Any health care provider or 
        health plan which operates in multiple states must determine 
        whether the laws in the individual states in which it operates 
        are more restrictive than HIPAA. If so, providers need to 
        customize their consents, authorizations, and documents to 
        match the more restrictive provisions of a state's law. This 
        will necessarily lead to a patchwork of different privacy laws, 
        depending on in which state you live. Instead of such a 
        patchwork, if HIPAA is retained, the HIPAA regulations should 
        be revised to include a federal preemption standard.

2. Bronson owns an indemnity insurance company and an HMO. We are 
        concerned as to whether all health plans will be ready for 
        HIPAA implementation and the transactions and code sets which 
        go along with it. If all health plans do not comply with the 
        HIPAA requirements, the desired streamlining of the payment 
        processes will not be accomplished. We are also concerned that 
        some plans may go beyond HIPAA and require even more 
        information than the standardized transactions/code sets would 
        require. This would defeat the uniformity goal of HIPAA.

3. The HIPAA regulations require that only the minimum necessary 
        personal health information be disclosed. This is an unworkable 
        requirement. Each time information is requested or discussed, a 
        health provider or covered entity must now determine if the 
        ``minimum necessary'' standard is met. This could present a 
        risk to patients if vital treatment information is delayed or 
        denied.

4. The HIPAA regulations will place an onerous burden on individual 
        physician providers and, even more so, on patients. The primary 
        goal of the health care community should be to deliver high 
        quality patient care. Bronson is concerned that the HIPAA 
        regulations will interfere with the delivery of such care. For 
        example, upon admission to its facilities or its physicians' 
        offices, Bronson will now be required to give each patient (or 
        patient representative) forms, notices, and requests for 
        authorization which will be, at a minimum, 10 pages long. We 
        question whether these forms, notices, and authorizations will 
        be read and, if read, will be understood by patients, their 
        families, or authorized representatives.

5. The exhaustive HIPAA regulations are yet another unfunded mandate on 
        the health care community. Bronson has not yet been able to 
        calculate its cost of implementation, but knows it will require 
        hundreds of hours of training and education, and the review and 
        revision of over 800 contracts with vendors and suppliers.

    Bronson recommends that the Department of Health & Human Services 
develop new, more streamlined regulations which address these and other 
comments raised by those in the field. Bronson strongly recommends that 
HHS meet with health care providers prior to formally responding to the 
comments it receives during March, 2001. A series of meetings between 
HHS, providers, and privacy advocates will go a long way to mitigating 
the backlash which has occurred as a result of the December, 2000 HIPAA 
regulations. Bronson would be more than willing to participate in such 
meetings.
    Thank you for the opportunity to submit these comments. Bronson 
would be glad to work with HHS and this committee to assure that 
personal health information is protected, but that high quality patient 
care is not adversely impacted by such privacy protections.

    Mr. Bilirakis. Ms. Capps.
    Ms. Capps. Thank you, Mr. Chairman, for holding this 
hearing. It is so important that this committee hear the 
testimony, because the debates revolving around medical privacy 
and the role of the Federal Government are central, I believe, 
to the very issue of access to care. The single most important 
factor in providing quality care and encouraging people to use 
it is trust. Patients must be able to trust their health care 
providers, to trust them to make the right decisions, to pay 
attention to their interests, to keep the particulars of their 
cases and lives in confidence. If this trust breaks down, then 
people will avoid seeking medical attention until they have no 
choice, and by then the options will be limited and the costs 
excessive.
    This committee has an obligation to the American people to 
protect that trust and to protect the rights of our 
constituents. And this is why a Patient's Bill of Rights is so 
important and this is why adequate privacy regulations need to 
be put in place.
    As we examine the proposed privacy regulations, I hope that 
each member of this committee will remember that what is at 
stake here is not the work of one administration or another, 
what is at stake is the very confidence that Americans have in 
their doctors, nurses, hospitals, health centers and other 
health care providers; that they be focused on treating their 
needs and not exploiting their weaknesses.
    By and large, most health care providers have a very good 
track record of protecting patients' privacy. Doctors and 
nurses are rigorously trained to be cautious with a patient's 
personal information. But we need to make sure that the 
pressures of the financial bottom line do not tread on this 
critical right. On the other hand, we also need to avoid 
discouraging medical research and overcomplicating our health 
care system. New, creative innovations can be essential to 
providing the best care possible and they are dependent on 
information about current medical conditions.
    I don't believe these goals have to be in conflict. I think 
it is possible to protect the rights of patients while enabling 
proper medical research, and this should certainly be our 
objective. I believe that the current proposed regulation is a 
good step in the right direction. Many of the concerns about 
the regulation can hopefully be resolved from guidance of the 
Department of Health and Human Services. I certainly hope that 
neither this committee nor the administration will do anything 
that will weaken the protections for patient privacy.
    I look forward to hearing what my colleagues and the 
panelists have to say about these regulations.
    I want to particularly recognize Ms. Mary Foley, the 
President of the American Nurses Association. I am pleased she 
is here with us to share the views of the nursing community. As 
a nurse myself, I understand how important it is to include 
perspectives of nurses on these issues. Nurses are the first 
line of defense on health care matters and we need to make sure 
that our voices are heard in the hearings and meetings with 
policymakers. I have tried to do this in my stay in Congress 
and I am glad to see that the ANA is here to do that now. I 
commend your efforts and I am interested in your views on what 
we should do.
    Mr. Chairman, I thank you for holding this hearing; I look 
forward to working with you on this issue. And I know we will 
strive together to do this in a bipartisan way.
    Mr. Bilirakis. I thank the gentlelady for her statement.
    Dr. Ganske for an opening statement.
    Mr. Ganske. Thank you, Mr. Chairman. We are here today 
because Congress couldn't reach an agreement on the medical 
record privacy regulations. So at Congress' direction, the 
previous administration gave the Department of Health and Human 
Services the job of creating new rules. The complexity of the 
result reflects the complexity of the problems we face.
    In crafting rules for the health care industry, courts, 
banks and insurers, HHS attempted to balance the conflicting 
demands for privacy and productivity. Initially the rules 
covered only information maintained or transmitted 
electronically. Not good enough, critics shouted. So HHS 
extended the rules to paper files and information transmitted 
orally. Too far, shouted different critics.
    HHS received over 52,000 comments on its privacy rules. 
What they found was that outlawing hacking and malevolent use 
of personal information is simple. Enforcing those bans is 
hard. In each instance, they found they had produced an 
exceedingly complex compromise that is assaulted as too loose 
by privacy advocates and too onerous by industry. Writing rules 
prohibiting the infringement of privacy without denying doctors 
and researchers the benefits of the information technology is 
difficult. So is drawing lines telling the health care industry 
what they can share, what they can't, and with whom they can do 
so. How much should patients know before medical researchers 
tap into their records? Does it make sense that business can 
share your personal data with their affiliates?
    Conflict between society's need to know and individuals' 
right to privacy isn't new. As HHS said in December when it 
tested the rules, quote: ``We expect insurers and the 
government to reduce fraud, we expect to be protected from 
epidemics, and we expect medical research to produce miracles. 
We expect the police to apprehend suspects and we expect to pay 
for our care by credit card.
    ``All these activities involve the disclosure of health 
information to someone other than our physician. We have 
expectations as a society that conflict with individuals' views 
about the privacy of health information,'' unquote.
    Well, while recognizing that conflict, the implementation 
of the final rule was delayed by the Bush administration. Mr. 
Chairman, I note that we don't have today a representative from 
the hospital community, so with your permission, Mr. Chairman, 
I would like to introduce a letter into the record from the 
Iowa Hospital Association regarding the final medical record 
privacy rule.
    Mr. Bilirakis. Without objection, that is the case.
    [The information referred to follows:]

                                  Iowa Hospital Association
                                                     March 16, 2001
The Honorable Tommy G. Thompson
Secretary, U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201
    Dear Secretary Thompson: The Iowa Hospital Association (IHA) is 
pleased with your recent announcement that you will open a public 
comment period on the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) privacy rules. IHA is a statewide membership 
services organization that advocates for 116 community hospitals and 
health systems as well as the patients and communities they serve.
    Iowa hospitals and health systems have been proponents of 
standardization of electronic transactions related to health care and 
support the administrative simplification provisions of HIPAA. Iowa 
hospitals and health systems also take very seriously the privacy of 
the patients and communities they serve and have a long-standing 
commitment to safeguarding this privacy while delivering high-quality 
health care to their patients.
    The Department of Health and Human Services (HHS) final rule on 
privacy will have significant impact on the day-to-day operations of 
Iowa hospitals and health systems. Hospitals and health systems will 
have to invest substantial resources to comply with this overly complex 
and pervasive regulation. Iowa hospitals and health systems today face 
an emerging crisis in workforce shortages and the significant 
regulatory burden of the HIPAA privacy rules will heighten this crisis. 
In addition, the lingering financial burdens imposed by the Medicare 
payment cuts of the Balanced Budget Act (BBA) of 1997 have severely 
strained the financial resources of our hospitals and health systems.
    IHA respectfully requests that HHS suspend the April 14, 2001 
effective date and significantly rewrite the HIPAA privacy rules. IHA 
believes that it is appropriate for your department to reexamine these 
regulations to ensure that implementation of privacy standards does not 
hinder the ability of hospitals and health systems to deliver high 
quality health care and does not put hospitals and health systems in 
further financial jeopardy. There is a balance that must be achieved 
between delivering cost-effective, quality health care and protecting 
patient privacy.
    We suggest the rule be substituted by a simpler version. In keeping 
with the original intent of the legislation--to streamline health care 
administration--the rule should focus on the potential misuse of 
information by employers and health insurers. Consent should be 
required only for such non-medical use.
    The following are comments and recommendations of IHA on the final 
privacy rules.

                            GENERAL COMMENTS

    The final privacy rule threatens the balance between the cost-
effective delivery of high quality care and patient privacy in a number 
of ways:

Scope
    The Department of Health and Human Services' authorization to adopt 
privacy rules under HIPAA is limited. Under the act, confidentiality 
regulations are to apply only to electronic transactions and the data 
elements for such transactions, and to assure the privacy of health 
information exchanged electronically. The final privacy rule applies 
privacy standards to all uses and disclosures of protected health 
information--electronic, written, and oral--far exceeding the 
Department of Health and Human Services' statutory authority. The 
result is a regulation that:

    • Is so complex that it is extremely difficult, if not 
        impossible, to determine how to achieve efficient compliance.
    • Creates significant barriers to current treatment and quality 
        improvement activities.
    • Conflicts with the clear cost-savings intent of the 
        administrative simplification section of HIPAA.

Costs
    The Department of Health and Human Services needs to analyze and 
assess how compliance with the privacy rule will impact the cost of 
caring for patients. The estimated cost impact of the final privacy 
rule on hospitals and health systems needs to be calculated and weighed 
against the benefits of the rule. The American Hospital Association has 
estimated that the total cost to hospitals and health systems complying 
with the final privacy regulations will be up to $22.5 billion over 
five years.
    The Department of Health and Human Services must recognize the 
tremendous burden placed on health care providers who are now facing 
simultaneous implementation of multiple, complex federal and state 
regulations. Hospitals and health systems over the last few years have 
had to address Y2K system problems, make significant changes to their 
patient data collection, coding and billing systems to implement 
prospective payment systems for Medicare skilled nursing care, home 
health care, and outpatient care, in addition to facing changes to a 
variety of other regulations significantly impacting their day-to-day 
operations.
    In addition, Iowa hospitals and health systems face critical 
shortages in nursing and in personnel in other clinical areas. The 
staffing issues associated with implementing the privacy regulations 
need to be considered. Implementation of the privacy rule as published 
will further add to providers' already overwhelmed administrative and 
information systems and represents yet another unfunded mandate.

Implementation Schedule
    The final privacy rule requires all health care providers to 
implement the privacy standards two years after their effective date. 
Since the regulations are extremely complex and extensive, this 
schedule is not practical.
    Further, serious consideration should be given to coordination of 
the privacy rule implementation deadlines with the implementation 
deadlines of the other HIPAA regulations. HIPAA included numerous 
components affecting privacy, security, and administrative 
simplification. Not all of the regulations to implement these 
provisions have been developed. Final implementation of all of these 
provisions should be synchronized to assure that providers in 
responding to multiple interrelated regulatory provisions do not incur 
additional costs. IHA would suggest that implementation of the HIPAA 
provisions regarding privacy, security, and administrative 
simplification not occur until at least two years following the 
promulgation of the final set of relevant regulations.

Preemption
    The final regulations fail to preempt conflicting state laws. The 
American Hospital Association's cost estimates for this provision alone 
over a five-year period are $372 million. IHA is concerned that state 
laws that are contrary or more stringent will cause considerable 
confusion. It is not uncommon for health systems to operate hospitals 
and other health care facilities in multiple states, to serve patients 
from other states, and to provide care under arrangements with health 
plans that serve populations from several states. Addressing the many 
different state rules will be extraordinarily difficult for individual 
providers and will lead to confusion as to what rules apply. The lack 
of clear preemption complicates the ability for providers to develop 
clear and consistent privacy policies. Providers must not only comply 
with multiple state requirements, but now also understand how the 
federal rules relate to state requirements.

Peer Review Protection
    Provisions in the final regulations may threaten peer review 
protections. Peer review protections are intended to foster a 
comprehensive, quality system for the effective reduction of medical/
health care errors and other factors that contribute to unintended 
adverse patient outcomes in a health care organization. This 
environment encourages recognition and acknowledgment of risks to 
patient safety and medical/health care errors; the initiation of 
actions to reduce these risks; the internal reporting of what has been 
found and the actions taken; a focus on processes and systems; and 
minimization of individual blame or retribution for involvement in a 
medical/health care error. It encourages organizational learning about 
medical/health care errors and supports the sharing of that knowledge 
to effect behavioral changes in itself and other health care 
organizations to improve patient safety. The final regulations should 
be reviewed to make sure that notice and authorization provisions do 
not hinder the development of internal safety reporting and quality 
improvement initiatives.

Notice, Consent, and Authorization
    Notice and consent requirements added to the final rule will 
significantly complicate compliance efforts and activities. These 
components represent a significant departure from the proposed 
regulations in that the final privacy rules require a consent for uses 
and disclosures of protected health information for purposes of 
treatment, payment, and health care operations. A separate 
authorization to use and disclose protected health information for 
``other purposes'' must be obtained separately from the consent. The 
terms ``consent'' and ``authorization'' do not overlap and differ 
substantially in their content. Notices regarding privacy must be added 
to such things as appointment reminders. All of these requirements add 
administrative costs with little or no benefit to patients. Hospitals 
and health systems are already required by both federal and state 
governments to post numerous notices and to provide written notice of 
various rights and responsibilities. Instead of requiring yet more 
notices and more paperwork, the regulations should allow hospitals and 
health systems to incorporate appropriate notification regarding 
privacy into existing notices and patient rights' materials.

Minimum Necessary Disclosure
    While the final privacy rule tempered the ``minimum necessary 
disclosure'' limitation among health care providers, it continues to 
pose a significant and costly barrier to compliance with the privacy 
rule. This standard is ill-defined in the privacy rule and will likely 
result in numerous and varied interpretations. Hospitals and health 
systems are required to develop criteria to limit the amount of 
information disclosed and to evaluate each and every disclosure against 
these criteria. Hospitals and health systems are required to train all 
employees regarding these criteria and to establish a ``privacy 
officer'' to ensure responsible implementation. Again, these specific 
requirements impose significant personnel requirements and 
administrative costs, and redirect a caregiver's time away from patient 
care.

Business Associates
    In the final privacy rule, the Department of Health and Human 
Services is holding covered entities responsible for the protection of 
personal health information by their business associates. The legal 
work and costs associated with implementing this provision will be 
overwhelming. Hospitals and health systems will have to renegotiate 
contract provisions that ensure that these business associates protect 
the information that is released to them in the normal course of health 
care operations. It would be more appropriate if the regulations held 
all parties accountable for their own improper disclosure of personal 
health information. Hospitals and health systems should not be 
responsible for the improper disclosure of personal health information 
by other organizations.

Quality Improvement & Statewide Data Collection Efforts
    Centralized data collection activities, either by state hospital 
associations or state government, intended to produce comparative 
incidence rates, patient outcome measures, and utilization and cost 
data heavily utilized by management in hospitals and health systems, 
are threatened by the privacy rules as written. Further, the inclusion 
of patient county and zip code as protected health information may 
limit the ability to use discharge data for quality improvement and 
community health surveillance activities. These activities are 
important to hospitals and health systems that seek to develop 
integrated services in response to patient and community health needs.

                            RECOMMENDATIONS

    As published, the final privacy rules are unworkable and will cost 
the health care community billions of dollars to attempt compliance at 
a time when hospitals and health systems are experiencing severely 
restricted resources, both capital and workforce. The costs of 
implementing the final privacy rules far outweigh any potential long-
term savings through administrative simplification. The rule also 
requires an unrealistic timeframe for implementation and has not been 
coordinated with the related HIPAA rules affecting security and 
administrative simplification. Therefore, IHA recommends the following 
steps be taken to reform the new privacy rule in a manner that 
safeguards both patient privacy and patient care.

    1. Suspend the final privacy rule prior to its April 14, 2001, 
effective date.

    2. The Department of Health and Human Services should consult with 
hospitals and health systems on site at their facilities to discuss the 
practical implementation issues and problems that have been identified 
in order to reasonably resolve as many of these issues as possible 
prior to implementation of the privacy standards. IHA could facilitate 
Department of Health and Human Services' staff visits to hospitals and 
health systems within Iowa.

    3. The Department of Health and Human Services should appropriately 
narrow the scope of the regulation to apply privacy standards 
addressing the subjects outlined in the statute to the individually 
identifiable health information used in connection with electronic 
transactions as outlined in the statute.

    4. The Department of Health and Human Services should revise the 
HIPAA regulation implementation schedule according to the following 
principles:

    • No health care provider should be required to begin 
        implementation of HIPAA until all HIPAA privacy, security, and 
        administrative simplification regulations have been finalized.
    • A single, uniform date of compliance should be established at 
        least two years after promulgation of all HIPAA final 
        regulations to allow a sufficient and reasonable time period in 
        which to implement.

    5. Statewide data collection and use efforts, that have been in 
operation for years with safeguards taken to protect health 
information, should be provided safe harbor in the final privacy 
regulations.
    Again, we are pleased that you are allowing for public comment on 
the final privacy rules and are hopeful that this first step will lead 
to fundamental reform of the privacy rules. IHA is committed to working 
with HHS to develop privacy rules that not only safeguard patient 
privacy, but also ensure delivery of cost-effective, quality patient 
care. Please contact Perry Meyer, Tracy Warner or Maureen Hockmuth at 
IHA at 515/288-1955 if you have any questions.
            Sincerely,
                                         Stephen F. Brenton
                                                          President
cc: Iowa Congressional Delegation

    Mr. Bilirakis. And at the same time I would ask unanimous 
consent that I might introduce a letter from the Florida 
Hospital Association, as well as statements and written 
testimony from the American Council of Life Insurance, and from 
the Health Insurance Portability Biotechnology Industry 
Organization. Without objection, that would be the case.
    [The information referred to follows:]

                               Florida Hospital Association
                                                      March 16, 2001
The Honorable Michael Bilirakis
Room 2269 Rayburn House Office Building
U.S. House of Representatives
Washington, DC 20515
    Dear Representative Bilirakis: The Florida Hospital Association, 
which represents 230 not-for-profit, investor-owned and government 
hospitals and health systems, seeks your help in an urgent and time-
sensitive matter. We ask that you contact Health and Human Services 
Secretary Tommy Thompson to request that he delay the April 14, 2001, 
effective date of the privacy rules promulgated under the Health Care 
Portability and Accountability Act (HIPAA). FHA members are deeply 
concerned about the regulation and request that you join with us and 
ask the Secretary to fix the rule.
    Florida's hospitals are committed to safeguarding the privacy of 
patients' medical information. However, we are extremely concerned 
about the effect the final HIPAA medical privacy rules will have on 
hospitals. The rules are so complex and prescriptive in many areas that 
they will be both unworkable and unreasonably costly. The rules were 
reopened for public comment on March 1, 2001. HHS must receive your 
request no later than March 30, 2001. Time is short.
    We believe that patients have the right to every consideration of 
privacy, including the right to review and understand their medical 
records. However, in their current form the HIPAA privacy rules are so 
complex and prescriptive that they are both unworkable and excessively 
costly. They will hinder the ability of providers and families of 
patients to coordinate the care for patients.
    Florida's hospitals need your help: Please ask HHS to delay the 
rules and fix them.
            Sincerely,
                                     Charles F. Pierce, Jr.
                                             President, FHA Orlando
                                 ______
                                 

      PREPARED STATEMENT OF THE AMERICAN COUNCIL OF LIFE INSURERS

    This testimony on Assessing HIPAA: How Federal Medical Privacy 
Regulations Can Be Improved is submitted to the House Commerce 
Subcommittee on Health on behalf of the American Council of Life 
Insurers (the ACLI). The ACLI is a national trade association whose 435 
member companies represent 73 percent of the life insurance and 86.9 
percent of the long term care insurance in force in the United States. 
The ACLI also represents 73 percent of the companies that provide 
disability income insurance. The ACLI appreciates the opportunity to 
submit this statement.
    The ACLI strongly supports the underlying goal of the Standards for 
Privacy of Individually Identifiable Health Information (the 
Regulation) issued by the Department of Health and Human Services (the 
Department)--protecting individually identifiable health information. 
Life, disability income, and long term care insurers understand their 
responsibility to protect their customers' health information. ACLI 
member companies are strongly committed to the principle that 
individuals have a legitimate interest in the proper collection and 
handling of their medical information and that insurers have an 
obligation to assure individuals of the confidentiality of this 
information. Several years ago, the ACLI Board of Directors adopted the 
``Confidentiality of Medical Information Principles of Support.'' These 
Principles were recently strengthened providing ACLI support for 
prohibitions on the sharing of medical information for marketing and 
for determining eligibility for credit. (A copy of the Principles is 
attached.)
    The ACLI believes that the Regulation's goal of protecting 
individually identifiable health information may be achieved in a 
manner consistent with the significant public interest in maintaining 
the life, disability income, and long term care insurance markets which 
meet the private insurance needs of millions of American consumers. By 
their very nature, the businesses of life, disability income, and long 
term care insurance involve personal and confidential relationships. 
However, insurers selling these lines of coverage must be able to 
obtain and use their customers' health information in order to perform 
legitimate insurance business functions, such as underwriting and 
claims evaluation. The performance of these functions is essential to 
insurers' ability to serve and fulfill their contractual obligations to 
their existing and prospective customers.
    The Regulation will have a significant and direct impact on the 
manner in which life, disability income, and long term care insurers do 
business. Although life and disability income insurers are not 
``covered entities'' under the Regulation, their ability to obtain 
individually identifiable health information will be subject to the 
Regulation's disclosure requirements and limitations. This is true 
because life and disability income insurers often must obtain 
individually identifiable health information from health care providers 
which are ``covered entities'' under the Regulation. Covered entities 
may only disclose protected health information as permitted under the 
Regulation.
    Long term care insurers are covered entities under the Regulation. 
As such, they are subject to the full ambit of the Regulation's 
requirements regarding access, use and disclosure of individually 
identifiable health information. In addition, like life and disability 
income insurers, long term care insurers' ability to obtain 
individually identifiable health information from other covered 
entities (health care providers) is subject to the Regulation's 
disclosure limitations and requirements.
    A number of changes were made in the final Regulation in response 
to concerns raised by the ACLI in connection with the proposed 
regulation's disclosure requirements. However, there continue to be 
ambiguities in some provisions of the final Regulation which could be 
construed to limit covered entities' disclosure of individually 
identifiable health information to life, disability income, and long 
term care insurers. This would limit these insurers' access to and use 
of health information critical to their ability to perform fundamental 
insurance business functions, such as underwriting and claims 
evaluations.
    Below are more detailed explanations of the manner in which life, 
disability income, and long term care insurers use protected health 
information and ambiguities in the Regulation which could be construed 
to jeopardize legitimate and essential uses of that information by 
life, disability income, and long term care insurers.
 
      WAYS IN WHICH LIFE, DISABILITY INCOME, AND LONG TERM CARE INSURERS 
              USE INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

    The process of risk classification is a system of classifying 
proposed insureds by level of risk. It enables insurers to group 
together people with similar characteristics and to calculate a premium 
based on that group's level of risk. Those with similar risks pay the 
same premiums. Risk classification provides the fundamental framework 
for the current private insurance system in the United States. It is 
essential to insurers' ability to determine premiums which are: (1) 
adequate to pay their customers' future claims; and (2) fair relative 
to the risk posed by proposed insureds.
    The price of life, disability income and long term care insurance 
is generally based on the proposed insured's gender, age, present and 
past state of health, possibly his or her job or hobby, and the type 
and amount of coverage sought. Much of this information is provided 
directly by the proposed insured. Depending on the proposed insured's 
age, medical history, and the amount of insurance applied for, the 
insurer may also need information from the individual's medical 
records. In this event, when the insurer's sales representative takes 
the consumer's application for insurance, he will request that the 
applicant sign an authorization, provided by the insurer, authorizing 
the insurance company to: (1) obtain his health information from his 
doctor or from a hospital where he has been treated; and (2) use that 
information to, among other things, underwrite that individual's 
application for coverage. Based on this information, the insurer groups 
insureds into pools so that they can share the financial risk presented 
by dying prematurely, becoming disabled, or needing long term care.
    If a company is unable to gather accurate information or have 
access to information already known to the proposed insured, an 
individual with a serious health condition, with a greater than average 
risk, could knowingly purchase a policy for standard premium rates. 
This is known as adverse selection. While a few cases of adverse 
selection might not have a significant negative impact on the life, 
disability income, or long term care insurance markets, multiple cases 
industry-wide would likely have such an effect. This would be 
particularly true if individuals were to be legally permitted to 
withhold or restrict access to medical information significant to their 
likelihood of dying prematurely, becoming disabled or requiring long 
term care. The major negative consequence of adverse selection would be 
to drive up costs for future customers which could price many American 
families out of the life, disability income, and long term care 
insurance markets.
    Most life and long term care insurance and much disability income 
insurance is individually underwritten. As part of the underwriting 
process, insurers selling life, disability income, and long term care 
insurance rely on an applicant's individually identifiable health 
information to determine the risk that he or she represents. Therefore, 
medical information is a key and essential component in the process of 
risk classification.
    Once a life, disability income, or long term care insurer has an 
individual's health information, the insurer controls and limits who 
sees it. At the same time, insurers must use and disclose individually 
identifiable health information to perform legitimate, core insurance 
business functions. Insurers that sell life, disability income, and 
long term care insurance must use individually identifiable health 
information to perform essential functions associated with an insurance 
contract. These basic functions include, in addition to underwriting, 
key activities such as claims evaluation and policy administration. In 
addition, insurers must also use individually identifiable health 
information to perform important business functions not necessarily 
directly related to a particular insurance contract, but essential to 
the administration or servicing of insurance policies generally, such 
as, for example, development and maintenance of computer systems.
    Also, life, disability income, and long term care insurers must 
disclose individually identifiable health information in order to 
comply with various regulatory/legal mandates and in furtherance of 
certain public policy goals such as the detection and deterrence of 
fraud. Activities in connection with ordinary proposed and consummated 
business transactions, such as reinsurance treaties and mergers and 
acquisitions, also necessitate insurers' use and disclosure of such 
information. Life, disability income, and long term care insurers must 
disclose individually identifiable health information to: (1) state insurance 
departments in connection with general regulatory oversight of insurers 
(including regular market conduct and financial examinations of 
insurers); (2) self-regulatory organizations, such as the Insurance 
Marketplace Standards Association (IMSA), concerned with insurers' 
market conduct; and (3) state insurance guaranty funds, which seek to 
satisfy policyholder claims in the event of impairment or insolvency of 
an insurer or to facilitate rehabilitations or liquidations. 
Limitations on these disclosures would operate counter to the consumer 
protection purpose of these disclosure requirements.
    Life, disability income, and long term care insurers need to (and 
in fact, in some states are required to) disclose individually 
identifiable health information in order to protect against or to 
prevent actual or potential fraud. Such disclosures are made to law 
enforcement agencies, state insurance departments, the Medical 
Information Bureau (MIB), or outside attorneys or investigators who 
work for the insurer. Again, any limitation on an insurer's ability to 
make these disclosures would undermine the public policy goal of 
reducing fraud, the cost of which is ultimately borne by consumers.

               AMBIGUITIES RAISED BY THE FINAL REGULATION

    The following summarizes ACLI member companies' major concerns with 
the Regulation listed in order of their importance. As indicated above, 
ACLI member companies' most fundamental and critical concerns relate to 
the Regulation's likely significant and adverse impact on their ability 
to obtain protected health information, critical to the business of 
insurance, from health care providers.
    ACLI member companies are very concerned by a number of ambiguities 
in relation to the minimum necessary standard set forth in Sections 
164.502(b) and 164.514(d). Medical underwriting on the basis of 
individually identifiable health information lies at the core of the 
present systems of life, disability income, and long term care 
insurance. In order for insurers to be able to fairly and prudently 
underwrite, they must be able to access and use protected health 
information relevant to the proposed insured's likelihood of dying 
prematurely, becoming disabled, or requiring long term care. Insurers 
must also be able to access protected health information to pay claims 
for benefits submitted under existing life, disability income, and long 
term care insurance policies.
    Life and disability income insurers are concerned by Sections 
164.502(b)(1) and 164.514(d)(3) which would require a covered entity to 
only disclose the minimum amount of information which it believes to be 
necessary to accomplish the purpose for which the information is 
requested. It does not appear to be the intent of the drafters of the 
Regulation, nor would it make practical sense, to subject to this 
standard disclosures of protected health information made pursuant to 
the authorization of the individual, the type of authorization used by 
life and disability income insurers. However, because this is not 
entirely clear, life and disability income insurers are concerned that 
covered entity health care providers will construe the minimum 
necessary rule to require them to disclose as little information as 
possible to life and disability income insurers. As a result, life and 
disability income insurers are likely to be denied access to 
information essential to their ability to make fair and prudent 
underwriting decisions and appropriate claims evaluations, among other 
things.
    Long term care insurers are also concerned by the minimum necessary 
requirements of Sections 164.502(b) and 164.514(d). They are 
particularly concerned that the language of Section 164.502(b)(2)(ii) 
may be construed by covered entity health care providers to subject 
disclosures of protected health information to covered entity long term 
care insurers to the minimum necessary standard. Like life and 
disability income insurers, long term care insurers strongly believe 
that health care providers are not in a position to know what 
information is needed to underwrite an application for insurance 
coverage or to evaluate a claim; nor does the health care provider bear 
the financial risk of issuance of an insurance policy.
    Long term care insurers are also concerned that under Section 
164.504(d), they may only request the minimum amount of information 
necessary to accomplish the purpose for which the information is 
requested. At the inception of the underwriting process for a long term 
care insurance policy, it is generally impossible for a long term care 
insurer to know what information may be in a proposed insured's medical 
record that may be relevant to the individual's likelihood of requiring 
long term care in the future. Until the long term care insurer sees the 
individual's entire medical file, it often does not know what is the 
minimum amount of information necessary to underwrite an application 
for coverage. Unfortunately, the Regulation is very unclear as to how 
its requirements in relation to the minimum necessary standard will 
interface with the requirements governing covered entities' right to 
use and disclose an individual's entire medical record.
    Concerns of life and disability income insurers, as well as long 
term care insurers, in relation to the minimum necessary requirements, 
are exacerbated by the lack of clarity in Section 164.514(d)(5) 
permitting a covered entity to disclose, use, and request an 
individual's entire medical record. They are concerned by the ambiguity 
as to the intended interplay between this provision and those 
provisions articulating the minimum necessary standard.
    The nature and level of justification required for a disclosure or 
use of an entire medical file to be ``specifically justified'' is 
unclear. Moreover, at the inception of the underwriting process, it is 
impossible for the insurer to know what information is in the 
individual's medical file that is likely to be material to the 
individual dying prematurely, becoming disabled, or requiring long term 
care. Finally, there is no practical reason why an individual should 
not be able to authorize the use or disclosure of his or her entire 
medical record and why that authorization should not appropriately 
govern the actions of the covered entity.
    Section 164.514(d) should be clarified to provide that an 
authorization for use or disclosure of an entire medical file is 
``specifically justified'' if it is submitted in connection with the 
underwriting of an application for insurance coverage or evaluation of 
a claim for insurance benefits. It should also be made clear that under 
these circumstances, the authorization for use or disclosure of the 
entire medical file takes precedence over any requirements in relation 
to the minimum necessary standard.
    Life, disability income, and long term care insurers are very 
concerned that ambiguity in the language of Section 164.522, relating 
to agreements to restrict use and disclosure of information, will also 
have a ``chilling effect'' on doctors' and hospitals' disclosure of 
protected health information to life, disability income, and long term 
care insurers. They believe that if this section is not clarified, it 
may be construed to permit and uphold agreements to withhold protected 
health information which is material to underwriting and claims 
evaluations by life, disability income, and long term care insurers. 
Since there is no requirement that the covered entity provide notice to 
the effect that information is being withheld pursuant to such an 
agreement, the insurer receiving other protected health information 
from the health care provider is likely not to know that the restricted 
information existed in the first place or that any information is being 
withheld. If this practice were to become widespread, it could cause 
adverse selection. It could significantly undermine the underwriting 
and claims processes, jeopardizing the current private systems of life, 
disability income, and long term care insurance. It would legalize 
actions which constitute fraud and material misrepresentation under 
current law.
    Although the actual words of the Regulation only require covered 
entities to permit an individual to request restriction of the use or 
disclosure of protected health information to carry out treatment, 
payment, and health care operations, insurers are concerned that health 
care providers that enter into such agreements will treat disclosures 
to life, disability income, and long term care insurers no differently 
from uses or disclosures for purposes of treatment, payment, or health 
care operations. This concern is exacerbated by the fact that 
disclosures to life, disability income, and long term care insurers are 
not included in the list of situations under which agreements to 
restrict are not effective set forth in Section 164.522(a)(1)(v). 
Furthermore, ACLI member companies are very concerned by this section 
of the Regulation's clear sanctioning of segregation of certain parts 
of individuals' medical records.
    ACLI member companies have a number of concerns in relation to the 
authorization requirements set forth in Section 164.508. They are 
concerned by the level of specificity required in authorization forms 
by Section 164.508(c)(i) which prescribes that the information to be 
used or disclosed be identified in a ``. . . specific and meaningful 
fashion.'' As discussed above, it is generally impossible for life, 
disability income, and long term care insurers to know ``up front'' 
what information in an individual's medical record they may need to 
underwrite appropriately. Moreover, this degree of specificity gives 
rise to concern that insurers will have to ``tailor'' authorization 
forms for each individual in order to obtain necessary underwriting and 
claims information. This would be very expensive.
    Life, disability income, and long term care insurers have grave 
concern with the Regulation's provisions relating to an individual's 
right to revoke an authorization set forth in Section 164.508(b)(5). 
Contrary to its apparent intent, Section 165.508(b)(5) fails to 
adequately protect insurers against fraud and material 
misrepresentation in origination of insurance policies or in the 
payment of claims. This is true because this section fails to provide 
life and disability income insurers, which are not covered entities, 
any protection for having taken action in reliance on an authorization; 
and it fails to clearly limit individuals' right to revoke 
authorizations obtained as a condition of obtaining insurance coverage 
or payment of claims.
    ACLI member companies are concerned by the definition of 
``psychotherapy notes'' set forth in Section 164.501 and the 
limitations on conditioning enrollment and claims payments based on 
provision of an authorization, articulated in Section 164.508(b)(4). 
Member companies are very concerned that the definition of 
``psychotherapy notes,'' for example, does not exclude a ``diagnosis'', 
but only excludes a summary of diagnosis. The Best Principles for 
Health Privacy, recently published by the Health Privacy Project at 
Georgetown University states: ``The phrase `psychotherapy notes' 
includes only the personal notes taken by a mental health professional. 
The notes do not include diagnostic and treatment information, signs 
and symptoms, or progress notes, which may be shared in the same manner 
as other clinical information.'' Accordingly, the ACLI urges 
clarification of the definition of psychotherapy notes.
    Long term care insurers also are gravely concerned that the 
definition of ``psychotherapy notes,'' coupled with Section 
164.508(b)'s prohibition on conditioning enrollment or claims payments 
on provision of authorization in relation to psychotherapy notes, will 
result in long term care insurers having to issue coverage and pay 
claims even if they only receive incomplete information, in relation to 
the individual's condition. For example, the long term care insurer may 
only receive a ``summary of'' the diagnosis, but not the diagnosis.
    Long term care insurers are also very concerned by the ambiguity of 
Section 164.508(e) which provides implementation specifications for 
authorizations requested by a covered entity for disclosures of 
protected health information by other covered entities. This provision 
was not in the Regulation as proposed. There is significant concern 
that it may be construed by covered entity health care providers to 
inappropriately require a ``super'' authorization as a prerequisite to 
disclosure of protected health information to covered entity long term 
care insurers. It also gives rise to concern because of the reference 
to it in Section 164.502(b)(2)(ii) which could be construed to subject 
disclosures of protected health information to long term care insurers 
to the minimum necessary requirement.
    The ACLI urges deletion of Section 164.508(e). Not only is it 
beyond the scope of the Regulation as proposed, but it may be 
inappropriately construed to require special authorizations for 
disclosure of protected health information to long term care insurers 
and to inappropriately subject such disclosure of protected health 
information to long term care insurers to the minimum necessary 
standard.
    Other ACLI member company concerns with the Regulation include the 
following:
    There is concern that the requirements imposed on ``hybrid 
entities'' by Section 164.504(b) will require member companies to 
create firewalls, between different divisions of a single company and 
within single divisions of a company, that will be very difficult to 
enforce and jeopardize member companies' activities in relation to the 
detection and prevention of material misrepresentation and fraud in the 
inception of life, disability income, and long term care insurance 
contracts.
    The rules in relation to de-identification of protected health 
information, set forth in Section 164.514, are particularly troublesome 
to long term care insurers. They are concerned that these rules will 
jeopardize their ability to perform studies critical to future policy 
design and experience rating, among other things. There is particular 
concern with the requirements in Section 164.514 (b)(2)(i)(B) and (C) 
which require removal of specified information concerning geographic 
subdivisions and elements of dates.
    The definitions of ``health care operations'' and ``payment'' set 
forth in Section 164.501, are also of significant concern to long term 
care insurers. These definitions fail to include within their scope 
fundamental insurance business functions of long term care insurers. 
Not only will long term care insurers be required to obtain 
authorizations to use protected health information to perform these 
basic insurance business activities, but they will be vulnerable to 
revocation of those authorizations.
    Long term care insurers are concerned by the apparent requirement 
of a written contract in every instance where they disclose protected 
health information to a business associate working on its behalf. While 
there is no question that the long term care insurer must always 
receive assurance that the business associate is safeguarding protected 
health information disclosed to it by a covered entity, long term care 
insurers are hopeful that an exception to the written contract rule may 
be provided for instances where the risk of improper disclosure is low.
    There is concern with Section 160.203 which provides that ``(a) 
standard, requirement, or implementation specification adopted under 
this subchapter that is contrary to a provisions of State law preempts 
the provision of State law. This general rule applies, except if one or 
more of the following conditions is met: . . . (b) The provision of 
State law relates to the privacy of health information and is more 
stringent than a standard, requirement, or implementation specification 
adopted under subpart E of part 164 of this subchapter.'' ACLI member 
companies are concerned about having to make a determination as to 
which law (state law or the HHS regulation) is ``more stringent,'' and 
their resulting vulnerability to challenge for their decisions. This is 
particularly troubling, given that, unlike the proposed regulation, the 
final Regulation withdrew a provision that would have required HHS to 
respond to requests for advisory opinions regarding state preemption 
issues. According to testimony presented to the Senate Health, 
Education, Labor and Pensions Committee by the United States General 
Accounting Office, ``HHS officials concluded that the volume of 
requests for such opinions was likely to be so great as to overwhelm 
the Department's capacity to provide technical assistance in other 
areas. However, they did not consider it unduly burdensome or 
unreasonable for entities covered by the regulation to perform this 
analysis . . .'' We are concerned that the Department has determined 
that it does not have the resources to make determinations on 
preemption, yet the industry is expected to do so.

                               CONCLUSION

    The ACLI recommends that the Regulation's ambiguities that could be 
construed to restrict life, disability income and long term care 
insurers' access to and use of protected health information be 
clarified. ACLI staff will be pleased to respond to any concerns or 
questions raised by members of the subcommittee.

                 CONFIDENTIALITY OF MEDICAL INFORMATION
                         PRINCIPLES OF SUPPORT

    Life, disability income, and long-term care insurers have a long 
history of dealing with highly sensitive personal information, 
including medical information, in a professional and appropriate 
manner. The life insurance industry is proud of its record of 
protecting the confidentiality of this information. The industry 
believes that individuals have a legitimate interest in the proper 
collection and use of individually identifiable medical information 
about them and that insurers must continue to handle such medical 
information in a confidential manner. The industry supports the 
following principles:

1. Medical information to be collected from third parties for 
        underwriting life, disability income and long-term care 
        insurance coverages should be collected only with the 
        authorization of the individual.

2. In general, any redisclosure of medical information to third parties 
        should only be made with the authorization of the individual.

3. Any redisclosure of medical information made without the 
        individual's authorization should only be made in limited 
        circumstances, such as when required by law.

4. Medical information will not be shared for marketing purposes.

5. Under no circumstances will an insurance company share an 
        individual's medical information with a financial company, such 
        as a bank, in determining eligibility for a loan or other 
        credit--even if the insurance company and the financial company 
        are commonly owned.

6. Upon request, individuals should be entitled to learn of any 
        redisclosures of medical information pertaining to them which 
        may have been made to third parties.

7. All permissible redisclosures should contain only such medical 
        information as was authorized by the individual to be disclosed 
        or which was otherwise permitted or required by law to be 
        disclosed. Similarly, the recipient of the medical information 
        should generally be prohibited from making further 
        redisclosures without the authorization of the individual.

8. Upon request, individuals should be entitled to have access and 
        correction rights regarding medical information collected about 
        them from third parties in connection with any application they 
        make for life, disability income or long-term care insurance 
        coverage.

9. Individuals should be entitled to receive, upon request, a notice 
        which describes the insurer's medical information 
        confidentiality practices.

10. Insurance companies providing life, disability income and long-term 
        care coverages should document their medical information 
        confidentiality policies and adopt internal operating 
        procedures to restrict access to medical information to only 
        those who are aware of these internal policies and who have a 
        legitimate business reason to have access to such information.

11. If an insurer improperly discloses medical information about an 
        individual, it could be subject to a civil action for actual 
        damages in a court of law.

12. State legislation seeking to implement these principles should be 
        uniform. Any federal legislation to implement the foregoing 
        principles should preempt all other state requirements.
                                 ______
                                 
     PREPARED STATEMENT OF THE BIOTECHNOLOGY INDUSTRY ORGANIZATION

    The Biotechnology Industry Organization (``BIO'') is pleased to 
have the opportunity to submit testimony expressing our concerns about 
the federal medical privacy regulation issued under the Health 
Insurance Portability and Accountability Act of 1996 \1\ 
(HIPAA) published on December 28, 2000.\2\ BIO represents more 
than 950 biotechnology companies, academic institutions, state 
biotechnology centers, and related organizations in all 50 US states 
and 33 other nations. BIO's members are in the business of conducting 
and sponsoring research designed to discover medicines, diagnostics, 
and innovative new forms of therapy. These companies provide a home 
base for researchers who are committed to finding ways to use science 
to meet unmet medical needs. For most BIO members, research is their 
business; only a handful have products approved for marketing. These 
companies are sustained by their prospective patients' hope and faith 
in their research enterprise, and by Americans' willingness to invest 
in that hope.
---------------------------------------------------------------------------
    \1\ Pub. L. No. 104-191 (Aug. 21, 1996) (amending the Social 
Security Act (``SSA'') by adding Part C of Title XI, codified at 42 
U.S.C. Sec. Sec. 1320d et seq.).
    \2\ 65 Fed. Reg. 82462 (Dec. 28, 2000).
---------------------------------------------------------------------------
    BIO's long-standing role as a proponent of federal legislation and 
regulations to safeguard the confidentiality of medical information 
stems from the recognition that (1) the availability of sensitive and 
detailed medical information about individuals is indispensable for 
biomedical research, and (2) this availability depends on patients' 
trust and confidence that researchers will use medical information 
responsibly and protect it from misuse. BIO's members have long 
endorsed the principles of respect for the medical privacy of 
individual patients and strong laws with incentives for all concerned 
to protect medical information from abuse and unauthorized disclosure. 
Researchers work hard to maintain the trust and confidence of the 
patients who make themselves available for research.
    BIO's members also believe, however, that patients are counting on 
them to vigorously pursue their research objectives. BIO believes that 
the public interest in the discoveries and findings of research is as 
strong as the public interest in medical privacy. We note that since 
the enactment of HIPAA, the public debate and hearing record amply 
document that no one--from patient groups to privacy advocates, 
providers, payers, and government officials--advocates that research 
should be made more difficult or costly by the legal framework that we 
establish to protect medical privacy.
    BIO is pleased that the final regulation published on December 28, 
2000 makes some significant improvements over the proposed rule 
regarding issues critical to the conduct of research. Our purpose in 
submitting this testimony is to express our great concern that the 
regulation still imposes significant new administrative burdens on 
those covered entities that choose to collaborate in our research 
activities, and we do not believe that these burdens are warranted in 
the context of the HIPAA administrative simplification regulations. 
Traditionally, a majority of clinical research sponsored by 
biotechnology companies involves collection of data by investigators 
associated with academic medical centers or other institutions that are 
``covered entities'' that are required to comply with the new 
regulation. BIO is deeply concerned that the additional costs of the 
significant new administrative requirements, together with the new 
civil and criminal liability to which they are exposed, may have the 
unintended consequence of making these institutions reluctant to host 
sponsored research, or incur greater cost and risk to do so.
    In particular, we are concerned that as they scramble to meet the 
aggressive timetable for bringing their patient care and reimbursement 
activities into compliance over the next two years, these entities may 
not have the time and resources to meet the new requirements for 
research imposed by the regulation--including developing the new forms, 
implementing the new review criteria and modifying the duties of 
Institutional Review Boards (IRBs). Research will suffer if 
biotechnology companies are unable to count on the collaboration of 
academic scientists and hospitals. In addition to these general 
concerns, BIO would like to offer comments on specific research issues 
directly affected by the medical privacy regulation.
    Regulation of Clinical Research. Research activities of 
biotechnology companies already are subject to the regulations of the 
Food and Drug Administration (FDA), the state laws that apply to every 
research site where we collect information about research participants, 
as well as the federal regulations that govern the IRBs responsible for 
reviewing each of the projects where data are collected from patients 
that are receiving care or participating in research at an academic 
institution.\3\ Research protocols typically involve data 
collected from individuals recruited by investigators affiliated with 
multiple separate institutions. As a result of the Common Rule, 
therefore, even without the new HIPAA requirements, the research 
protocols that companies sponsor, including the arrangements for 
safeguarding the privacy of participants and protecting the 
confidentiality of the data that is collected, are independently 
reviewed by IRBs at each institution where data are collected.
---------------------------------------------------------------------------
    \3\ These federal research regulations are known as the ``Common 
Rule'' because they have been adopted and codified by 16 federal 
agencies that are involved in conducting or supporting research with 
human research participants.
---------------------------------------------------------------------------
    Nevertheless, to the already duplicative regime in existence under 
the Common Rule, the regulation adds new requirements. Specifically, it 
mandates a new privacy authorization form that addresses separate legal 
issues from the informed consent form under which each research 
participant agrees to participate in research and acknowledges the 
potential risks. For example, the form addresses whether the research 
participant agrees that information from the treatment that is part of 
the research protocol can be made available to the researcher. No 
deviations are allowed from any of the elements that are required to be 
in this new form unless the IRB specifically ``waives'' the form of 
authorization using a complex and subjective set of criteria. Nothing 
about this process is related to the privacy of individuals' 
information transmitted in connection with the transactions specified 
in the HIPAA statute. This new research review requirement is simply a 
modification of the Common Rule to add privacy as a separate risk 
factor with its own IRB review, separate from the IRB's consideration 
of other risks to research participants. The desirability of such a 
proposal must be addressed in the context of a broader consideration of 
the current federal research regulations, not added to the duties of 
academic medical centers and other covered entities involved in 
research as part of HIPAA.
    De-Identified Information. Much useful research can be structured 
to protect privacy by creating incentives to use databases of de-
identified information--information that does not identify an 
individual. Notwithstanding the Secretary's acknowledgement of this 
fact, the ``safe harbor'' criteria in the regulation for creating a de-
identified database seem to be calculated to create data that are 
useless for research purposes. As a result, the regulation seems likely 
to have the incongruous result of encouraging researchers to seek 
review by an IRB, or to set up what the regulation calls a ``privacy 
board'' so that they can obtain data that are appropriate for research. 
BIO believes that de-identification appropriate to the researcher's 
proposed and permitted use of the data can be an effective means of 
protecting the confidentiality of data subjects. The regulation's use 
of a one-size-fits-all set of standards will deter people from taking 
these measures seriously in the research context.
    Post-Marketing Surveillance. BIO also is concerned that the 
regulation misunderstands the FDA regulatory scheme under which doctors 
and hospitals voluntarily report information about product outcomes to 
companies that are responsible for collecting information and reporting 
to FDA any ``adverse events.'' Companies collect information about 
unexpected events--often from health care providers--to detect which 
actually may be ``adverse'' events associated with use of a particular 
drug. By defining the permissible disclosure so strictly, and imposing 
serious penalties for infractions, the regulation may cause providers 
to be very conservative in selecting the few incidents to report.
    The regulation permits reporting only of ``adverse events'' and 
such reports must be made to the entity ``required to report'' them. As 
such, the provider must make subjective determinations about whether 
events are ``adverse''. The provider also must look beyond the name of 
the manufacturer on the label to ensure that the manufacturer is the 
entity ``required or directed'' by FDA to collect and report adverse 
events. It would be a terrible unintended consequence if, in the name 
of complying with federal privacy laws, providers were hesitant to 
report unusual outcomes to the manufacturer whose ``800'' number is on 
the product label, because of an uncertainty about whether or not the 
event is truly ``adverse'' or the labeled manufacturer is the entity 
required to collect and report events.
    The same problem arises in connection with exposure registries that 
are used to more systematically collect information on use of products 
by special sub-populations in order to identify any issues that may not 
have been detectable in the clinical trials that supported product 
approval. In some cases, FDA has authority to require or direct the 
manufacturer to operate these registries (e.g., fast-track approvals). 
In other cases, the manufacturer may be willing to conduct a registry 
and FDA may support the idea, but FDA does not have authority to 
``require or direct'' the manufacturer to do so. The privacy regulation 
says that covered entities may participate in the registries that FDA 
has ``required or directed'' but not in those that manufacturers 
voluntarily operate--even if they operate them consistent with the 
FDA's guidance documents regarding registries. We see no indication in 
Congress' enactment of the HIPAA administrative simplification 
requirements--including its provision for the Secretary to issue 
regulations protecting the privacy of medical information--that 
Congress wished the Secretary to use HIPAA's civil and criminal 
penalties in a manner that would cause providers to be leery of 
participating in our nation's system for monitoring the safety and 
efficacy of prescription pharmaceuticals.
    BIO urges a delay in the effective date of the regulations. A two 
year deadline for each of the separately issued elements of HIPAA has 
the potential to be harmful to research conducted with covered 
entities. Because requirements such as privacy and security are so 
closely related, most of the final arrangements for compliance with 
privacy cannot be addressed until the other is finalized.
    BIO also supports changes that would help facilitate critical 
medical research. We are living in an era of enormous promise and 
potential clinical breakthroughs as scientists use genetic knowledge to 
improve our medical interventions. Decades of responsible science under 
the Common Rule have shown that protecting the confidentiality of data 
and promoting medical research are mutually attainable goals. Perhaps 
the time has come to reexamine the Common Rule to ensure that it still 
provides the kind of comprehensive protection for research participants 
that is integral to the conduct of high quality research. There have 
been many changes in our research infrastructure and our science since 
the Common Rule was adopted. BIO looks forward to working with the 
Committee as it pursues that goal.
    Thank you.

    Mr. Bilirakis. Has the gentleman completed his opening 
statement?
    Mr. Ganske. I yield back.
    Mr. Bilirakis. Thank you. Mr. Stupak.
    Mr. Stupak. Thank you, Mr. Chairman. Let me mention part of 
my statement. I am disappointed that we did not hear from HHS 
or HCFA here today, because I believe there has been a great 
deal of misinformation spread about the final regulation put 
forth by the Clinton Administration. But I don't think anyone 
can argue with the fact that we do need uniform effective 
Federal guidelines in protecting an individual's right to 
privacy. People should not yield the right to privacy simply 
because they go to a doctor, contract an illness, take a 
diagnostic test, or suffer from a chronic disease.
    Consensus does exist on the need for fair information 
practices from the health record. The bottom line is that 
medical records belong to the patient and should not be 
disclosed without their consent.
    I look forward to this meeting and I hope we do get people 
from HCFA and HHS here to explain their implementations of the 
rule. I note that the subject matter of the hearing today is 
how to improve the medical record privacy regulations. If they 
are really not implemented yet, maybe we have the cart before 
the horse here, so I wish we had HCFA and HHS here.
    So with that, I yield back my time, Mr. Chairman.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Pitts for an opening statement.
    Mr. Pitts. Thank you, Mr. Chairman. Thank you for holding 
this important hearing today on Federal medical record privacy. 
The recent growth in medical and computer technology and the 
continuing changes in technology have made health information 
an essential tool in our country's health care system. When I 
was young, our family went to our family doctor for nearly all 
of our medical care. Today, patients see a variety of health 
care practitioners, including specialists and alternative care 
providers. In this new environment, practitioners must be able 
to share and communicate about a patient's medical information. 
Accurate available health information is extremely vital to 
determining the best treatment for a patient.
    Health information also is critical for basic insurance 
payments. Public and private payers need personal identifiable 
patient information primarily to pay billions of health care 
claims each year.
    I recognize concerns with the confidentiality of their 
health information and agree that these concerns must be 
addressed, and that is why I do believe that we have need to 
have some standards protecting patients' medical records. 
However, as we work to protect individuals' identifiable health 
information, we must also make sure it is available for basic 
insurance and health plan functions.
    Mr. Chairman, while I believe Congress has the 
responsibility to address consumer concerns, I also believe we 
must be careful not to adopt legislation that could undermine 
the health care industry's ability to provide these consumers 
with high-quality and affordable health care.
    Again, I look forward to hearing from our distinguished 
panel of witnesses their thoughts today on the current medical 
privacy regulation and how we can improve it.
    Thank you, Mr. Chairman.
    Mr. Bilirakis. The gentleman from Wisconsin, Mr. Barrett.
    Mr. Barrett. Thank you very much, Mr. Chairman, and thank 
you for holding this hearing on this exceedingly difficult 
issue. I believe that the Clinton administration made a good-
faith effort to address this issue after Congress failed to 
perform the duty it assigned itself. And I think that we have 
to be cognizant of that, that we were given the first kick at 
the cat and decided we would rather stand back and let somebody 
else do it.
    So I have to give them credit for moving forward on the 
issue. At the same time, I think some opponents and critics of 
the rule have raised some serious questions which we must 
consider in the context of these rules. But the overriding 
concern that I have is that the privacy issue is real and the 
privacy issue is not going away. So we can run but we cannot 
hide when it comes to this issue. At some point we have to 
face up to it. And I am glad that we have so many people 
here today to tell us their perspective on it and it is frankly 
much easier for me to learn when I am listening than when I am 
talking so I would yield back the balance of the time.
    Mr. Bilirakis. The Chair thanks the gentleman for that. Mr. 
Greenwood for an opening statement.
    Mr. Greenwood. Thank you, Mr. Chairman, for holding this 
hearing, and I thank the witnesses for appearing today. I 
appreciate this committee's resolve in addressing this 
important consumer protection issue. Today I will introduce 
legislation to secure the confidentiality of patients' medical 
information. I do so because the final regulations promulgated 
by the Clinton administration currently under review by the 
Bush administration are in my opinion woefully inadequate. In 
fact, I consider them an abject failure. The final rule does 
not preempt State law. It imposes a silly construct for patient 
authorization for the use and disclosure of information that 
has little to do with privacy. It increases dramatically 
paperwork requirements on already burdened providers. The rule 
may increase medical errors and, therefore, unnecessary injury 
and death. It will likely inhibit medical research that 
benefits all Americans and it runs counter to Congress's 
efforts to double the budget of the NIH to improve clinical 
research, to expand patient access to clinical trials, to speed 
delivery of safe drugs, devices and biologics to consumers, and 
to bring Medicare into the 21st century by covering prescription 
drugs.
    Each witness here today will testify that the regulations 
are either unacceptable because they are onerous, or need to be 
expanded because they are inadequate. Quite frankly, that is 
not good enough. The final rule Secretary Shalala issued on 
December 28 fails health consumers and it fails America. It 
should be rejected, and comprehensive legislation should be 
enacted in its stead.
    Janlori Goldman from Georgetown University will testify 
today that the final rule is a good starting point. She will 
say that all we need to do as a deliberative body is to build 
on the regulation's primal construct and we will seal the job 
of protecting medical health. I respect Ms. Goldman. I have 
worked closely with her, but I respectfully disagree with her 
on this point. The fact is, the final regulation embraces a 
dying concept in our society, one that embraces with bleary 
eyes a vision of the past that says we need only to lock 
medical files in crypts and file cabinets to ensure that our 
most intimate secrets remain undisclosed.
    It is a dismal vision that fails to capitalize on new 
information technology that, while frightening to some, has the 
potential to protect our personal data better than any lockbox 
and skeleton key ever could. The regulation embraces a concept 
that artificial geographic boundaries are relevant in the 
Internet world and a global economy. It states that accidents 
of geography should determine relative data security. This 
vision ignores advances in research protections and encryption 
technology as no more relevant today than buggy whips and 
butter churns. It embraces an uneven patchwork quilt of 
differing standards that will leave consumers and providers 
confused, pondering the question of why we can't capitalize on 
newfound wonders of computer security, enhanced accountability, 
and secured trust. It will harm, not help consumers.
    Finally, the regulation ignores the concept of the commerce 
clause embodied in our Constitution. For these reasons, we 
should lift our eyes from what we sought to secure in the past 
to what we might achieve in the future. We ought to reject this 
privacy rule and seek to bridge differences between Republicans 
and Democrats, liberals and conservatives, in order to find 
common ground that truly secures our most intimate secrets 
while advancing medical science. This rule seeks to lock in 
place where we have been, not where we need to go. Other than 
that I think they are fine, Mr. Chairman.
    Mr. Bilirakis. The gentleman's time has expired.
    Mr. Green for an opening statement.
    Mr. Green. Thank you, Mr. Chairman. I appreciate Mr. 
Greenwood's support for those regulations. Mr. Chairman, I will 
not give my total opening statement because I would like to 
hear from our panel, but obviously I disagree with my 
colleague. I think medical privacy is a very important issue and 
one that requires input from many different parties. I am 
pleased to see such a diverse group of witnesses today. I do 
wish a member from HHS was here, and hopefully before the 
Easter district work period we will be able to have someone.
    Keeping personal medical information private has been the 
cornerstone of the medical profession since the dawn of time. 
When taking the Hippocratic oath, the doctor promises, 
``Whatever in connection with my professional service I see or 
hear . . . I will not divulge as reckoning that all such shall 
be kept secret.''
    Unfortunately, medical information is no longer stored in 
filing cabinets in an office. Advances in technology mean that 
these records are on computers and they can be transferred very 
easily and accessed with a few keystrokes. We have heard the 
horror stories. What worries me is that 1 in 6 patients 
withhold information from their doctors because they fear it 
will not be protected. Without adequate information, doctors 
are hobbled in their ability to diagnose and treat patients, 
and the result is the patients risk an undetected and untreated 
condition which could escalate to even more painful and costly 
illnesses.
    There is a need for medical privacy regulations. I share my 
colleague from Pennsylvania's concern, and hopefully we can 
work together. I know there are groups on both sides of the 
aisle who want to see some changes, but I would hope this 
administration would not take civil steps to kill this medical 
privacy regulation. We saw what happened with the ergonomics 
rule that we took 10 years to create. We see what is happening 
with a number of regulations on environment. This is not 
setting a pattern for the bipartisan efforts that President 
Bush talked about. But I would hope that if we do need to make 
some changes in the regulations, that we can work together.
    And I yield back my time.
    Mr. Bilirakis. The Chair thanks the gentleman.
    Mr. Bryant.
    Mr. Bryant. Thank you, Mr. Chairman. I apologize for 
shuffling back and forth, but I am trying in the same day--I am 
trying to learn about medical privacy as much as possible, and 
electricity in California upstairs. And I also thank you for 
having this hearing and my consideration of wanting to hear 
from this panel.
    I will yield back my time, but probably the main reason I 
came back was to hear Mr. Markey's statement.
    Mr. Bilirakis. Yes. Mr. Markey has been patiently waiting. 
Mr. Markey is not a member of the subcommittee, but has 
requested to make a very short opening statement. Without 
objection, he will now be recognized.
    Mr. Markey. Thank you, Mr. Chairman. Thank you for your 
courtesy. Obviously the reason why so many members and so many 
Americans are now concerned is that over the last couple of 
weeks there have been a startling number of decisions that have 
been made by the Bush administration which have given us cause 
to be concerned about what could now happen to these privacy 
regulations. The gentleman from Texas, Mr. Green, alluded to 
the worker safety rules. Obviously there was a decision made on 
CO2, whether or not it is a pollutant, which helps to 
dramatically increase the problem of greenhouse gases causing 
global warming problems. And then there is the arsenic decision 
that was just made, you know. And obviously if they can make a 
decision on arsenic, then they can definitely make a decision 
on privacy that hurts public health and safety.
    Until this week EPA stood for the Environmental Protection 
Agency. Now it stands for ``Eat Plenty of Arsenic.'' There is 
absolutely no rationale for making that kind of a change. There 
is a Dickensian quality to the wires that have been installed 
over the last 10 years in this country: It is the best of wires 
and it is the worst of wires, simultaneously. It can enable and 
ennoble or it can degrade or debase simultaneously. We just 
cannot pretend that it is all good. It is not.
    All that information in your financial records, in your 
health records, in everything else you do, can now be compiled 
into a digital dossier that allows some company to know more 
about you than you know about yourself. But, moreover, when it 
comes to your health care records, it makes it possible for 
them to basically spread information that only you want to 
know. You might not have told anyone else in your family, much 
less everyone else in town, every company that is out there. So 
you should have a right to be able to protect yourself. I think 
that basically is the core right that we should all have. If 
there is a bottom-line core privacy right that we should 
have, it is to our own medical information, our own DNA, who we 
are. We should be able to control that.
    And whether or not you are on ESPN.Com or bought a book at 
Amazon.com, we can debate over that; but over who we are, who 
our family members are, husbands, wives, children, mothers, 
fathers, you know, we should have a right to know that it is 
going to be protected.
    So you have these information reapers now who are out there 
trying to gather this profile that they will be able to make 
money off of, replacing the information-keepers that we grew up 
with, that nurse, that doctor in the hometown, who we knew was 
never going to tell anyone about it. But the privacy peepers 
now do not just kind of learn a little secret about you, they 
also make money off of it. That is the fear: The more they 
learn about you is the more money they make. And that is why 
America is afraid, because they might ultimately decide in 
large numbers not to get the health care treatment which they 
need.
    And that is why privacy is going to be the civil rights 
issue of the next generations. Because this wire, this new 
digital built stream, makes it possible for all of this 
information to be gathered about people.
    Now, on April 15, we have tax day. On April 14, HHS has to 
make a decision as to whether or not they are going to protect 
America's privacy. Now, I say ``No Taxation Without 
Implementation'' of the health care privacy regulations. I 
think it would be a tragedy if people in the same week lost 
their privacy and had to pay their taxes. And in the long run, 
the loss of privacy would be a much greater harm for these 
families to suffer when it came to all of the medical secrets 
that they have.
    So, Mr. Chairman, I don't think we are going to have a more 
important hearing this year, and I hope that HHS does the right 
thing for the American people on this subject.
    I yield back the balance of my time.
    Mr. Bilirakis. I thank the gentleman. I note that we are 
happy that he did not insist as to privacy on his opening 
statement. But he has been a strong supporter of privacy 
throughout the years. I know we have heard an awful lot from 
Mr. Markey on this subject as well.
    Mr. Markey. Mr. Chairman, I have a letter from 50 Members 
to the Secretary of HHS on the subject. Could I insert it in 
the record?
    Mr. Bilirakis. I suppose there is no problem with your 
inserting that into the record. That will be the case.
    [The letter referred to follows:]

                      Congress of the United States
                                       Washington, DC 20515
                                                     March 20, 2001
The Honorable Tommy Thompson
Secretary of Health and Human Services
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
    Dear Secretary Thompson: We are writing to express our concern with 
the recent decision to open a new 30-day comment period on the final 
medical information privacy standards mandated by the Health Insurance 
Portability and Accountability Act (HIPAA). The health privacy of 
Americans has been on hold for far too long, and we respectfully urge 
you to put these important privacy protections into effect right away.
    This long-overdue regulation establishes for the first time a 
fundamental right to medical privacy. This new standard includes access 
to one's own medical records, a requirement of notice of how health 
information is going to be used and shared, a requirement of consent 
for use and disclosure, and limitations on employer access to personal 
health information.
    At this point, further delay of these crucial protections would be 
a major setback in years of effort to grant Americans the privacy they 
have demanded for so long. Americans have waited long enough for 
privacy protections, and every day that this rule is not in effect, the 
confidentiality of their patient records is at risk. Therefore, we 
urge you not to delay these protections any further.
    The process of developing the current regulation has been open and 
extensive. HIPAA, which passed with strong bipartisan support in both 
Houses in 1996, included a three-year deadline for Congress to pass a 
comprehensive medical privacy law. Understanding the importance of this 
issue, Congress built in a back-up plan giving the Secretary of Health 
and Human Services (HHS) the authority to promulgate a health privacy 
regulation in the absence of legislation by August 1999.
    Over the years that this regulation was developed, the views of 
Congress and interested parties were given ample consideration. In 
September 1997, the Secretary of HHS presented recommendations to 
Congress for legislation on medical privacy. Subsequently, several 
bills were introduced but no law was passed. HHS then issued a proposed 
rule in November 1999, and even extended the comment period by 45 days 
at the request of industry and consumer groups. The Department then 
considered more than 52,000 comment letters over ten months before 
issuing a final rule.
    We recognize that special circumstances may arise from time to time 
that are not fully anticipated in the regulation. For this reason, HHS 
is authorized in section 262 of HIPAA to work with the healthcare 
industry, providers, and consumers to resolve potential problems with 
compliance on a case-by-case basis. However, this process cannot begin 
until the covered entities move forward with implementing the rule.
    We strongly urge you to hold the line on medical privacy by 
allowing the regulation to take effect on April 14th as originally 
provided. Americans have waited too long for these critical privacy 
protections--they shouldn't have to wait any longer.
            Sincerely,
Edward J. Markey, Member of Congress; Edward M. Kennedy, United States 
    Senate; Henry Waxman, Member of Congress; Patrick Leahy, United 
    States Senate; John D. Dingell, Member of Congress; Christopher J. 
    Dodd, United States Senate; Richard A. Gephardt, Member of 
    Congress; Thomas A. Daschle, United States Senate; Gary A. Condit, 
    Member of Congress; Tom Harkin, United States Senate; Edolphus 
    Towns, Member of Congress; Jeff Bingaman, United States Senate; 
    Bill Luther, Member of Congress; Jack Reed, United States Senate; 
    Rosa L. DeLauro, Member of Congress; Hillary Rodham Clinton, United 
    States Senate; Pete Fortney Stark, Member of Congress; John F. 
    Kerry, United States Senate; Jim McDermott, Member of Congress; 
    John D. Rockefeller, United States Senate; James P. Moran, Member 
    of Congress; Robert G. Torricelli, United States Senate; Janice D. 
    Schakowsky, Member of Congress; Daniel K. Inouye, United States 
    Senate; George Miller, Member of Congress; Daniel A. Akaka, United 
    States Senate; John P. Murtha, Member of Congress; Jon Corzine, 
    United States Senate; Dennis Kucinich, Member of Congress; Patsy 
    Mink, Member of Congress; Maurice Hinchey, Member of Congress; Dale 
    E. Kildee, Member of Congress; John F. Tierney, Member of Congress; 
    James P. McGovern, Member of Congress; Anna Eshoo, Member of 
    Congress; Lucille Roybal-Allard, Member of Congress; Shelley 
    Berkley, Member of Congress; Jerrold Nadler, Member of Congress; 
    Jose Serrano, Member of Congress; Carolyn B. Maloney, Member of 
    Congress; Eleanor Holmes Norton, Member of Congress; Jim Turner, 
    Member of Congress; Wm. Lacy Clay, Member of Congress; Bob Filner, 
    Member of Congress; Robert A. Borski, Member of Congress; Sherrod 
    Brown, Member of Congress; Paul Wellstone, United States Senate; 
    Julia Carson, Member of Congress; and John Edwards, United States 
    Senate.

    Mr. Bilirakis. All right. We are going to break now. I will 
ask all of the witnesses to please take their seat so that as 
soon as we cast this vote and return, we can continue on.
    [Additional statements submitted for the record follow:]

 PREPARED STATEMENT OF HON. W.J. ``BILLY'' TAUZIN, CHAIRMAN, COMMITTEE 
                         ON ENERGY AND COMMERCE

    Let me begin by thanking Subcommittee Chairman Bilirakis for 
holding this timely hearing on the Federal medical record privacy 
regulation, which is now the subject of a comment period that expires 
at the end of the month.
    The Energy and Commerce Committee has already held two hearings 
this year on privacy. This hearing, of course, will focus on medical 
privacy, an area of the law that raises a host of important issues for 
consumers and health care providers.
    The specific purpose of this hearing today will be to examine a 
regulation that was issued in the closing days of the Clinton 
Administration. Once the new Administration has time to review the 
comments they are receiving on this regulation, we will bring Secretary 
Thompson's team forward and hear their thoughts about how the 
regulation can be improved. As I told my good friend Mr. Dingell this 
week, we are working to arrange a time to host Secretary Thompson or 
his designee at a hearing before this Committee so that we can inquire 
further into their positions on this privacy regulation.
    We all want to be sure that our medical records are kept private, 
and this is not a new concern. In fact, the Hippocratic Oath states 
that ``Whatever, in connection with my professional service, or not in 
connection with it, I see or hear, in the life of men, which ought not 
to be spoken of abroad, I will not divulge, as reckoning that all such 
should be kept secret.'' Physicians have subscribed to these tenets 
since at least the 4th Century B.C., and these principles still apply 
today.
    Unfortunately, in the interconnected 21st Century, relying on the 
Hippocratic Oath isn't good enough. Records are reduced to electronic 
form and shipped from one part of the country to another for diagnosis, 
payment, fulfilling prescriptions, or epidemiological research. Every 
American wants to know that their medical records remain confidential, 
and that sensitive medical information identifiable to them, is not 
bought, sold and displayed on the Internet. No one deserves to have 
that happen to them. We want to be assured that personally-identifiable 
health information is protected from public disclosure, and that 
privacy safeguards are developed that would complement rather than 
burden biomedical research. Moreover, we need to make sure that 
workable security systems are in place safeguarding the privacy of the 
medical records of American citizens. All of the protections on the 
books won't help consumers unless we can prevent criminals from 
breaking into computers and improperly accessing patients' medical 
records.
    And that's why we are here today--to discuss these issues. During 
this hearing, we want to examine the implications of moving forward 
with the Clinton Administration's privacy policy. While we have no 
doubt that drafting this regulation was an arduous process, and an 
unenviable task, we still need to explore how we can improve this 
regulation and make it work more effectively for consumers and health 
care providers.
    We all want today's hearing to be constructive. For example, I hope 
that we can hear about what parts of the regulation could be 
strengthened from a consumer's point of view. How can we better draft 
this regulation to bring these new protections to consumers in a more 
cost-effective way? What provisions need a little more fine-tuning in 
light of real-life practices? These are the kinds of issues we would 
like to explore today.
    Mr. Chairman, thank you again for holding this hearing. I look 
forward to hearing the testimony and learning more about these issues.
                                 ______
                                 

PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS 
                       FROM THE STATE OF NEW YORK

    I am hopeful that today's hearing rather than delaying medical 
privacy rules actually will move us one step closer to the 
implementation of the final rule on April 14th.
    As a former hospital administrator, I can speak from personal 
experience about how the climate has changed for the privacy of medical 
records. Doctors no longer simply maintain patient records under lock 
and key in a file cabinet. Today health information is both in paper 
and electronic form leaving patient privacy and confidentiality largely 
unprotected.
    Nowhere are these protections of more concern than in the area of 
on-line privacy of medical records. New initiatives like informatics--
the science of optimizing the storage, retrieval, and management of 
information found in patient records and medical databases--will 
revolutionize the traditional doctor-patient relationship. Experts 
argue that on-line medical records can improve the quality of 
healthcare through better efficiency, lower costs and the elimination 
of thousands of medical errors. I don't doubt that these improvements 
would occur. Confidentiality, however, can be a significant weakness in 
these systems.
    For example, there is nothing to prohibit a hospital employee from 
``snooping'' through a patient's record. In fact, yesterday's Supreme 
Court case, decided in favor of patient protection, arose from the 
overzealous decision by a hospital staff member to share positive drug 
test results from pregnant women with local law enforcement in 
Charleston, South Carolina. In fact, in many instances, an on-line 
review by an employee would be assumed to be authorized as part of that 
patient's care.
    Consequently, given the patchwork nature or in some cases the total 
absence of a privacy standard, April 14th becomes absolutely critical 
in terms of establishing a national standard for the protection of 
medical records. As the Ranking Member on the Subcommittee on Commerce, 
Trade and Consumer Protection, I anticipate that we will continue to 
examine e-commerce and privacy issues. It is my expectation that the 
national standard established by this medical privacy rule will guide 
our future considerations in the on-line privacy debate. This linkage 
makes it even more important for the rule to be finalized.
    Americans have waited long enough for medical privacy protections. 
I would urge Secretary Thompson to allow this rule to go into effect to 
create a privacy system that covers all health information held by 
hospitals, providers, health plans and health insurers. I am hopeful 
that our witness testimony today will support the finalization of this 
rule.
                                 ______
                                 

  PREPARED STATEMENT OF HON. ANNA ESHOO, A REPRESENTATIVE IN CONGRESS 
                      FROM THE STATE OF CALIFORNIA

    The American people expect, and are entitled to, confidential, fair 
and respectful treatment of their private health information. 
Currently, we do not have a federal standard, and the existing 
patchwork of state laws provides erratic protection at best.
    With the advent of managed care, patients can no longer depend on 
their family doctor to protect their confidentiality. Instead they are 
forced to place their trust in entire networks of insurers and health 
care providers with direct access to their sensitive medical 
information.
    The need for meaningful privacy protections is clear. Yet President 
Bush has arbitrarily decided to delay implementation of HHS regulations 
that would have provided them. The stated reason for the delay was to 
enlist further public comment, yet HHS has already received 53,000 
comments prior to issuing the final rule. I'm dismayed by the 
President's seeming callous disregard of our constituents' call for 
privacy protection and I hope that the purpose of this hearing is to 
help move the issue along rather than an effort to help stall 
implementation.
    As this Committee moves toward a solution to the privacy dilemma, I 
urge my colleagues to keep in mind the need to balance meaningful 
privacy protection with our interest in medical research. When we held 
hearings on this issue last year, I cautioned my colleagues that any 
legislation or regulation enacted should not erect unnecessary barriers 
to the ability to conduct medical research.
    I'm encouraged that my concerns appear to have been heard and the 
regulations include flexibility in the IRB structure applied to 
privately funded research. For example, the regulation allows expedited 
review for research on archived medical records. This is significant 
since information is the lifeblood of research. Without access to 
health data, patients would be the real losers.
    Mr. Chairman, our constituents have demanded that their federal 
representatives provide them with a meaningful federal standard to 
protect against unauthorized uses of their most private health 
information.
    At the same time, we must also ensure that these protections 
incorporate the appropriate flexibility to continue needed medical 
research. I believe the regulations put forth by the Clinton 
Administration go a long way toward achieving these two goals.
    Thank you Mr. Chairman. I look forward to hearing from the 
witnesses.

    [Brief recess.]
    Mr. Bilirakis. Let's have order, please. For the benefit of 
those who ordinarily do not come up here to testify, this is a 
very rude thing to do to you, and certainly very discourteous. 
We can't help it. When votes are called, we have to run over, 
and we hope you realize that. We understand that in just a few 
minutes we have a series of votes coming up, so there will be 
another series of votes before we have to break again.
    The Chair welcomes and thanks the witnesses, consisting of 
Dr. John D. Clough, Director of Health Affairs for the 
Cleveland Clinic Foundation; Ms. Mary Foley, President of the 
American Nurses Association; Dr. John Melski, Medical Director 
of Informatics at the Marshfield Clinic in Marshfield, 
Wisconsin; Dr. Paul Appelbaum, Chairman of the Department of 
Psychiatry, University of Massachusetts Medical School; Mr. 
Carlos R. Ortiz, Director of Government Affairs, CVS Pharmacy; 
Ms. Janlori Goldman, Director of Health Privacy Project, 
Institute for Health Care Research and Policy, Georgetown 
University; and Mr. Bob Heird, Senior Vice President, Anthem 
BlueCross BlueShield. Welcome.
    Your written statement is a part of the record. We would 
hope you would complement it orally. The clock is set for 5 
minutes. Obviously, if you are not completely finished, we will 
let you go on, but at the same time keep it as close to that as 
you can.
    We will start off with Dr. Clough. Is that the correct 
pronunciation?
    Mr. Clough. Correct.
    Mr. Bilirakis. There has been a Dr. Clough in Tarpon 
Springs, Florida for many, many years.
    Mr. Clough. Probably a distant relative.

   STATEMENTS OF JOHN D. CLOUGH, DIRECTOR OF HEALTH AFFAIRS, 
CLEVELAND CLINIC FOUNDATION; MARY E. FOLEY, PRESIDENT, AMERICAN 
     NURSES ASSOCIATION; JOHN MELSKI, MEDICAL DIRECTOR OF 
   INFORMATICS, MARSHFIELD CLINIC; PAUL APPELBAUM, CHAIRMAN, 
 DEPARTMENT OF PSYCHIATRY, UNIVERSITY OF MASSACHUSETTS MEDICAL 
 SCHOOL; AND CARLOS R. ORTIZ, DIRECTOR OF GOVERNMENT AFFAIRS, 
                          CVS PHARMACY

    Mr. Clough. Good morning, Chairman Bilirakis, Vice Chairman 
Norwood, Mr. Brown, and distinguished members of the committee. 
I am Dr. John Clough, director of health affairs at the 
Cleveland Clinic. I have also been a practicing rheumatologist 
for 30 years. I thank you for allowing me----
    Mr. Bilirakis. Your mike, sir. Please pull it closer. We do 
want to hear what you have to say.
    Mr. Clough. I thank you for allowing me to offer testimony 
today on behalf of American Medical Group Association, the 
AMGA, and the Health Care Leadership Council, HLC.
    The AMGA represents approximately 300 medical care groups 
which care for 35 million patients nationwide. The HLC 
represents CEOs of the Nation's leading health care companies 
and institutions, including hospitals, and the Cleveland Clinic 
is a member of both.
    Medical group providers strongly support the 
confidentiality of patient information and appreciate the 
Department's efforts in this respect. The HLC and AMGA support 
creating workable, nationally uniform standards that protect 
confidentiality, including the rights of patients to inspect 
their records, notice of confidentiality practices, safeguards 
for information, and prohibition of unauthorized disclosure of 
patient information for purposes other than treatment, payment, 
health care operations and research.
    The final HHS regulation contains several improvements from 
the originally proposed regulation. Nevertheless, I would like 
to highlight three key provisions that appear to be unworkable, 
would disrupt patient care, would divert limited resources from 
treating patients. These are the prior consent requirement, the 
minimum necessary standard, and the rules governing disclosure 
of information to business associates. We need to delay the 
implementation of the rule until these issues are appropriately 
addressed.
    In terms of prior consent, in a major departure from the 
proposed rule, HHS created a prior consent mandate on 
providers. This unprecedented mandate would require doctors to 
obtain a signed written consent from patients before using or 
disclosing patient information for even the most routine 
purposes, including treatment. This is unworkable for several 
reasons. The task for physicians and the cost to medical groups 
to obtain such consents for more than 200 million Americans is 
daunting. No State of which I am aware currently requires prior 
consent to use or disclose information for treatment. This 
requirement will disturb a range of routine provider practices 
from sending out reminder notices about appointments, to 
conducting disease management and maintaining quality 
improvement programs. It could force patients to make an extra 
trip to the hospital to sign consent forms before a hospital 
can use any medical information about them.
    Here is one of many examples of how the rule could disrupt 
routine patient care. Today, increasing numbers of surgical 
procedures are performed in the outpatient setting. Now, if I 
refer a patient for outpatient surgery, he or she would not 
have to go to the ambulatory surgery facility until the day of 
the operation. Under the new consent requirement, however, the 
patient would have to make a special trip to sign the necessary 
consent forms before the operation could even be scheduled. To 
add to the confusion, the patient must be given the opportunity 
to restrict or revoke the consent at any time. But what if the 
patient revokes consent for use of information supporting 
payment but the information is also needed for key health care 
operations such as infection tracking, quality assurance, 
outcomes assessment and so on?
    The prior consent requirement dehumanizes the relationship 
between patient and physician, a relationship that is built 
upon patient trust that a physician will use good professional 
judgment to determine the use of the patient's information, 
particularly in care management.
    We recommend that HHS eliminate this overly burdensome and 
costly requirement and return to the statutory authorization as 
in the originally proposed rule. In the case of ``minimum 
necessary'' in today's coordinated systems of health care 
delivery, information sharing and use by teams of physicians 
and other health professionals is the key to the quality, 
efficiency, and effectiveness of medical care and prevention, 
detection, and mitigation of medical errors. The minimally 
necessary provision is not necessary itself, especially as it 
applies to internal uses of patient information. The regulation 
should allow health care providers to develop their own set of 
guidelines and rules based on what is best for the patient.
    Finally, as to business associates, rewriting contracts 
with every entity to which the Cleveland Clinic discloses 
patient information in order to achieve compliance with this 
regulation will require a substantial amount of legal and 
professional time, effort, and expense. We believe that these 
problems can be addressed and the rule can move forward, but 
rushing forward on a flawed and unworkable regulation could 
hinder the cause of protecting and improving the quality of 
health care. It makes sense to get the regulation right the 
first time, before hospitals and others have spent limited 
resources to comply with the rule that has to be changed.
    Therefore, we urge the Department to delay the April 14, 
2001 effective date to give the Department adequate time to 
consider the many comments it will receive. Once these comments 
are carefully considered, a new version of the rule fixing the 
problems we have identified can be promulgated with our 
support.
    Thank you very much.
    [The prepared statement of John D. Clough follows:]

    PREPARED STATEMENT OF JOHN D. CLOUGH, DIRECTOR, HEALTH AFFAIRS, 
  CLEVELAND CLINIC FOUNDATION, ON BEHALF OF THE AMERICAN MEDICAL GROUP 
           ASSOCIATION AND THE HEALTHCARE LEADERSHIP COUNCIL

    Good morning, Chairman Bilirakis and members of the subcommittee.
    I am Dr. John D. Clough, Director of Health Affairs, Cleveland 
Clinic Foundation. I am also a practicing rheumatologist. I offer 
testimony today on behalf of the American Medical Group Association 
(AMGA) and the Healthcare Leadership Council (HLC).
    The AMGA represents approximately 300 medical groups that care for 
35 million patients nationwide. The HLC represents the CEOs of the 
nation's leading health care companies and institutions.
    Thank you for giving me this opportunity to testify on the HHS 
regulation. Medical group providers strongly support the 
confidentiality of patient information. We appreciate the Department's 
effort to create meaningful and balanced federal standards to protect 
the security of each individual's health information.
    The HLC and AMGA support creating nationally uniform standards 
protecting confidentiality, including giving patients the right to 
inspect their records, notice of confidentiality practices, creating 
safeguards for information, and prohibiting disclosure without 
authorization of patient information for purposes other than treatment, 
payment, health care operations, and research.
    The final HHS regulation contains several improvements from the 
proposed regulation. However, I would like to highlight three key 
provisions that are unworkable, would disrupt patient care, and divert 
limited resources from treating patients: The prior consent 
requirement, ``minimum necessary'' standard, and ``business 
associates.''
Prior Consent
    In a major departure from the proposed rule, HHS created a prior 
consent mandate on providers. This unprecedented mandate would require 
doctors to obtain a signed, written consent from patients before using 
or disclosing patient information for even the most routine purposes, 
including treatment. This mandate is unworkable because:

 • The task for physicians and the cost to medical groups of 
        obtaining such consents from over 200 million Americans is 
        daunting.
 • In no state of which we are aware do doctors routinely obtain 
        prior consent to use patient information for treatment.
 • As of the compliance date for the HHS regulation, no physician 
        will be able to use information for most activities without a 
        signed consent. Thus, routine practices by providers will be 
        disrupted, from sending out reminder notices about appointments 
        to conducting disease management and maintaining quality 
        assurance programs.
 • This requirement could force patients to make an extra trip to 
        the hospital to sign a consent form before the hospital can use 
        any medical information about them.
 • More and more surgeries are on an outpatient basis today. 
        Currently, if I see a patient and refer her to have an 
        outpatient surgical procedure, she would not have to go to the 
        outpatient facility until the day of the surgery. With the new 
        consent requirement, however, she would have to make a special 
        trip to sign the necessary consent forms before the outpatient 
        facility could use her information to schedule surgery and 
        initiate the intake process.
 • To add to the confusion, a patient must be given the 
        opportunity to restrict or revoke the consent at any time. This 
        poses significant difficulties for group practices. What if 
        there is a restriction on, or revocation of, a consent for 
        payment or health care operations and the information is needed 
        for billing or key health care operations such as infection 
        tracking, quality assurance, outcome assessments, and so on?
    The prior consent requirement de-humanizes the relationship between 
the patient and physician--a relationship that is built upon patient 
trust that a physician will use good professional judgment to determine 
the use and disclosure of the patient's information, particularly in 
the course of treatment of the patient. We advocate that HHS should 
eliminate such an overly burdensome and costly requirement and return 
to the statutory authorization as under the proposed rule.

Minimum Necessary
    Most health care services today are delivered in some form of 
organized or coordinated system of delivery. Information sharing and 
use by teams of physicians and health professionals is the key to 
quality medical care for patients, and the key to improvements in 
patient care. The sharing of information among health care 
professionals in an integrated system is critical to their ability to 
serve patients in the most efficient and effective way.
    Under the rule, providers must make reasonable efforts to limit the 
use and disclosure of information to what is minimally necessary to 
accomplish its intended purpose. Under the final rule, disclosures and 
requests are excluded from the requirement; however, there is no such 
exclusion for ``use'' of information. This potentially limits the 
ability of providers to use a complete medical record for treatment 
purposes. The concept of limiting the use of the full medical record 
for treatment purposes would appear to be completely contrary to 
efforts to prevent medical errors and promote patient safety.
    This provision is unnecessary, particularly to the extent it 
applies to internal uses of patient information. Rather than establish 
a minimum necessary standard, the regulation should allow health care 
providers to develop their own set of guidelines and rules about what 
they believe is the necessary standard and what is best for the 
patient.

Business Associates
    Rewriting and recontracting with every entity to whom Cleveland 
Clinic discloses patient information in order to achieve compliance 
with this regulation will require a substantial amount of legal and 
professional time, effort and expense. Last week, Secretary Thompson 
testified regarding the need to ensure administrative simplification of 
complex and burdensome regulations. Also, the underlying intent of the 
section of HIPAA in which privacy falls is ``administrative 
simplification.''
    Yet, the ``business associate'' requirements would necessitate 
hundreds, and for some entities, thousands of privacy contracts. We 
recommend that the business associate provision be removed because HHS 
has exceeded its statutory authority under HIPAA. We especially object 
to a requirement of a contract between covered entities and business 
associates.
    We believe that these problems can be addressed and the rule can 
then move ahead. Rushing forward on a flawed regulation that is 
unworkable could set back the cause of protecting confidentiality and 
improving the quality of health care. It makes sense to get the 
regulation right the first time, before hospitals and others have spent 
limited resources on complying with a rule only to see it changed. 
Therefore, we urge the Department to delay the April 14, 2001, 
effective date to give the Department adequate time to consider the 
many comments it will receive. Once these comments are carefully 
considered, a new version of the rule fixing the problems we have 
identified can be promulgated with our support.

    Mr. Bilirakis. I thank you. Ms. Foley.

                   STATEMENT OF MARY E. FOLEY

    Ms. Foley. Thank you, Mr. Chairman, and members of the 
subcommittee. I am Mary Foley, registered nurse and president 
of the American Nurses Association, which is the only full 
service professional organization that represents our Nation's 
registered nurses in all 53 State and territorial nursing 
associations.
    It is a great pleasure to be here this morning and offer 
our views on patients' privacy and confidentiality regulations 
as issued by the Department of Health and Human Services in 
December of last year. Mr. Chairman, as I indicated, I am a 
health care practitioner, and until I became president of the 
American Nurses Association just over a year ago, I was a nurse 
executive in a medium-sized hospital in urban California. 
Before that I spent 17 years as a staff nurse at that hospital, 
and I have also been a clinical instructor in nursing.
    The second charge in the code for nurses, our ethical code, 
states, ``the nurse safeguards the client's right to privacy by 
judiciously protecting information of a confidential nature.'' 
That very simple statement is an obligation that our profession 
takes very seriously. Virtually all of our members are involved 
in creating, transmitting, maintaining, and safeguarding 
patient records on a daily basis as an integral part of their 
professional practice. Working on the front line of health 
care, registered nurses are well aware of the concerns their 
patients have regarding privacy and confidentiality. We remain 
professionally committed to strong, enforceable standards to 
protect the confidentiality of the health information of our 
patients. This commitment has always been a part of the 
professional practice.
    In my testimony this morning I will focus on two aspects of 
this issue that I can speak to as a nurse and as a 
representative of the nursing profession. First, it is the 
necessity to keep our focus on what is best for patients; and, 
second, it is the practical application of this standard in 
health care settings. The most important test that these 
regulations must meet is whether every individual patient's 
reasonable expectation for privacy and confidentiality is 
addressed. Can I assure my patients when they are describing 
the most intimate, troublesome, embarrassing, frightening 
aspects of their lives to people who will treat and care for 
them that there are safeguards for maintaining the 
confidentiality of this sensitive and important information? 
Mr. Chairman, if I can't do that, many of my patients and many 
around this country will go without treatment or will disclose 
only some of the information, a very dangerous proposition 
which can lead to improper diagnosis, improper treatment, 
complications in an illness or injury, negative drug 
interactions, adverse events, or even death.
    It is hard to talk about a whole range of sensitive issues 
which might include mental illness, sexual practices, and 
physical abuse. It will not happen at all if you think your 
story is going to be grist for the local gossip mill or sold to 
a corporation that will farm it out to telemarketers in case 
you might be in the market for a pregnancy test, or also that 
it could be available to your employer who would then have the 
opportunity to consider the implications perhaps for your 
prescription for antidepressants.
    This concern for our patients must be our overriding 
concern, not whether the rule will be inconvenient for 
hospitals or practitioners or for the staff people who handle 
insurance paperwork.
    This regulation requires that a covered entity must 
reasonably safeguard protected health information from any 
intentional or unintentional use or disclosure. And, of course, 
it must. Our accrediting bodies for hospitals already require 
that. Any suggestion that this is new or burdensome for health 
care institutions is really unfounded. You watch your voice, 
you don't talk about patients by names in the hallways. You 
post prominent notices in their predominant languages for 
patients, informing them that the staff will work to meet their 
request for greater privacy, and then follow through on it. We 
were already complying with the intent.
    These instructions are the stuff of daily work in a 
hospital setting and every nurse is trained to be in tune to 
its importance. And any hospital or practitioner that isn't 
already doing it, and doing it seriously, is a menace. Every 
day there are practitioners who, as a matter of ethics and 
successful treatment, must be able to ensure their patients 
that their records are protected. We have a patchwork of State 
laws that provide some protections to some people, some of the 
time, in some places. We need this national standard for basic 
protections for all of our people, all of the time, in every place 
in this Nation.
    Thank you Mr. Chairman. I remain available to answer any 
questions.
    [The prepared statement of Mary E. Foley follows:]

    PREPARED STATEMENT OF MARY E. FOLEY, PRESIDENT, AMERICAN NURSES 
                              ASSOCIATION

    Mr. Chairman and Members of the Subcommittee: I am Mary Foley, 
President of the American Nurses Association, which is the only full-
service professional organization representing the nation's registered 
nurses through our 53 state and territorial nurses associations. It is 
a pleasure to be here this afternoon to offer our views on the patient 
privacy and confidentiality regulations issued by the Department of 
Health and Human Services in December of last year.
    Mr. Chairman, I am a health care practitioner. Until I became 
President of the American Nurses Association just over a year ago, I 
was a nurse executive in a medium-sized hospital in California. Before 
that, I spent seventeen years as a staff nurse, and I have served as 
clinical instructor in nursing.
    The second charge in the Code for Nurses states, ``The nurse 
safeguards the client's right to privacy by judiciously protecting 
information of a confidential nature.'' That simple statement is an 
obligation the nursing profession takes very seriously.
    Virtually all of ANA's members are involved in creating, 
transmitting, maintaining, and safeguarding patient records on a daily 
basis as an integral part of their professional practice. Working on 
the front line of health care, registered nurses are well aware of the 
concerns of their patients regarding privacy and confidentiality and 
are professionally committed to strong enforceable standards to protect 
the confidentiality of the health information of their patients.
    This commitment has always been a part of professional practice. 
But the need for Federal law is in large part a function of the 
momentous change in communications technology. Health care 
professionals have always been aware of the importance of 
confidentiality and the possibilities for carelessness; the need for 
that reminder in the code of ethics is real. But the complexity of the 
health care system means that transgressions of patient 
confidentiality, intentional or not, have much broader consequences 
than ever before, because the information travels further and faster 
and cannot be retrieved.
    In my testimony, I will focus on two aspects of this issue that I 
can speak to as a nurse and as a representative of the nursing 
profession: First, is the necessity to keep our focus on what is best 
for the patient. Second, is the practical application of this standard 
in health care settings.
    The most important test that these regulations must meet is whether 
every individual patient's reasonable expectations for privacy and 
confidentiality are addressed. Can I assure my patients that--when 
they are describing the most intimate, troublesome, embarrassing, 
frightening aspects of their lives to people who will treat them and 
care for them--there will be safeguards for maintaining the 
confidentiality of this sensitive information?
    Mr. Chairman, if I can't do that, many of my patients will go 
without treatment or will disclose only some of the information, a 
dangerous proposition, which can lead to improper diagnosis, improper 
treatment, complications in an illness or injury, even death. It is 
hard to talk about a whole range of sensitive issues, which might 
include mental illness, sexual practices, and physical abuse. And it 
will not happen at all if you think your story is going to be grist for 
the local gossip mill or sold to a corporation that will farm it out to 
telemarketers in case you might be in the market for a pregnancy test 
or be available to your employer, who will have then the opportunity to 
consider the implications of a prescription for anti-depressants.
    This concern for our patients must be our overriding concern, not 
whether the rule will be inconvenient for hospitals or practitioners or 
staffers who handle insurance paper work.
    This regulation requires that ``a covered entity must reasonably 
safeguard protected health information from any intentional or 
unintentional use or disclosure . . .'' Of course it must. Accrediting 
bodies for hospitals already require it. Any suggestion that this is a 
new or burdensome requirement for health care institutions is really 
unfounded. Watch your voice, don't talk about patients by name in the 
hallways, post prominent notices for patients informing them that staff 
will work to meet their requests for great privacy--and do it. These 
instructions are the stuff of daily work in a hospital setting. Every 
nurse is trained to be attuned to its importance. And any hospital or 
practitioner that isn't already doing it--and doing it seriously--is a 
menace.
    The American Nurses Association has long been in the forefront of 
organizations that have worked for better and more standardized 
electronic communications among health care providers as an important 
improvement in patient treatment and care. It is clear that the work in 
this area undertaken as a result of the Health Insurance Portability 
and Accountability Act will provide a huge cost benefit to plans and 
providers, as well. For the health care industry to accept this 
financial boon and then attempt, as is apparent in recent weeks, to 
weaken or impede these important safeguards to patient privacy and 
confidentiality is unfortunate and counterproductive.
    We believe that this rule should go forward as issued. Congress 
ordered the Department of Health and Human Services to develop and 
promulgate this standard, absent Congressional action in the three 
years following enactment of the Health Insurance Portability and 
Accountability Act. The Department issued the standard as directed, 
after having sought and worked through an immense number of comments 
from a full range of stakeholders in the process. It is certainly 
remarkable to hear that some stakeholders believe that they have not 
been afforded a full opportunity to be heard. As would be expected, 
changes were made in the proposed rule in response to comments. The 
Department was careful to point out in its request for comments areas 
in which more information was wanted, such as the approach on 
requirements for patient consent. No final rule can ever be issued if 
it is always subject to additional comment. It is clear from a decade 
of Congressional attempts to fashion legislation on this issue that not 
all stakeholders will agree on some aspects of the issue, but the 
paramount concern must be the continuing and growing need for the 
regulation.
    Are there issues that ANA considers important for future regulatory 
or legislative action? Yes. There is still inadequate protection for 
occupational health nurses who are daily pressured by their employers 
for access to information about employees who are treated at the work 
place. There is still no private right of action for individuals whose 
identifiable health information is recklessly disclosed. There is still 
inadequate protection from the use of private information for marketing 
purposes--the essence of privacy is the right to be left alone. There 
are still inadequate restraints on law enforcement access to 
information.
    But these issues--and issues that may trouble other providers, 
consumers, or covered entities--may be dealt with in the future through 
legislation or regulation. Congress wisely in 1996 recognized that a 
legislative remedy could be difficult to achieve and wisely recognized 
that health privacy and confidentiality are far too important to be 
left subject to the vagaries of a difficult legislative environment.
    We come back to our original point: for nurses, the first issue is 
protecting our patients. The regulation as issued is too important to 
be delayed or rescinded. There is time, if efforts are made in good 
faith, for covered entities to comply with this regulation. And there 
are administrative and--of course, ultimately--legislative remedies 
available for any aspect of the rule that should prove to be 
unworkable.
    In the meantime, every day there are practitioners who, as a matter 
of ethics and successful treatment, must be able to assure their 
patients that their records are protected. We have a patchwork of state 
laws that provide some protections to some people some of the time in 
some places. We need this national standard of basic protections for 
all of our people all of the time in every place in the nation.

    Mr. Bilirakis. Thank you very much, Ms. Foley.
    Dr. Melski.

                    STATEMENT OF JOHN MELSKI

    Mr. Melski. Thank you, Chairman Bilirakis, for the 
opportunity to speak to the House Subcommittee on Health, and 
special thanks to Representatives Sherrod Brown and Tom 
Barrett.
    I speak to you as a physician whose code of ethics 
recognizes the solemn duty for confidentiality of what our 
patients reveal to us. And I also speak to you as Medical 
Director of Informatics, whose mission is to ensure that no 
patient ever suffer and to make sure that information is always 
available, whenever and wherever needed. Thus, my entire 
professional life is a struggle for a balance between 
concealment and revelation.
    As technology has advanced and the demand for both 
concealment and revelation has increased, the stakes have 
become higher. I am here to bear witness that some of the well-
intentioned provisions in the privacy regulations may have 
undesirable consequences, even though we support the 
predominance of the regulations.
    If you take away only one thing from my testimony, let it 
be that privacy and secrecy can be two sides of the same coin. 
As you consider any privacy regulation, substitute in your mind 
the word ``secrecy'' to ensure that you fully considered the 
consequences of the regulation. Privacy is not exactly the same 
as secrecy. Privacy applies to the narrow domain of personal 
information. Privacy is essential to our identity and our 
autonomy. But within this domain of personal information, your 
privacy is secrecy to me and my privacy is secrecy to you. In 
the real world of caring for the sick, the poor, the mentally 
ill, the aged, and the young, the letters abound because of the 
duality of privacy and secrecy.
    Consider the estimated 20 percent of patients who are told 
that death is near, yet have no memory of the news after a few 
days. Or the alcoholic in denial, or the school bus driver with 
a serious heart condition, or the parent with a genetic disease 
they wish to conceal from their children, or the elderly 
patient who is becoming forgetful, or the frightened adolescent 
who is pregnant or addicted, or the patient with a disease that 
is both contagious and stigmatizing, or the troubled patient 
who reveals their intent to harm themselves or another, or the 
child with evidence of abuse.
    Only by appreciating that the favorable presumption 
afforded to privacy is not always correct in the complex worlds 
of health care can this committee appreciate that regulation 
can never fully substitute for discretion. It is discretion 
that is needed to choose between the privacy of the individual 
and revelations to the healing community. The sinking of the 
Titanic is said to have initiated the modern era of regulation, 
but discretion in health care will never be as easily 
prescribed as the number of life boats.
    Consider the potentially disastrous consequences of the 
requirement for prior consent treatment. In a recent 
conversation with my mother on the occasion of her 83rd 
birthday, she was told that I would be testifying to this 
committee on privacy and health care. It was a challenge for 
her to understand why I needed to do this, because I hope that 
neither she nor any of my vulnerable patients will be 
confronted with yet another barrier to health care. It is 
because the nine pages proposed as a model of what patients 
need to understand in order to consent will be incomprehensible 
to those most in need. It is because it is incomprehensible to 
me that we would jeopardize the delicate task of building trust 
between the physician and patient by requiring a legal contract 
before the relationship has even begun.
    What message does prior consent send to our patients who 
have impaired vision, hearing, or literacy? How will prior 
consent help or even work in life's transitions from childhood 
to adulthood, from independence to dependence, from competency 
to incompetency? How many patients will forsake evidence-based 
medicine in favor of supplements and anecdotal remedies because 
of prior consent? How many children will not be immunized 
because of the barrier of the prior consent? And what will 
become of our dream to share other preventive information with 
all providers for the benefit of all our patients?
    In the transition to a world of prior consent, how will 
patients make appointments, get answers to their questions over 
the phone or by e-mail, get new prescriptions, or get old 
prescriptions refilled? In a world after prior consent, how 
will we help those who ill-advisedly revoke their consent? How 
will we process their bills and do peer review or even take 
care of them?
    Another conundrum resulting from the attempt to regulate 
discretion is the minimum standard. The phrase, ``reasonable 
efforts to limit the use of health information,'' will likely 
consume yet more precious resources in the possibly futile task 
in interpreting the definition of the use. What will the 
minimum necessary standard mean for teaching, for coordination 
of care, for cross coverage, or even consultation? And for 
those of us charged with creating an electronic medical record, 
how in this century will we ever program the rules of 
discretion implied by the minimum necessary standard?
    In conclusion I suggest that public disclosure of privacy 
policies is reasonable, but the burden of prior consent is not. 
I suggest that allowing clinical discretion in matters of 
privacy is reasonable, but the burden of the minimum necessary 
standard is not.
    Thank you for your attention.
    [The prepared statement of John Melski follows:]

  PREPARED STATEMENT OF JOHN MELSKI, MEDICAL DIRECTOR OF INFORMATICS, 
                           MARSHFIELD CLINIC

    On behalf of Marshfield Clinic, I am pleased to have the 
opportunity to submit comments on the final rule adopting standards for 
the privacy of individually identifiable health information (``final 
privacy rule'') published in the Federal Register on December 28, 2000. 
I commend you for holding this hearing and believe that Secretary 
Thompson should be applauded for seeking public input on the rule. Our 
internal analysis of the final rule suggests that patient care will be 
compromised significantly if this rule is implemented. In this 
testimony I will identify the problems that we have found and suggest 
remedies that may be applied.
    The Marshfield Clinic is the largest private group medical practice 
in Wisconsin and one of the largest in the United States, with 603 
physicians, 4,546 additional employees, and 1.6 million annual patient 
encounters. A not-for-profit corporation, the Marshfield Clinic system 
includes a major diagnostic treatment center, a research facility, a 
reference laboratory and 39 regional centers located in northern, 
central and western Wisconsin. Patients from every state in the nation 
plus patients from every county in Wisconsin were seen within the 
system in the last fiscal year. Security Health Plan of Wisconsin, a 
not-for-profit health maintenance organization, is a wholly owned 
subsidiary of the Marshfield Clinic and provides financing for health 
care services for almost 120,000 members throughout northern, central 
and western Wisconsin. During the last three decades, Marshfield Clinic 
has funded and installed a sophisticated electronic medical record 
which now contains years of historical data, including diagnoses, 
procedures, test results, medications, immunizations, alert events, 
outcome measurements, and demographics. Marshfield Clinic's 39 regional 
centers are linked by common information systems. Our physicians have 
stated that one of the greatest advantages of the electronic record is 
that they can quickly review their patient's care at other Marshfield 
facilities so that they can easily use the knowledge gained by their 
colleagues to provide the best possible care. Easy access to previous 
diagnostic test results avoids duplicate ordering of lab and radiology 
tests. Marshfield Clinic has invested significant time and resources to 
build a state-of-the-art electronic medical record system to better 
serve patients through accessible, high quality health care, research, 
and education. We presently put 2.5% of revenue into the operation and 
maintenance of the Clinic's information system, a cost for FY 2001 that 
works out to $22,073 per physician. We believe that if this rule is 
implemented our annual operational costs may increase significantly, in 
addition to the start up costs of implementation. We do not believe 
that these new costs would add any benefit to patient care.
    Marshfield Clinic is committed to protecting patient privacy and 
confidentiality. We support the administrative simplification goals of 
the Health Insurance Portability and Accountability Act (``HIPAA'') to 
reduce the administrative costs of providing health care. However, in 
analyzing the impact of the final privacy rule, our overriding 
consideration is the best interest of our patients. Certain provisions 
of this final rule are incongruent with Marshfield Clinic's mission of 
serving patients through accessible, high quality health care, research 
and education. We do believe it is possible to balance the goals of 
protecting the confidentiality of patient information, while also 
allowing health care professionals to obtain the necessary information 
to coordinate patient care. We anticipate that the costs associated 
with compliance with this rule will substantially exceed HHS' 
estimates.
    We have spent a great deal of time and resources to gain a working 
knowledge of this extremely complex rule--both in its proposed and 
final forms--and have kept an accounting of our internal costs, which 
are not insignificant. We have also identified problems in the final 
privacy rule that are simply unworkable and could seriously disrupt 
patient access to health care. We believe that the final privacy rule, 
as it is now written, may impede effective and accurate treatment, 
curtail preventative health care measures, and impose compliance costs 
that are completely antithetical to HIPAA's administrative 
simplification goals.
    We will focus our comments on two key areas of concern: the prior 
consent requirement and the minimum necessary standard. We also 
summarize other issues that betray inconsistencies in the rulemaking 
process.
Prior Consent for Treatment, Payment and Health Care Operations
    Section 164.506 of the final privacy rule requires health care 
providers to obtain a patient's written consent prior to using or 
disclosing protected health information to carry out treatment, 
payment, or health care operations. The consent form must refer the 
patient to the provider's notice of privacy practices (as required by 
section 164.520) for a more complete description of such uses and 
disclosures and it must state that the patient has the right to review 
the notice prior to signing the consent.
    We are deeply concerned about the potential impact of this 
provision on our ability to deliver health care to patients. Although 
we submitted comments on the proposed privacy rule, we did not have an 
opportunity to comment on this major new provision because it was not 
in the proposed rule. In fact, in the Preamble to the proposed rule, 
the Department of Health and Human Services (``HHS'') went to great 
lengths to explain why a consent requirement was unworkable and 
therefore rejected.\1\ In that regard, we strongly support 
HHS' original approach. We question whether HHS's deviation from its 
previously stated intent can be supported under the Administrative 
Procedures Act. As now codified, the consent and authorization 
provisions in the final privacy rule raise serious procedural and 
practical issues that were not subject to prior public comment.
---------------------------------------------------------------------------
    \1\ See Preamble to the proposed privacy rule, Section 164.506(a), 
page 59940, Federal Register, Volume 64, No. 212. For example, HHS 
stated that:
    ``Our proposal [to permit covered entities to use and disclose 
protected health information without individual authorization for 
treatment, payment purposes, and health care operations purposes] is 
intended to make the exchange of protected health information 
relatively easy for health care purposes and more difficult for 
purposes other than health care. For individuals, health care treatment 
and payment are the core functions of the health care system. This is 
what they expect their health information will be used for when they 
seek medical care and present their proof of insurance to the provider. 
Consistent with this expectation, we considered requiring a separate 
individual authorization for every use or disclosure of information but 
rejected such an approach because it would not be realistic in an 
increasingly integrated health care system. For example, a requirement 
for separate patient authorization for each routine referral could 
impair care, by delaying consultation and referral, as well as 
payment.''
---------------------------------------------------------------------------
    The prior consent requirement as promulgated in the final rule may 
unintentionally compromise the delivery of health care in the following 
ways:

<bullet> We will not be able to use patient information to schedule 
        appointments, send appointment reminder letters, answer 
        questions about treatment or medications when patients call, or 
        conduct similar ongoing treatment and health care operations 
        activities until we have a signed consent from every patient on 
        file. We do not currently obtain consents for the use or 
        disclosure of patient information for these purposes and are 
        not required to do so by Wisconsin law. We do obtain consent 
        prior to the release of records outside our system.
<bullet> Physicians may not be able to order a prescription and 
        pharmacists may not be able to fill or refill a prescription 
        without a prior written consent from the patient. This could be 
        especially harmful to our elderly and disabled patients who 
        often send a relative or neighbor to pick up their 
        prescriptions. This requirement may disrupt care for many of 
        our elderly patients who are ``snow birds'' when they call from 
        other states to refill their prescriptions. For some patients 
        this may be a mere inconvenience but for others the prior 
        consent requirement may prove dangerous. We do not currently 
        obtain consents for the use or disclosure of patient 
        information for these purposes and are not required to do so by 
        Wisconsin law.
<bullet> Marshfield Clinic has developed innovative preventative health 
        care measures such as an immunization registry (Regional Early 
        Childhood Immunization Network or ``RECIN''). RECIN is a 
        computer program that allows the sharing of immunization 
        information between and among providers and public health 
        departments. RECIN allows providers to have electronic access 
        to a child's immunization history including any alerts or 
        reactions to immunizations. Such access minimizes the 
        possibility of over-immunization and potentially severe 
        allergic reactions. Equally important, access to this 
        information allows public health personnel to target children 
        who have not been immunized. As a consequence of this program, 
        Marshfield Clinic and concerned public agencies have been able 
        to increase childhood immunization rates from 67% to 92% in 
        Wood County alone. We hope for similar results throughout the 
        region, but these will never be achieved under the constraints 
        of the final privacy rule. Although Wisconsin law does not 
        require prior consent for the release of immunization records, 
        Marshfield Clinic has implemented a process to permit parents 
        to decline to have their children participate in the RECIN 
        registry and to receive immunization reminder letters. To 
        comply with the final privacy rule, it appears that we will 
        have to have a signed consent on file (that permits the use or 
        disclosure of patient information for treatment, payment, or 
        health care operations) from every parent before providers may 
        use or disclose that parent's child's immunization information 
        in RECIN. Although section 164.512 states that a written 
        consent (or authorization or opportunity for the individual to 
        agree or object) is not required for uses and disclosures for 
        public health activities, this exception is limited to 
        disclosures to and uses by a public health authority. If the 
        use or disclosure of preventative health data falls within the 
        definitions of ``treatment'' or ``health care operations,'' 
        prior written consent must be obtained. This requirement may 
        actually harm patients rather than protect them and impede the 
        achievement of the federal Healthy People 2010 objective 14-26, 
        which has as its target the enrollment of 95% of children under 
        age 6 in population based immunization registries.
    Implementation of the prior consent requirement will be an 
administrative burden for the following reasons:

<bullet> We will have to obtain a one-time consent from patients to use 
        or disclose their health information for treatment, payment, or 
        health care operations purposes. While implementing this 
        requirement in hospitals may be readily achievable (since 
        hospitals typically obtain an admitting consent from patients), 
        most group medical practices do not have a comparable process 
        for obtaining this type of consent. We wonder when and where 
        patients would sign such a consent document? To achieve 100% 
        compliance with this requirement the Marshfield Clinic would be 
        compelled to obtain signatures from patients who come to the 
        Clinic from every state in the nation. It might also be 
        necessary to re-configure patient flow processes to assure that 
        all patient consents are captured uniformly. An alternative to 
        implementing an admitting-type consent would be to amend 
        existing consent forms to include the use or disclosure of 
        patient information for treatment, payment, or health care 
        operations. This would involve the time-consuming task of 
        taking an inventory of the consent forms we currently use and 
        amending these forms to comply with the consent requirements of 
        the final privacy rule.
 We will have to develop a consent form and notice for 
        patients. The notice requirements of the final privacy rule 
        will require many pages of information about how we use and 
        disclose patient information (for example, the model notice 
        developed by the American Hospital Association is 9 pages 
        long). The consent and notice will have to be written in terms 
        sufficiently simple to be comprehensible to our patients, a 
        task which may be impossible due to the complexity and sheer 
        volume of the notice (it has taken our physicians and legal 
        staff months to interpret these provisions). We will have to 
        explain the consent and notice to each patient. We wonder who 
        will explain these forms to our patients. We suspect that we 
        will need to hire and train informed consent counselors who 
        must staff our regional centers on a full time basis. 
        Explaining the meaning and significance of the consent document 
        may add as much as 30 minutes to the duration of each new 
        patient visit. Will this time be reimbursable? We see several 
        hundred new patients every day, many of whom come through 
        urgent care centers. Our providers already face time 
        constraints in obtaining consents for treatment and explaining 
        the attendant risks. The length and complexity of this notice 
        will ensure that our medical assistants and appointment 
        coordinators will not be able to explain it to patients in 
        addition to their normal responsibilities. Moreover, due to the 
        length and complexity of the notice and in direct contradiction 
        to the purpose of the notice requirement, it seems unlikely 
        that patients will actually be able to make an informed 
        decision. The notice will have to be made available to every 
        patient before consent for the use or disclosure of patient 
        information for treatment, payment, or health care operations 
        may be obtained.
    Our estimate of the direct cost of this requirement:

350,000 unique patients per year @ 0.50 Hr/Patient = 175,000 hours
which is equivalent to 103 full-time employees at 1700 hours per year
103 FTEs @ $25,000/EMPLOYEE = $2,575,000 in direct personnel costs to 
gather consents in the first year.

    We are uncertain about the indirect costs associated with 
producing, distributing, and tracking consents. Children and other 
patients in legal guardian arrangements are included in our patient 
population but we remain uncertain about the additional complexity this 
will impose.

 The notice will have to be changed, reprinted, and staff 
        retrained whenever we change our privacy practices. We will 
        have to inform patients about how they may obtain a revised 
        notice. All of these mandates will require us to devote 
        enormous time and resources to develop an implementation 
        process.
 The consent must be signed, kept on file and tracked. We will 
        need to develop a system to track consents to determine whether 
        we may use or disclose patient information for treatment, 
        payment or health care operations purposes and to ensure that 
        patients are not approached to sign a consent more than once. 
        We will need to develop new information systems to coordinate 
        the implementation and tracking of consents and notices with 
        other requirements imposed by the final privacy rule such as 
        authorizations and disclosures. The Marshfield Clinic presently 
        tracks all authorized disclosures, but only a small amount of 
        this information is tracked electronically. We also maintain an 
        electronic log of every instance when a medical record is 
        accessed. It is operationally very challenging to program 
        accurate use categorizations for every instance of access. The 
        software engineering involved in tracking all disclosures will 
        require new fields and data capture, vastly expanding the 
        storage volume of each record. This requirement will 
        significantly add to the capitalization requirements and annual 
        operating costs of our information system.
 A consent for uses and disclosures to carry out treatment, 
        payment, or health care operations must state that the patient 
        has the right to revoke the consent in writing, except to the 
        extent that the covered entity has taken action in reliance 
        upon the consent. What happens if a patient gives permission 
        for treatment but subsequently revokes his or her consent? 
        Consider the following circumstance: a patient signs a consent, 
        and then undergoes surgery; a complication occurs; the patient 
        hires a lawyer; the lawyer requests all medical records, and 
        sends an authorization that revokes all prior consents and 
        authorizations. We have the following questions: May we send 
        the patient's insurance company a bill for the services? May we 
        do peer review? What if the patient was seen for heart 
        palpitations, and revokes his consent after the service was 
        provided? Shortly thereafter, the patient is brought to the 
        emergency room in congestive heart failure. May we look at the 
        previous records? Will we have to remove the patient's 
        information from all of our electronic files to ensure that the 
        information is not used for treatment, payment, or health care 
        operations purposes?
 A single patient encounter may produce data in multiple 
        information systems. A purge of the patient's health 
        information from the electronic files in these systems would 
        require a file-by-file manual process. This would also result 
        in throwing our billing books out of balance. A report of the 
        number of patients seen, charges and revenues generated, etc. 
        would be in error. Lack of accurate information may cause us to 
        violate existing requirements for Medicare reimbursement and 
        accreditation agencies.
 Some of our electronic files do not readily support removal of 
        data. How will we be able to prevent use of the patient's 
        information in these files after a patient has revoked consent? 
        To add to the confusion, what if a patient revokes consent to 
        use or disclose only part of his/her health information? A full 
        or partial revocation will impact our peer review activities 
        thereby interfering with our quality improvement and quality 
        assessment activities. All our staff rely upon accessing 
        patient information electronically. It is unlikely that our 
        staff would understand all of the exception steps that would be 
        required to deal with patients who refused to sign the consent. 
        Clinic costs to handle appointments, documentation, and billing 
        in a fully manual mode for patients would run $30-100 per 
        encounter. Clearly the Clinic would prefer not to refuse 
        service to people who do not sign the consent. In some rural 
        Wisconsin counties, all physicians are members of the 
        Marshfield Clinic. How would these people receive care?
 The lack of adequate transition rules for the prior consent 
        requirement raises the possibility of severe disruptions in the 
        delivery of health care to patients in April 2003. In two 
        years, a health care provider will not be able to use or 
        disclose patient information for treatment, payment, or health 
        care operations without a signed consent form on file. That 
        consent form must state that permission was given for the use 
        or disclosure of information for treatment, payment, or health 
        care operations. Our existing consent forms do not address 
        these in specific terms. Logistically, it will be impossible to 
        have a consent on file for all of our patients by the 
        compliance date.
    Even for an entity like Marshfield Clinic with an integrated health 
care system and sophisticated electronic medical record, the 
implementation costs associated with the prior consent requirement will 
be enormous. The start-up costs for compliance with the regulation will 
increase our ongoing overhead. For example, the single task of 
reviewing and analyzing the final privacy rule over a 2 month period 
has cost the Marshfield Clinic approximately $15,000 in personnel time. 
Rather than going toward patient care, preventative health care 
measures, or quality improvement, these costs will go toward compliance 
with administrative burdens imposed by the final privacy rule that do 
not improve the confidentiality of medical information and perhaps 
detract from patient care. For these reasons, we urge HHS to eliminate 
the prior consent requirement from the final privacy rule.
The Minimum Necessary Standard
    Sections 164.502(b) and 164.514(d) require that, when using or 
disclosing protected health information or when requesting protected 
health information from another covered entity, covered entities (i.e., 
providers, plans and clearinghouses) make reasonable efforts to limit 
protected health information to the minimum necessary to accomplish the 
intended purpose of the use, disclosure, or request. The minimum 
necessary standard does not apply to disclosures to or requests by a 
health care provider for treatment. As ``protected health information'' 
is defined in section 164.501, this standard applies to patient 
information in any form (oral or written) or medium (paper or 
electronic).
    We are pleased that the minimum necessary standard does not apply 
to disclosures to a health care provider for treatment purposes. This 
represents a significant improvement over the initial approach of the 
proposed rule. Nevertheless, we need clarification as to whether the 
minimum necessary standard applies to the use of patient information by 
a health care provider for treatment purposes. In section 164.501 of 
the final privacy rule, ``use'' is defined as ``the sharing, 
employment, application, utilization, examination, or analysis of such 
[i.e., individually identifiable health information] information within 
an entity that maintains such information.'' We are gravely concerned 
that this exception appears to exclude uses of patient information for 
treatment purposes. Limiting the ability of teams of health 
professionals and trainees (such as residents and medical students) 
within an integrated health care system to use a patient's entire 
medical record could be disruptive and dangerous. Similarly, oral 
communications between health care professionals in the course of 
treatment are an important part of the coordination of care. The 
omission of critical information that could result from the application 
of the minimum necessary standard to such uses and communications could 
place the patient in jeopardy. We strongly urge HHS to exclude both 
disclosures and uses by providers for treatment from the minimum 
necessary standard.
    Another concern we have with the minimum necessary standard is the 
lack of an objective standard to guide providers in their 
implementation efforts. We do not know what constitutes ``reasonable 
efforts'' to limit information to the minimum necessary. In the 
Preamble to the final privacy rule, HHS explains that ``the policies 
and procedures [to limit access] must be based on reasonable 
determinations regarding the persons or classes of persons who require 
protected health information, and the nature of the health information 
they require, consistent with their job responsibilities. For example, 
a hospital could implement a policy that permitted nurses access to all 
protected health information of patients in their ward while they are 
on duty.'' Consistent with its commitment to protect patient privacy, 
Marshfield Clinic has long had confidentiality policies limiting access 
to patient information based on job responsibilities. Access to 
patients' electronic medical records is granted to a staff member only 
if their job responsibilities require this access. Because it is not 
possible to know which patients a staff member needs to access, they 
have access to all patients' records. (In compliance with Wisconsin 
law, some information relating to psych patients has further 
restrictions to access.) The Clinic follows a need-to-know policy, and 
it is a violation of the policy to access a patient's record without a 
need to know. All electronic accesses are electronically logged and 
violators of Clinic policy have been terminated from employment at the 
Clinic. Since Marshfield Clinic has such a system, will a policy 
approach to limit access, without accompanying electronic restrictions, 
be deemed ``reasonable'' under the final privacy rule? Our electronic 
system is not set up to handle electronic restrictions and adding this 
capability to our system would be cost prohibitive. In addition, some 
employees presently perform multiple functions and may have access to 
the patient record during one activity but would be denied it during 
another. Many providers see patients in multiple sites on a changing 
schedule. Their staff either travel with them or are reassigned at 
their site. It is not unusual for one employee to work in two or three 
locations within the course of a week, and sometimes in the course of 
one day. They may even change job roles--for example a medical 
assistant filling in as a receptionist, appointment coordinator or 
phlebotomist. Modifying their ability to access patient information as 
they move will require additional security staff and verification by a 
manager to confirm that it needs to be done. This will also result in 
delays, as an employee arrives at a new location and cannot do their 
job until their rights are approved and changed in the computer system. 
In such situations will we have to restructure the tasks or hire 
additional personnel? The reconfiguration of administrative processes 
is not accounted for in HHS cost estimates for implementing the privacy 
regulation. We request that HHS provide an objective standard to guide 
providers in their implementation efforts with the minimum necessary 
standard.
    We also see problems in the rule for psychotherapy notes that 
contemplates use of the note only by the originator of the note or for 
use in training programs. This does not represent the way mental health 
care is delivered in integrated systems of care: by a team of 
professionals, often in multi-disciplinary staffing arrangements (e.g., 
psychiatrist, psychologist, social worker, psychiatric nurse). These 
would not likely be training programs; these individuals are generally 
all on staff. This provision also does not seem to allow use by the 
psychiatrist on call, a very dangerous proposition. For use by others 
on the treatment team who are not the originator of the note, we would 
need the patient's authorization (which the patient may refuse to 
provide and we may not condition treatment on provision of an 
authorization).
    We have identified numerous problems in other provisions of the 
final privacy rule. However, we chose to focus on the prior consent 
requirement and the minimum necessary standard to highlight the most 
serious consequences that will result from implementation of the final 
privacy rule. We anticipate that the reworking of all business 
associate contracts, the development of internal policies and 
procedures to comply with the privacy regulation, and the training of 
all employees in privacy policies will be costly, time consuming, and 
administratively complex.
    In summary, we believe that the final privacy rule, as presently 
written, threatens to disrupt patient care and unnecessarily divert 
time and resources from Marshfield Clinic's foremost priority of 
treating patients. We therefore respectfully request that Congress 
direct HHS to reevaluate the final privacy rule and revise the 
troublesome provisions.
    Thank you for considering our views.

    Mr. Bilirakis. Thank you very much, Dr. Melski.
    Dr. Appelbaum.

                   STATEMENT OF PAUL APPELBAUM

    Mr. Appelbaum. Mr. Chairman, I am Paul Appelbaum, M.D., 
vice president of and testifying on behalf of the American 
Psychiatric Association, a medical specialty society 
representing more than 40,000 psychiatric physicians 
nationwide. I am professor and chair of the Department of 
Psychiatry at the University of Massachusetts Medical School 
where I treat patients and oversee our department's biomedical 
and health services research.
    Chairman Bilirakis, and Ranking Member Brown, I would like 
to thank you for the opportunity to testify today. We recognize 
that there is still work to be done with the HIPAA regulations 
to improve their protection of patient privacy. At the same 
time, we believe that any delay in implementation is contrary 
to the health needs of the American people. Regrettably, the 
centrality of confidentiality to high-quality health care is 
often overlooked. Some patients refrain from seeking medical 
care or drop out of treatment in order to avoid the risk of 
disclosure of their records, and some patients simply will not 
provide the full information necessary for successful 
treatment.
    Patient privacy is particularly critical in ensuring high-
quality psychiatric care. Accordingly, the APA recommends that 
at the close of the comment period, the administration not delay 
implementation but, rather, use its regulatory authority to 
respond appropriately to comments. And we suggest this 
notwithstanding our concerns detailed below.
    In our view, the final privacy regulations are an important 
step toward protecting patient privacy, because the regulations 
ensure, among other positive provisions, non-preemption of more 
privacy protective State laws:
    A rule that psychotherapists' notes may not be disclosed 
without the patient's specific authorization.
    A requirement that the entire medical record not be used in 
cases where a portion of the record will suffice; that is, the 
``minimum amount necessary'' requirement.
    However, it is clear that in several places, these 
regulations fall short of adequate protection for patient 
privacy. Let me offer you four examples, and there are others 
cited in our written testimony.
    First, holders of medical information should be required to 
obtain meaningful consent from patients before their medical 
record can be disclosed for treatment, payment, or health care 
operations. In this regard, we are concerned about blanket 
consent at the time of entry into a health plan. This blanket 
consent means a patient is authorizing subsequent disclosures 
of personal information without knowing the type of information 
to be disclosed or who will receive the information.
    Second, a significantly narrower definition of the 
information that may be released for payment purposes is 
needed. Excessive demands by payers for access to patients' 
medical information, which often include requests for entire 
patient records for which there is no legitimate need, should 
not be allowed. We ought to bring the interested parties 
together to work out an objective standard for the necessary 
information.
    Third, additional protections consistent with the Supreme 
Court's Jaffee v. Redmond decision for mental health and other 
particularly sensitive medical record information are 
essential. Language needs to be added to extend the 
regulations' psychotherapy privacy protections to all 
psychiatric information, including information that is part of 
the patient's medical record. Currently only psychotherapy 
notes outside the record would receive special protection under 
these regulations.
    Fourth, we also want all Americans to be free from 
unreasonable police access to their most personal medical 
record information. Under these regulations law enforcement 
agents could simply issue written demands to doctors, hospitals 
and insurance companies to obtain patient records without 
judicial review. A separate provision would allow for the 
release of medical record information any time the police are 
trying to identify a suspect. This broad exception would allow 
computerized medical records to be sifted through by the police 
looking for matches for blood or other traits.
    We believe that the same constitutional protections, that 
is a Fourth Amendment probable cause standard including 
independent judicial review for all requests, should apply to a 
person's medical history as applies to their household 
possessions.
    We also have concerns about the administrative burdens 
placed on practitioners. At a minimum, similar to small health 
plans, small physician offices should be allowed 36 months for 
compliance to spread the costs over a longer period of time, 
and responsibility for violation of the regulations by business 
associates clearly needs to be rethought.
    In conclusion, we believe the privacy regulations are very 
much needed, but at the same time believe that some provisions 
are inadequate to protect our patients. Yet our biggest concern 
is that certain parties who are disappointed at how protective 
these regulations are of patient privacy will, in support of 
their own interests, be arguing for surrendering many of the 
protections that patients have just gained.
    To preclude diminution of medical record privacy 
protections, we recommend that the Secretary use his regulatory 
authority after the close of the comment period to work with 
the stakeholders' representatives to find an appropriate 
solution to the problems identified.
    We thank you for this opportunity to testify, and we look 
forward to working with the committee on medical records 
privacy issues.
    [The prepared statement of Paul Appelbaum follows:]

    PREPARED STATEMENT OF PAUL APPELBAUM, VICE PRESIDENT, AMERICAN 
                        PSYCHIATRIC ASSOCIATION

    Mr. Chairman, I am Paul Appelbaum, M.D., Vice President of and 
testifying on behalf of the American Psychiatric Association (APA), a 
medical specialty society representing more than 40,000 psychiatric 
physicians nationwide. I am Professor and Chair of the Department of 
Psychiatry at the University of Massachusetts Medical School. I 
frequently treat patients, and I also oversee the Department's 
biomedical and health services research including medical records based 
research.
    Chairman Bilirakis and Ranking Member Brown, I would like to thank 
you for the opportunity to testify today. I would also like to thank 
the members of the Committee, Representatives Greenwood and Waxman, who 
have focused the Committee's attention on medical records privacy.
    Privacy and particularly medical records privacy is an issue all 
Americans are concerned about. I thank you for your continued 
commitment to protecting medical records privacy and for holding this 
hearing on the recently released Medical Privacy Regulation.
    We recognize there is still work to be done to overcome 
implementation obstacles to achieve compliance if these regulations are 
to appropriately serve the needs of the American people. At the same 
time please know that any delay in the implementation date is contrary 
to the health needs of the American people.
    Regrettably, it is often overlooked that confidentiality is an 
essential element of high quality health care. Some patients refrain 
from seeking medical care or drop out of treatment in order to avoid 
any risk of disclosure of their records. And some patients simply will 
not provide the full information necessary for successful treatment. 
Patient privacy is particularly critical in ensuring high quality 
psychiatric care.
    Both the Surgeon General's Report on Mental Health and the U.S. 
Supreme Court's Jaffee v. Redmond decision conclude that privacy is an 
essential requisite for effective mental health care. The Surgeon 
General's Report concluded that ``people's willingness to seek help is 
contingent on their confidence that personal 
revelations of mental distress will not be disclosed without their 
consent.'' And in Jaffee, the Court held that ``Effective psychotherapy 
depends upon an atmosphere of confidence and trust . . . For this 
reason the mere possibility of disclosure may impede the development of 
the confidential relationship necessary for successful treatment.''
    Accordingly, the APA recommends at the close of the comment period 
the Administration move forward with the publication of the regulations 
and not delay the implementation date but rather use their regulatory 
authority to respond appropriately in the public interest and to 
protect the privacy of the medical record. And we suggest this 
notwithstanding our concerns that we believe changes in the provisions 
on mental health records are critically needed to ensure the delivery 
of effective mental health care, or other comments that may be 
submitted.
    The regulations should be implemented, then after the comments have 
been reviewed by HHS the ``stakeholders'' can be brought together, and 
we can secure the necessary stronger protections to advance patient 
privacy which we as physicians believe that our patients and our 
families need.
    While the APA is concerned that some provisions are inadequate to 
protect patients and that some administrative requirements are 
unnecessarily complex, the final privacy regulation is an important 
first step toward protecting patient privacy because the regulation 
ensures:

 the general rule of non-preemption of more privacy protective 
        state laws
 a higher level authorization is required for any use or 
        disclosure of psychotherapy notes, and most importantly 
        psychotherapy notes may not be disclosed without the patient's 
        specific authorization
 the requirement that the entire medical record not be used in 
        cases where a portion of the record will suffice, i.e. the 
        ``minimum amount necessary'' requirement. Physicians can cite 
        this provision when dealing with unreasonable health plan 
        requests for information.
 the requirement that an entity must notify enrollees no less 
        than once every three years about the availability of the 
        notice of privacy policies and how to obtain a copy of it
 extension, in many circumstances, of federal ``common rule'' 
        research protections to privately funded research
 the right to request restrictions on uses or disclosures of 
        health information (such as requesting that information not be 
        shared with a particular individual)
 the right to request that communications from the provider or 
        plan be made in a certain way (such as prohibiting phone calls 
        to an individual's home)
 the right to inspect and copy one's own health information 
        with the exception of psychotherapy notes and when the access 
        is reasonably likely to endanger the life and physical safety 
        of the individual or another person
 the right of patients to be provided documentation on who has 
        had access to this information and the right to request 
        amendment to the record if it contains incorrect information
    Health care plans and clearinghouses must be required to obtain an 
individual's meaningful consent before their medical record can be 
disclosed for treatment, payment, or other health care operations; it 
should not be limited only to providers. Patients should be able to 
choose who will see their medical records. In this regard, we are 
concerned about blanket consent at the time of entry into a health 
plan. This blanket consent means a patient is authorizing subsequent 
disclosures of personal information without knowing the type of 
information allowed to be disclosed, or who can receive this 
information. While the regulations allow the patient to revoke this 
consent, the regulations do not protect the patient from being 
dismissed from the plan for doing so. The patient should have the 
ability to revoke the consent at any time. The APA feels the rule does 
not adequately provide this patient protection.
    Currently, most hospitals ask patients to sign a consent form for 
treatment and payment. Excessive demands by payers for access to 
patients' medical information, which often amount to requests for 
entire patient records, should not be allowed. The demands routinely 
include information for which there is no legitimate need for payment 
purposes. A significantly narrower definition of the information that 
may be released for payment purposes is needed to protect patient privacy. 
We need to bring the interested parties together to work out an 
objective standard for the information that is needed, not a subjective 
standard.
    Patients should have the right to consent to--or refuse--
participation in disease management programs. In addition, an 
individual's enrollment or costs should not be affected if he or she 
declines to participate in a plan's disease management program. We 
oppose any disclosures of health information for disease management 
activities without the coordination and cooperation of the individual's 
physician. Yet, there is no such requirement in the final rule. We 
believe ``disease management'' needs to be defined narrowly, in order 
to prevent inappropriate use and disclosure (for example for marketing 
purposes) of health information without the patient's consent.
    The APA is concerned about the disclosure of medical records for judicial and 
administrative proceedings. Patients will lose some existing privacy 
protections because the current practice of hospitals and doctors, 
generally requiring patient consent and/or notice before disclosure, 
will change as a result of the regulation. Patients' ability to decide 
when their medical record information will be disclosed outside the 
health system will be reduced.
    For example, currently when hospitals or doctors receive a request 
for a medical record from an attorney for civil and administrative 
purposes, they will generally not disclose medical records information 
without notice to the patient and/or the patient's consent. But the new 
regulation would allow providers to disclose medical records 
information to attorneys who write a letter ``certifying that the . . . 
information requested concerns a litigant to the proceeding and that 
the health condition of such litigant is at issue''. These procedures 
provide no check on attorneys' behavior in requesting records of 
marginal relevance to a case or for the purpose of embarrassing or 
intimidating opposing parties. Once the information is disclosed, the 
damage is done; post hoc remedies cannot restore parties' privacy.
    The APA is very concerned about a marketing and fundraising 
loophole that exists in the regulation. A patient's authorization is 
not needed to make a marketing communication to a patient if: it occurs 
face-to-face; it concerns products or services of nominal value; and it 
concerns the health-related products and services of the covered entity 
or of a third party and meets marketing communication requirements. For 
example, a marketer could knock on the door of a pregnant woman and try 
to sell her a product or service. Under the fundraising loophole a 
covered entity may use or disclose patient's demographic information 
and dates of health care to a business associate or to an 
institutionally related foundation, without a patient's authorization. 
We are aware the covered entity must include in any fundraising 
materials it sends to a patient a description of how the patient may 
opt out of receiving any further fundraising communication. However, 
the APA maintains that the patient should be asked for consent before 
the fundraising communication is sent. For example, a commercial 
fundraising organization for a health facility could use confidential 
information about a Governor being a patient at that facility without 
the Governor's consent for use in their fundraising. The APA is 
particularly concerned about the need for sensitivity with psychiatric 
patients' names. Commercial fundraisers should not be allowed to take 
advantage of patients especially those with mental illness.
    We strongly believe that personal health information should never 
be shared for the purposes of marketing or fundraising without the 
patient's informed consent and are disappointed that the rule only 
permits an ex post facto withdrawal of consent after the marketing and 
fundraising damage has occurred. There is an easy solution, merely 
require the fundraising endeavors to have a patient consent (opt in) 
before the activity occurred rather than the regulation's authorizing 
the patient to opt out of any further fundraising endeavors.
    Additional protections consistent with the Supreme Court's Jaffee 
v. Redmond decision for mental health and other particularly sensitive 
medical record information are essential. Without such additions the 
protections essential for effective mental health care will be lost. 
This is necessary until all medical records enjoy a level of protection 
so that no additional protections are needed for psychiatric or other 
sensitive information. In fact, the U.S. Supreme Court recognized the 
special status of mental health information in its 1996 Jaffee v. 
Redmond decision and ruled that additional protections are essential 
for the effective treatment of mental disorders.
    APA believes that the rule allows for the use and disclosure of far 
too much information without the patient's consent. We also believe 
that language needs to be added to clarify that the amendment's privacy 
protections cover treatment modalities broader than psychotherapy (and 
indeed virtually all psychiatric information) and also cover 
information that is part of the patient's medical record. The 
regulations change the current standard of practice relevant to the 
psychotherapy documentation. There is a new requirement for keeping a 
second set of records, which most psychiatrists do not now do, and 
which will result in increased time, difficulty, and cost associated 
with record keeping.
    We also want all Americans to be free from unreasonable police 
access to their most personal medical record information. The 
Administration's proposal falls short in this area. Under these 
regulations law enforcement agents would simply issue written demands 
to doctors, hospitals and insurance companies to obtain patient 
records, without needing a judge to review the assertions. We are also 
very concerned by the separate provision that would allow for the 
release of medical record information anytime the police are trying to 
identify a suspect. This broad exception would allow computerized 
medical records to be sifted through by police to seek matches for 
blood, DNA or other health traits. In addition, the provision that 
allows disclosure on the basis of an administrative subpoena or 
summons, without independent judicial review, is particularly 
troublesome.
    We believe that the same constitutional protections (a Fourth 
Amendment probable cause standard including independent judicial review 
for all requests) should apply to a person's medical history as applies 
to their household possessions.
    The business associate provisions of the proposed regulation result 
in overly broad physician liability, and the regulations also need to 
be reconsidered in light of the need to limit the administrative burden 
on physicians who practice independently or in small practices. The 
rule identifies most health care related entities other than 
physicians, providers, health plans, and health data clearinghouses as 
``business partners'' of physicians, which could only be held to the 
confidentiality standards of the regulation through contracts with the 
covered entities, such as physicians. In essence this enormous 
regulatory framework will be achieved largely through the inappropriate 
liability placed upon physicians.
    A covered entity will have a new duty to mitigate any known harmful 
effects of a violation of the rule by a business associate. This duty 
may, in effect, compel covered entities to continue to monitor 
activities of business associates anyway. It is not clear if a psychiatrist, for 
example, could be held accountable for prohibited activity by its 
business associate, if the psychiatrist should have known of the 
prohibition. For purposes of the rule, actions relating to protected 
health information of an individual undertaken by a business associate 
are considered to be actions of the covered entity. Therefore even 
though covered entities may avoid sanctions for violations by business 
associates if they discover the violation and take the required steps 
to address the wrongdoing, they may be vulnerable to a negligence 
action. APA believes these provisions present the potential for overly 
broad liability for physicians who, themselves, are complying with the 
regulation's requirements.
    It is not unreasonable to expect that some additional burdens will 
fall on physicians as part of efforts to increase patient privacy. 
However, the level of administrative burden currently contained in 
these regulations is not equitably distributed. Particularly important 
is expanding the concept of scalability so that the administrative 
burden on physicians in solo or small practices will be manageable, 
taking into consideration their limited resources and staffing. As I 
discussed, the regulatory framework of this regulation relies too 
heavily on physician liability. If indeed it is the framework by the 
Secretary that is enacted through regulation or through congressional 
action, we could not support providing individuals with a private right 
of action.
    The special rules in the specialized government functions are 
overly broad and do not provide adequate procedural protections for 
patients. Except in very narrow circumstances the consent of the 
individual should be the rule for the use and disclosure of 
governmental employees' medical records information. We also note that 
intelligence agencies and the State Department are not even required to 
publish a rule, subject to public comment, defining the scope and 
circumstances of their access to medical records. Particularly 
objectionable are the provisions allowing broad access without patient 
consent for use and disclosure of medical records of Foreign Service 
personnel and their families.
    The APA believes the estimated costs imposed on small 
psychiatrists' offices for the first year of $3,703 and consecutive 
years of $2,026 seem unrealistically low. Psychiatrists will experience 
significantly higher costs and will have a heavy administrative burden, 
such as getting satisfactory assurances from a business associate 
through a written contract, keeping psychotherapy notes separate and 
locked away from the rest of the psychiatric record, and providing 
written notice of their privacy practices to their patients. Similar to 
small health plans, small physician offices should be allowed to have 
36 months for compliance to spread the cost over a longer period of 
time.
    A clarification is needed on the privacy official provision. For 
example, can a psychiatrist who does not have any staff serve as the 
privacy official? If a privacy official makes a mistake will only the 
privacy official be liable?
    In conclusion, we believe the privacy regulations are very much 
needed but at the same time believe some provisions are inadequate to 
protect our patients. Yet, our gravest concern is that certain parties 
that were disappointed at how protective these regulations are of 
patient privacy will, in support of their own interests, be arguing for 
surrendering many of the protections that patients have just gained. In 
order to ensure that interested stakeholders' regulatory comments do 
not diminish medical record privacy protections we recommend that the 
Secretary not only receive all interested stakeholders' (such as 
insurers, providers, health care clearinghouses, and consumer groups) 
comments, but use his regulatory authority after the close of the 
comment period to work with the stakeholders' representatives to find 
solutions. Moreover, the regulation's preamble says ``the privacy 
standards are consistent with the objective of reducing the 
administrative costs of providing and paying for health care''.
    We of course encourage the Administration to stand firm on these 
issues and support strong protection of medical record privacy. 
Secretary Thompson has stated that he would ``put strong and effective 
health privacy protection into effect as quickly as possible.'' We hope 
the Administration keeps their promise to the American people.
    We thank you for this opportunity to testify, and we look forward 
to working with the Committee on medical records privacy issues.

    Mr. Bilirakis. Thank you very much, Dr. Appelbaum.
    To introduce the next witness to us on behalf of himself 
and also on behalf of his Congressman Pat Kennedy, the Chair 
recognizes Mr. Brown.
    Mr. Brown. Thank you, Mr. Chairman.
    Congressman Kennedy was up here a moment ago and wanted to 
stay and introduce Carlos Ortiz, who also I have worked with 
for some years on prescription drug issues. And Congressman 
Kennedy had to go to another hearing, but he wanted to extend 
his wishes to you and thanks for joining us.

                  STATEMENT OF CARLOS R. ORTIZ

    Mr. Ortiz. Thank you, Congressman Brown.
    Mr. Chairman and other members of the subcommittee, my name 
is Carlos Ortiz, and I am director of government relations for 
CVS Pharmacy, and I am also a pharmacist. I very much 
appreciate this opportunity to testify before the subcommittee 
today on the impact of the recent Federal privacy regulations 
on community pharmacies and the patients we serve.
    As the largest private pharmacy provider in the Nation, CVS 
operates almost 4,100 pharmacies in 32 States and through our 
Internet CVS.com in all 50 States. In 2001, we will provide an 
estimated 325 million prescriptions to approximately 40 million 
patients. CVS operates 278 pharmacies in the districts of the 
subcommittees--districts of the members of the subcommittee.
    CVS wants to reiterate our commitment to strong Federal 
standards with State preemption to protect the privacy of 
medical records. CVS believes that the new Federal privacy 
standards that are developed, whether through statute or 
regulation, must ensure that patients can obtain prescription 
services in a timely and efficient manner.
    Unfortunately some aspects of the new final rules are 
unworkable and will have unintended consequences for patients 
and pharmacies. We support Secretary Thompson's action to seek 
further comments on the final regulation. Many provisions in 
the final rule were not included in the proposed rule and thus 
not fully vetted.
    I think most people understandably want to have their 
prescriptions filled as quickly as possible. No one wants to 
spend more time in a pharmacy than they need to when they are 
not feeling well. And it is important to start drug therapy as 
soon as possible. However, a new requirement in the final rule 
which was not in the proposed rule would require direct 
treatment providers such as pharmacists to obtain signed 
written consent from the patient before they can use the 
patient's information to provide treatment or seek payment. 
That is, pharmacies cannot fill or begin the process of filling 
prescriptions before the patient's signed written consent is on 
file. This will increase waiting times, inconvenience patients, 
and negatively impact the quality of care.
    Currently no State law requires pharmacies to obtain 
written consent from patients, so this requirement represents a 
fundamental change in how patients interact with the pharmacies 
and how pharmacies interact with patients. We believe in the 
concept of statutory authorization; that is, the presentation 
by the patient of a prescription to the pharmacy demonstrates 
sufficient consent for the pharmacy to use the patient's 
information to provide the medication and bill for payment. We 
assume the patient--if the patient did not want the 
prescription filled or refilled, he or she would not take it to 
that pharmacy or have the physician call it in to that 
pharmacy.
    You should know that approximately 40 percent of all 
prescriptions are dropped off and picked up by someone other 
than the patient. Problems will result when the patient's 
representative shows up at the pharmacy and finds that because 
a signed written consent was not on file, they have to go back 
to the patient's home, have the consent signed, and then drive 
back to the pharmacy and wait and have the prescription filled.
    I would venture that this is a prescription for chaos. We 
believe it will cost us at least $60 million to communicate in 
writing with our 40 million patients about the need to have a 
prior consent on file prior to the effective date of the final 
rule if they are to go on and continue to receive prescription 
service uninterrupted.
    Additionally, the oral communications, having the prior 
consent apply to oral communications, provides very certain 
barriers to the ability of the pharmacist to provide 
information concerning nonprescription medication. Imagine a 
customer coming in, who is not a regular pharmacy patient, 
indicating to you that they are diabetic and would like a 
sugar-free cough syrup, and you have to tell them, sorry, 
before I can take that information and use it and provide you 
with information concerning a proper cough syrup for your use, 
I am going to need a written consent from you because you are 
not one of my regular pharmacy patients.
    At a time of pharmacist and staffing shortages, these added 
costs will go toward patient--will not go toward patient care, 
quality improvement or innovation.
    CVS also believes that the new comprehensive privacy laws 
should preempt State privacy law. Community retail pharmacies 
are operating thousands of stores in multiple States. Given the 
significant length and scope of privacy notices and consents 
required, the cost of exchanging and reissuing them every time 
a State law or regulation is exchanged is staggering when you 
are dealing with millions of patients.
    In conclusion, let me iterate our strong commitment to 
Federal standards with State preemption to protect the privacy 
of medical records. However, we believe that the new written 
prior consent requirement, especially for the billions of 
prescriptions filled annually by community retail pharmacies, 
presents significant operational, logistical and patient care 
challenges. The unintended consequences of this requirement 
will result in patient frustration and longer waiting times at 
the pharmacy counter.
    Thank you for the opportunity.
    [The prepared statement of Carlos R. Ortiz follows:]

PREPARED STATEMENT OF CARLOS ORTIZ, DIRECTOR OF GOVERNMENT AFFAIRS, CVS 
                                PHARMACY

    Mr. Chairman and Members of the Subcommittee. My name is Carlos 
Ortiz and I am Director of Government Relations for CVS Pharmacy 
Corporation, based in Woonsocket, Rhode Island. I am also a pharmacist 
and have been since 1966. I very much appreciate the opportunity to 
testify before the subcommittee today on the issue of medical records 
privacy and the impact of the recent final Federal privacy regulations 
on community pharmacies and the patients that we serve.
    As the largest private pharmacy provider in the nation, CVS 
operates almost 4,100 community pharmacies in 32 states and through 
CVS.com in all 50 states. In 2001, we will provide an estimated 325 
million prescriptions to over 60 million patients. CVS operates 278 
pharmacies in the districts of this subcommittee's members.
    CVS is committed to safeguarding the privacy of patient medical 
records. Currently, in most states, licensed pharmacists must abide by 
patient privacy standards specified in state pharmacy practice acts, 
state board of pharmacy regulations, and other state laws. In addition 
to these requirements, retail pharmacies commonly require employees to 
comply with stringent patient privacy policies.
    CVS wants to reiterate our commitment to strong, Federal standards, 
with state preemption, to protect the privacy of medical records. CVS 
believes that any new Federal privacy standards that are developed, 
whether through statute or regulation, must strike the appropriate 
balance of assuring that any new protections do not outweigh the 
ability of patients to obtain prescription services in a timely and 
efficient manner.
Impact on Patients and Pharmacies of Prior Written Consent Requirement
    Unfortunately, these new final regulations, if implemented in their 
current form, are unworkable and will have unintended consequences for 
community retail pharmacies and the patients that we serve. We support 
Secretary Thompson's action to seek further comments on the final 
regulation, because we believe that there were many provisions in the 
final rule that were not included in the proposed rule, and thus not 
fully vetted.
    Most people want to have their prescriptions filled as quickly as 
possible. That is understandable. No one wants to spend more time in a 
pharmacy than they need to when they are not feeling well, and it's 
important to start drug therapy as soon as possible.
    A new requirement in the final rule, which was not in the proposed 
rule, would require direct treatment providers, such as pharmacies, to 
obtain signed written consent from the patient before they can use the 
patient's information to provide treatment or seek payment. That is, 
pharmacies cannot fill or even begin the process of filling 
prescriptions before the patient's signed, written consent is on file. 
Even HHS said that such a prior consent requirement was unworkable, and 
rejected its use in the original proposed rule.
    Requiring pharmacies to obtain signed written consent from patients 
before we can provide prescription services will increase waiting 
times, inconvenience patients, and negatively impact the quality of 
care. Currently, no state law requires pharmacies to obtain written 
consent from patients, so this requirement represents a fundamental 
change in how patients interact with pharmacies and how pharmacies 
interact with patients.
    We believe that the presentation by the patient of a prescription 
to the pharmacy demonstrates sufficient consent for the pharmacy to use 
the patient's information to provide that medication and subsequently 
bill for payment. We assume if the patient did not want the 
prescription filled (or refilled), he or she would not take it to the 
pharmacy. If the patient did not want the physician to call the 
prescription into a particular pharmacy, he or she wouldn't ask the 
physician to do so. That, we believe, represents sufficient consent.
    Moreover, we do not see how this prior written consent requirement 
creates any additional privacy protections for patients, as long as the 
pharmacy's use of the information is limited to that which is allowed 
under the definitions of treatment, payment, and health care 
operations.
    Yet, the requirement for prior written consent was included in the 
final rule, without any opportunity for public comment. We do not 
believe that the full implications and unintended consequences of this 
inclusion are yet understood by patients.
    Approximately 40% of all prescriptions are dropped off and picked 
up by someone other than the patient. As a result, you can see the 
potential for problems being created when the patient's representative 
shows up at a pharmacy and finds that, because a signed written consent 
is not on file, they have to go back to the patient's home, have the 
consent signed, and then drive back to the pharmacy and wait to have 
the prescription filled. This could be especially burdensome for those 
individuals that live in rural areas, and those who live in urban areas 
and don't have easy access to transportation.
    For example, parents with sick children, and others, such as 
elderly, disabled, and other homebound individuals, would have to come 
to the pharmacy to sign a consent or send someone on their behalf to 
obtain a consent and take it back home for signature and then back to 
the pharmacy before the pharmacist may fill or refill a prescription. 
So, a mother, who had expected to pick up the prescription that was 
phoned in earlier by the doctor, will now find that she has to wait for 
her child's medication.
    The homebound elder without any nearby relatives would have to find 
someone to go to the pharmacy and get the consent form, bring it back 
to the patient for their signature, then return to the pharmacy with 
the consent and the prescriptions, and wait for the prescriptions to be 
filled.
    Furthermore, if the written prior consent requirement goes into 
effect, patients with active prescription refills on file would first 
have to go to the pharmacy and provide a signed, written consent before 
we could refill the prescription. How will we communicate to those 
patients that they need to go into the pharmacy and sign a written 
consent form before we can refill their prescription? Should we wait 
until they call in their refill or until they show up at the pharmacy 
counter expecting their prescription to be refilled in a timely manner?
    This is a prescription for chaos. I would venture that we will try 
and communicate ahead of time, in anticipation of the effective date of 
the final rule, if the final rule contains the requirement for prior 
written consent, probably in writing. Yet even the simple act of trying 
to communicate in writing with 60 million patients will be a difficult 
and very expensive proposition, probably in excess of $60 million.
    Because the final regulation also extends privacy protections to 
``oral communications'' between pharmacists and patients, the 
pharmacist cannot talk to the patient about their health condition in 
order to recommend a possible over-the-counter product, until the 
patient signs a written consent at the pharmacy.
    Millions of Americans patronize pharmacies everyday to seek advice 
from pharmacists about non-prescription medicines. How can we 
logistically obtain all these consents, commit this information to 
paper, and then recommend an appropriate medication in a timely manner? 
This interference may cause customers to start going to other outlets 
that also sell OTCs, such as convenience stores that are not direct 
treatment providers. We think this is bad medicine. Consumers should 
have the benefit of consulting with a pharmacist without having the 
hassle of having to sign a written consent before they are able to do 
so.
    The cost of compliance with this massive regulation is itself 
staggering. Those costs will not go toward patient care, quality 
improvement, or innovation. Rather, pharmacies, at a time of pharmacist 
and staffing shortages, will be required to implement these time-
consuming regulations at the expense of patient care.
Strong Federal Privacy Protections with Preemption of State Laws
    CVS also believes that new comprehensive Federal standards should 
preempt state privacy laws. Community retail pharmacies, operating 
thousands of chain pharmacies in multiple states, need one Federal 
standard rather than 50 different standards to interpret. Subsequently, 
conflicts between federal and state law could be virtually impossible 
for health care providers to resolve on a patient-by-patient basis.
    This final regulation does not preempt many state-based privacy 
laws. In fact, states can and likely will enact a ``patchwork'' of 
privacy laws, creating a situation where providers will have to 
determine themselves which is stronger, state based laws, Federal 
regulations, or court cases relating to patient privacy that might be 
relevant in particular situations. Moreover, the final rule does not 
provide for the Secretary to issue guidance to providers concerning 
which state laws are contrary to and more restrictive than the rule, or 
to regularly update the guidance.
    As a result, community pharmacies will have to develop a process to 
regularly monitor which law, regulation, or court case should be 
applied, and have to update their ``privacy notices'' accordingly. 
Given the significant length and scope of the privacy notices and 
consents required under the rule, the cost of changing and re-issuing 
them every time a state law or regulation is changed is staggering. 
This is especially true when you are providing millions of 
prescriptions each year and operating in multiple states.
    While we understand that only a new Federal statute can preempt 
state law, not Federal regulations, we believe that Federal 
policymakers should take action this year to preempt state laws and 
create nationally uniform Federal privacy protections. At the very 
least, we urge that HHS be required to provide guidance in the 
regulations and in their implementation that will provide certainty to 
covered entities as to which state laws are ``more stringent'' than the 
HHS regulations.
Conclusion
    CVS wants to reiterate our commitment to strong, Federal standards, 
with state preemption, to protect the privacy of medical records. We 
are seriously concerned about this new written prior consent 
requirement in the final HHS regulations for direct treatment 
providers, which did not appear in the proposed rule, and for which 
public comment has not been allowed or the implications for patients 
adequately assessed.
    We believe that this new written prior consent requirement, 
especially for the billions of prescriptions filled annually by 
community retail pharmacies, presents significant operational, 
logistical, and patient care challenges, and that the unintended 
consequences of this requirement will result in patient frustration and 
longer waiting times at the pharmacy counter.
    We have joined with other organizations in asking Secretary 
Thompson to delay the April 14, 2001 effective date of the rule and to 
work with us, as well as other affected parties, to determine how we 
might best address these and other important implementation issues. We 
want to work with Members of this Committee and the Congress to assure 
that reasonable privacy protections result from this process, and that 
patients' access to efficient, effective pharmacy services remains. 
Thank you for the opportunity to submit these comments for the record.

    Mr. Bilirakis. Thank you.
    Ms. Goldman.

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, 
   INSTITUTE FOR HEALTH CARE RESEARCH AND POLICY, GEORGETOWN 
                           UNIVERSITY

    Ms. Goldman. Thank you, Mr. Chairman and members of the 
committee, for the opportunity to testify today. No one has 
ever said that they can't hear me, but having the mike, I 
guess, helps.
    I wanted to thank you for inviting me here to testify 
today, and I know we don't have much time, so I wanted to say 
that while I have heard so many things here today that are 
distressing in terms of what the actual regulation says, and I 
think there is some misinterpretation and inaccuracies, our 
full statement does try to anticipate some of those statements 
and to correct them.
    And I want to suggest at the outset that this is not a new 
process. For those of you who have worked on this issue, we 
have been at it for over a decade. Congress has been at this 
since the early 1990's, if not before. Many of the issues that 
are in the final regulation were incorporated into bills that 
were introduced on a bipartisan basis by many members of this 
committee and in the Senate as well, so there has been a great 
opportunity to look at this.
    The comment period on the regulation was extended in 
response to requests by industry groups and consumer groups, 
and then there was a 10-month fact-finding process where HHS 
tried to develop a workable and a strong rule. And I say that 
at the end, consumer advocates and providers got some of the 
things we asked for, and health plans and others got some of 
the things they asked for. Nobody got everything. But there was 
an attempt within the constraints that HIPAA set on the 
administration to craft a strong privacy rule that was 
workable.
    Protecting privacy we now know is not only good for 
individuals, it is good for health care generally. And many, I 
think, of the leaders in the community are already developing 
privacy and security standards in their systems.
    The regulation is not perfect. There is no question some of 
the areas where we think it is weak are again areas where there 
were constraints imposed by the Congress in 1996, that it can 
only directly cover certain entities, that it only directly 
covers information in certain contexts. There is limited 
enforcement, limited liability.
    We did ask that there be an expansion in the scope of the 
regulation. Provider groups were very clear. Doctors and others 
said that they wanted a consent requirement because that is 
currently the status quo. There is not an--I don't ever go to 
the doctor where I am not asked to sign a consent form. I have 
never enrolled in a health plan where I am not asked to sign a 
consent form. So that is the status quo. And health care 
providers were adamant that that not be rolled back.
    In terms of the major points that I want to make today, we 
are urging the administration to go forward with the April 14 
effective date of this regulation. There has been adequate time 
over the last few months, and there will be over the next 
month, to look at where there may be some concerns, where there 
may be real barriers to implementation. And where they exist, 
and where they can be shown on a case-by-case basis, and not, 
you know, about the hyperbole and extreme concerns, but where 
we know there are going to be barriers, we urge Secretary 
Thompson to make the modifications necessary to permit 
compliance, to issue guidance where that would be helpful to 
allay some of the fears that have arisen around the 
implementation of the regulation. He has full legal authority 
to do that. We urge him to use it and to not further delay this 
regulation.
    A lot of the opposition, as I said, I think are based on 
inaccuracies and misstatements about this regulation, and it 
gives us concern that the efforts around delay are really to 
try to delay the regulation indefinitely. We have been at this 
for over a decade now. While many say they want privacy and 
they care about privacy, we have never really seen a true 
commitment to moving forward in this area. Many other 
industries have moved forward to put privacy protections in 
place and have worked closely with consumer groups and others 
in the financial area, in the communications area, in the video 
rental area, where it was critical to engender consumer trust 
and confidence that privacy protections were essential to get 
people to fully participate.
    E-commerce is a big issue right now, and the No. 1 barrier 
to people fully participating is concern about their privacy. 
But it appears that the health care industry has not moved 
forward with that same urgency to allay public concern and to 
calm people.
    We have seen major problems. We have seen at the University 
of Washington a major breach in security because there weren't 
rules in place saying what folks needed to do in order to 
adequately protect data. These privacy regulations, while not 
perfect, and while not comprehensive, will create tremendous 
uniformity. It will certainly, to an industry that needs to 
start to build privacy protections in, to say, here is the way 
to do it. It will give some calm assurance to the public, who 
is very concerned about sharing information and are withdrawing 
from full participation in their own care. People are afraid to 
get genetic tests because of how the information might be 
misused. They are afraid to go online to get access to 
information or services because of how the information might be 
misused.
    We would hope that the Secretary would take into account 
what some of the real concerns are. I think that there are some 
issues that can be addressed with his legal authority, and we 
would urge him to do that. But where, again, there is hyperbole 
or misstatements, we would urge the Secretary as well as this 
committee to take a look at those and hopefully to set the 
record straight. I hope this hearing is an opportunity to do 
that.
    [The prepared statement of Janlori Goldman follows:]

    PREPARED STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY 
  PROJECT, INSTITUTE FOR HEALTH CARE RESEARCH AND POLICY, GEORGETOWN 
                               UNIVERSITY

    Members of the House Committee on Energy and Commerce, Subcommittee 
on Health: As the Director of the Health Privacy Project at Georgetown 
University's Institute for Health Care Research and Policy, I very much 
appreciate the invitation to testify before you today on the final 
medical privacy regulation.

                              INTRODUCTION

    The medical privacy regulation issued by the Department of Health 
and Human Services (HHS) on December 28, 2000, is a milestone in 
federal law. It is the first--and only--federal law to protect the 
privacy of medical information in the hands of private health care 
providers and health plans. This regulation was initially scheduled to 
go into effect on February 26, 2001, but its effective date was changed 
due to the unfortunate failure of HHS to officially transmit the 
regulation to Congress. We urge the Administration and the Congress to 
ensure that this regulation goes into effect, as now scheduled, on 
April 14, 2001.
    After the regulation goes into effect, if covered entities have 
real and legitimate implementation concerns that guidance from HHS 
cannot address, the Secretary of HHS has the legal authority to make 
certain modifications to the regulation, as necessary to permit 
compliance. We are fully available to support Secretary Thompson should 
such modifications become necessary, and we look forward to working 
with him as we move forward. What we would not support, and, indeed, 
would vigorously oppose, is any action by HHS or Congress that would 
further delay the effective date or roll back the regulation.
    As you hear testimony today, we urge you to look at the actual 
language of the regulation as it is written and at HHS' intent as 
expressed in the preamble. It is essential that we not be swayed by 
distortions and exaggerations that we fear are part of a strategy to 
not only delay, but also to undermine the regulation. We believe that 
some in the health care industry are engaged in a campaign to do just 
that. Fortunately, not all health-related entities share that goal. 
Most notable are the trade associations and individual companies that 
know that protecting privacy is good for business, and support the 
regulation and the time line for implementing it.
    Our testimony today addresses: the importance of protecting privacy 
in the health care arena; the genesis of the health privacy regulation; 
why HHS should not further delay implementation of the regulation; a 
brief summary of the final regulation; the major areas of contention; 
the myths that are being propagated about the final regulation and the 
facts; a rebuttal of the industry's cost concerns; and our 
recommendations to Congress.

                 OVERVIEW OF THE HEALTH PRIVACY PROJECT

    The Health Privacy Project's mission is to press for strong, 
workable privacy protections in the health care arena, with the goal of 
promoting increased access to care and improved quality of care. The 
Project conducts research and analysis on a wide range of health 
privacy issues. Recent Project publications include: Best Principles 
for Health Privacy (1999), which reflects the common ground achieved by 
a working group of diverse health care stakeholders; The State of 
Health Privacy (1999), the only comprehensive compilation of state 
health privacy statutes; Privacy and Confidentiality in Health Research 
(2000), commissioned by the National Bioethics Advisory Commission; 
Privacy and Health Websites, which found that the privacy policies and 
practices of 19 out of 21 sites were inadequate and misleading; and 
``Virtually Exposed: Privacy and E-Health'' (2000), published in Health 
Affairs.
    In addition, the Project staffs the Consumer Coalition for Health 
Privacy, comprised of over 100 major disability rights, disease, labor, 
and consumer advocates as well as health care provider groups. The 
Coalition's Steering Committee includes AARP, American Nurses 
Association, Bazelon Center for Mental Health Law, National Association 
of People with AIDS, Genetic Alliance, National Multiple Sclerosis 
Society, and National Partnership for Women & Families.

               PRIVACY IS A CENTRAL VALUE IN HEALTH CARE

    Americans are increasingly concerned about the loss of privacy in 
everyday life, and especially about their health information. The lack 
of privacy has led people to withdraw from full participation in their 
own health care because they are afraid that their most sensitive 
health records will fall into the wrong hands, leading to 
discrimination, loss of benefits, stigma, and unwanted exposure. One 
out of every six people engages in some form of privacy-protective 
behavior to shield herself from the misuse of health information, 
including withholding information, providing inaccurate information, 
doctor-hopping to avoid a consolidated medical record, paying out of 
pocket for care that is covered by insurance, and--in the worst cases--
avoiding care altogether. (Survey conducted by Princeton Survey 
Research Associates for the California Health Care Association, 1999)
    Unfortunately, people's fears are warranted. Medical privacy 
breaches are reported with increasing frequency by the media. To 
highlight a few--

 • Terri Seargent was fired from her job after her employer 
        learned that she had been diagnosed with a genetic disorder 
        that would require expensive treatment. Terri was a valued 
        employee who received a positive review and a raise just before 
        her discharge from the company. A recent EEOC investigation 
        determined that the employer fired Terri because of her 
        disability.
 • A few months ago, a hacker downloaded medical records, health 
        information, and social security numbers on more than 5,000 
        patients at the University of Washington Medical Center. The 
        University conceded that its privacy and security safeguards 
        were not adequate.
 • Annette W. and her husband were involved in a difficult and 
        contentious divorce. In the midst of their separation, Annette 
        instructed her pharmacy not to disclose any of her medical 
        information to her estranged husband. Just one day later, the 
        pharmacist gave Annette's husband a list of all her 
        prescription drugs. Armed with this information, her husband 
        embarked on a campaign to label her a drug user. He sent 
        information to friends and family, to the Department of Motor 
        Vehicles, and threatened to have her children taken away.
 • Years ago, Ben Walker and his wife came to Congress to tell 
        their story. Ben had worked for the FBI for 30 years, but was 
        forced into early retirement after his employer learned that he 
        had sought mental health treatment. The FBI got hold of Ben's 
        prescription drug records when the Bureau was investigating his 
        therapist for fraud. In turn, the FBI targeted Ben as an unfit 
        employee and stripped him of many of his duties, even though he 
        was later found fit for employment. Ben and his wife testified 
        that he would never have sought treatment had he believed his 
        medical records would be used against him.
    In the absence of a federal health privacy law, these people 
suffered job loss, loss of dignity, discrimination, and stigma. And had 
they acted on their fears and withdrawn from full participation in 
their own care--as nearly 20% of people do--they would have put 
themselves at risk for undiagnosed and untreated conditions. In the 
absence of a law, people have faced the untenable choice of shielding 
themselves from unwanted exposure or sharing openly with their health 
care providers.

                     THE GENESIS OF THE REGULATION

    The new federal health privacy regulation is a major victory for 
all health care consumers. In fact, each one of us will benefit from 
these rules in some way, from more reliable data for research and 
outcomes analysis, to greater uniformity and certainty for health care 
institutions seeking to develop privacy safeguards as they modernize 
their information systems. The rules represent a significant and 
decisive step toward restoring public trust in our nation's health care 
system. Not only is it the most sweeping privacy law in U.S. history, 
it begins to fill the most troubling vacuum in federal law. The 
regulation sets in place a sorely needed framework and a baseline on 
which to build. Much of the regulation's unfinished business is due to 
the legal constraints imposed on HHS by Congress in its delegation of 
authority in the Health Insurance Portability and Accountability Act of 
1996 (HIPAA). At this juncture, it is imperative that Congress act to 
plug the gaps and strengthen the weaknesses in the rule.
    In fact, it was a Republican Congress in 1996 that imposed on HHS 
the legal duty to issue a health privacy regulation. Representatives of 
health care consumer groups, health plans, and health providers all 
reached a consensus in 1996 that the movement toward an electronically 
based health care system should not go forward without adequate federal 
protections in place for the confidentiality and privacy of health 
information. HIPAA reflects this consensus. It sets a schedule for 
adopting and implementing not only the standards for electronic 
transactions involving health information, but also for establishing 
privacy protections for health information.
    Many privacy bills were introduced after HIPAA passed in 1996. Some 
were bipartisan; others were not. Some were favored by consumer 
advocates, others by health plans. Numerous hearings were held in both 
the House and Senate, but not a single bill saw a mark-up. Achieving 
legislative consensus on health privacy rules is not a simple task. 
Congress' failure to meet the 3-year deadline set in HIPAA triggered 
the requirement for HHS to promulgate rules in this area by 2000.
    Pursuant to its mandate, HHS issued draft regulations in November 
1999. In response to requests from industry representatives and 
consumer advocates, the Department extended the formal comment period 
to allow sufficient time to respond to the proposal. Of the 52,000 
comments eventually submitted, more than half came from consumers and 
their representatives. After the comment period closed, HHS spent 10 
months engaged in extensive fact finding to respond to comments and 
concerns before it released the final regulation.
    The final regulation incorporates a number of the key changes 
sought by consumer groups as well as many of the changes urged by 
health care providers, health plans, clearinghouses, researchers, and 
others operating in the health care arena. From the text of the 
regulation itself, it appears HHS was striving to craft a strong and 
workable privacy law.
    It is important to note that the privacy rule is one of three 
regulations mandated in the section of HIPAA known as ``Administrative 
Simplification.'' The other rules address establishing uniform 
transaction standards for health care and security rules to safeguard 
the data. Congress intended this package of regulations to be 
implemented together so that privacy and security measures are built in 
as information systems and practices are standardized. The policy goal 
was to assure the public that, as their most sensitive personal 
information was being computerized and adapted to be shared instantly 
and cheaply, enforceable privacy rules would be implemented up front. 
The final transactions standards went into effect last fall, triggering 
a 24-month implementation period. The security regulations are expected 
to be released by HHS this spring.

   WE URGE HHS NOT TO FURTHER DELAY THIS IMPORTANT PRIVACY REGULATION

    We strongly support maintaining the current effective date of the 
final privacy regulation. HIPAA mandated that regulations governing the 
privacy of health information be promulgated by February 2000. These 
privacy standards are long overdue, already have been thoroughly 
debated, and should be put into effect as scheduled.
    The rule-making procedure up to this point has been lengthy, 
thorough, and orderly. Scores of HHS employees spent almost a year 
reviewing, analyzing, and crafting responses to the comments that the 
agency received on this rule. The thoroughness with which HHS 
considered these comments is reflected by the fact that almost 200 
pages of the preamble to the final regulation are devoted to 
summarizing and responding to these comments.
    Overall, the final product of these extensive rule-making 
procedures is a balanced regulation. HHS made many significant changes 
to accommodate the concerns of the major stakeholders. For instance, in 
response to concerns from the health care industry, the requirements of 
the ``business partner'' provisions were substantially relaxed. The 
requirement of a third party beneficiary clause in a business associate 
contract was eliminated as was the provision that would have held a 
covered entity liable for violations of its business associates that it 
should have known about. Now, they are merely liable for violations 
they actually knew about. Restrictions on marketing and fundraising 
activities were also substantially relaxed after vigorous lobbying by 
the health care industry. In response to the comments of health 
providers and health care consumers, authorization requirements were 
tightened. In sum, although no one group of stakeholders received 
everything that it requested, the comments of all major stakeholders 
were taken into account in crafting the final rule.
    If there are legitimate implementation issues that cannot be 
remedied through the issuance of guidance by HHS, HIPAA expressly 
provides a mechanism for resolving these difficulties after the privacy 
regulation becomes effective. Under Section 262 of HIPAA (adding 
Section 1174 to the Social Security Act), the Secretary has the 
authority to modify the privacy standards during the first 12 months 
after the standard is adopted (i.e., becomes effective) when such 
modification ``is necessary in order to permit compliance with the 
standard.'' Thus, HIPAA anticipates and provides a statutory mechanism 
for resolving implementation problems after the regulation becomes 
effective.
    At this critical juncture, it is time to move forward and devote 
our energy, time, and resources toward implementing the final 
regulation, rather than wasting precious resources debating whether the 
regulation should even take effect. Every day more progress is made 
toward electronically storing and transmitting health information. As 
Congress recognized in 1996, it is irresponsible to allow these changes 
to go into effect without having adequate privacy and security 
protections in place.

                    SUMMARY OF THE FINAL REGULATION

    Key provisions of the health privacy regulation are highlighted 
below. A more detailed, comprehensive summary of the rule can be found 
at our website, www.healthprivacy.org.

 • Scope: The regulation applies to all health plans and 
        clearinghouses (entities that process and transmit claims data) 
        and to health care providers that transmit claims-type 
        information in electronic form. It covers identifiable health 
        information in electronic and paper records as well as oral 
        communications. Due to the constraints imposed by HIPAA, the 
        law does not directly cover employers, life insurers, 
        pharmaceutical companies, and others. Instead, the rule 
        establishes a chain of trust requirement, binding entities that 
        receive identifiable health information from a covered entity 
        to a contractual arrangement.
 • Access: People have the right to see, copy, and amend their 
        own medical records. Most states do not currently grant people 
        such broad rights.
 • Limits on Disclosure: The regulation restricts access to and 
        disclosure of health information. Of particular importance to 
        patients and providers, health care providers must obtain 
        patient consent for disclosures relating to treatment, payment, 
        and health care operations. We support this approach. However, 
        we believe the provisions on marketing and fundraising are 
        fundamentally flawed in allowing ``one free pass'' before first 
        giving people the chance to opt-out of receiving such 
        commercial communications.
 • Employers: Group health plans are barred from disclosing 
        ``protected health information'' to employers except for 
        specific functions related to providing and paying for health 
        care. Employers must establish a firewall between the health 
        care division and those employees who make decisions about 
        employment. The rules are a powerful new tool to stop workplace 
        discrimination. However, due to constraints imposed by HIPAA, 
        employers that collect health information directly from 
        employees (and not in their capacity as providers, plans or 
        clearinghouses) fall outside the scope of the privacy rule. 
        Only Congress can close this gap.
 • Law Enforcement: Health care providers and plans are 
        prohibited from releasing patient data to federal, state, or 
        local law enforcement without some form of legal process, 
        including a warrant, court order or administrative subpoena. 
        There is a broad consensus among consumer organizations and the 
        health care industry that HHS should have established stronger 
        legal process requirements. The Health Privacy Project had 
        argued to HHS that it should require a higher Fourth-Amendment 
        standard and review by a neutral magistrate.
 • Research: All research, whether publicly or privately funded, 
        must be overseen by either an Institutional Review Board (IRB) 
        or privacy board if the researcher seeks a waiver of informed 
        consent.
 • Penalties: Health care providers, health plans, and 
        clearinghouses are subject to civil and criminal penalties (up 
        to $250,000/year and 10 years in jail) for violating the law. 
        The Office for Civil Rights at HHS is charged with overseeing 
        the law and imposing penalties where appropriate. But HIPAA 
        constrained the Secretary from including a federal private 
        right of action for individuals to sue for violations of the 
        law. Congress should act to give people the ability to seek 
        redress directly if their rights are violated.
 • Preemption: As required in HIPAA, the federal regulation does 
        not preempt or override stronger state law. Instead, the rules 
        establish a baseline of protections, above which states may go 
        to better protect their citizens. A 1999 report on state laws 
        issued by the Health Privacy Project demonstrated that such a 
        baseline is sorely needed.

                        MAJOR AREAS OF CONTENTION

    As expected, the final rule has been the subject of much criticism 
from some of the entities that will be covered by it. In this section 
we address those criticisms that reflect policy differences between HHS 
and the covered entities--policy differences that were aired, debated, 
and resolved as part of this rule's lengthy rule-making process. In the 
next section we address the campaign of misinformation that opponents 
of the final regulation are waging in an effort to further delay its 
effective date.
Consent requirement for health care providers (Section 164.506)
    We are pleased that the final rule requires that a health care 
provider obtain a patient's consent before using or disclosing 
protected health care information. We are disappointed that the consent 
requirement was not extended to other covered entities, such as health 
plans.
    As a general rule, requiring patient consent prior to use or 
disclosure can:

 • bolster patient trust in providers and health care 
        organizations by acknowledging the patient's role in health 
        care decisions;
 • serve as recognition that notice was given and the patient was 
        aware of the risks and benefits of the use and disclosure of 
        their information; and
 • define an ``initial moment'' in which patients can raise 
        questions about privacy concerns and learn more about options 
        available to them.
See Best Principles for Health Privacy, a Report of the Health Privacy 
Working Group, at 22.
    Patients should be encouraged to be active participants in their 
own health care--and obtaining an individual's consent is an integral 
piece of that picture. Accordingly, we believe that health plans should 
also be required to obtain an individual's consent prior to using or 
disclosing health information for treatment, payment, and health care 
operations purposes. This is particularly true in light of the breadth 
of activities encompassed in the definition of ``health care 
operations,'' which expanded considerably from the proposed rule.
    Some industry groups have claimed that the public comment process 
was circumvented because the final rule governing authorization and 
consent varied significantly from the proposed provision on this topic. 
See, e.g., Testimony of American Benefits Council before the Senate 
Committee on Health, Education, Labor, and Pensions at 7 (February 8, 
2001); Testimony of the American Hospital Association before the Senate 
Committee on Health, Education, Labor, and Pensions at 9 (February 8, 
2001). However, the Secretary's actions were well within the standard 
of appropriate rule-making behavior. Under the proposed rule, 
authorization or consent for treatment, payment, and health care 
operations purposes would not have been required. After explaining the 
basis for this proposed approach, the Secretary ``invit[ed] comments on 
whether other approaches to protecting individuals' health information 
would be more effective.'' 64 Fed. Reg. at 59941. The Secretary 
received some 52,000 comments on the proposed regulation, many of them 
from health care providers and consumer groups addressing the lack of 
any requirement for patient authorization for these purposes. Based on 
these comments, the Secretary strengthened the standard. This is how 
rule-making is supposed to occur: the agency makes a proposal, the 
public comments on it, the agency considers those comments and then 
modifies the rule, if necessary, in response to those comments. There 
was no circumvention of the rule-making process in establishing consent 
standards.
    In essence, the industry's argument boils down to a policy 
difference with HHS over the best approach to consent. Those views were 
aired thoroughly and then rejected by HHS as it crafted the final 
regulation.
    At least one organization has stated that the final consent 
requirement could, in fact, lead to actual harm of individuals seeking 
health care. They have expressed concern that treatment might be 
delayed when ``individuals seek[] medical care or services in those 
unavoidable instances where no consent form has been obtained.'' 
Testimony of American Benefits Council at 8. However, the final privacy 
regulation has taken this possibility into account. Section 
164.506(a)(3) provides that a health care provider may without prior 
consent use or disclose protected health information in emergency 
treatment situations and in circumstances where the provider is unable 
to obtain prior consent due to substantial barriers to communication 
with the patient.
    Some pharmacy groups have expressed concern that the consent 
requirement would substantially interfere with their current method of 
operation. Frequently, prescriptions are phoned or faxed into 
pharmacists by doctors. The pharmacist then uses the prescription 
information in order to have the medication ready when the patient or 
someone acting on behalf of the patient arrives to pick it up. We 
recognize that requiring a consent to be on file in advance of using a 
prescription for treatment purposes would interfere with these current 
business practices. We believe, however, that HHS can remedy this 
problem quite easily, either by issuing guidance that a pharmacist in 
such a situation would be considered to have an indirect treatment 
relationship with the patient or by making a minor change in the 
definition of ``indirect treatment relationship'' found in Section 
164.501. However, this potential need to ``fine tune'' the regulation 
does not justify delaying the effective date.
Business associates (Sections 164.502(e) and 164.504 (e))
    We strongly support the requirement that covered entities receive 
satisfactory assurance that their business associates will properly 
safeguard protected health information before either disclosing this 
information or allowing a business associate to receive protected 
health information on their behalf. Absent such a requirement, covered 
entities could easily circumvent the privacy regulation merely by 
contracting out their business functions.
    Ideally, a health privacy law or regulation would impose 
restrictions directly on all of those who receive protected health 
information, including the agents and contractors of health care 
providers and health plans. Unlike health care providers, these 
downstream users and processors often do not have an ethical obligation 
to maintain patient confidentiality. We recognize, however, that HHS 
was unable to directly cover these organizations due to the Secretary's 
limited authority under HIPAA. Regulating the agents and contractors of 
covered entities indirectly, through the covered entities, makes sense 
in these circumstances. This is particularly true since many covered 
entities already enter into some form of contract with their business 
partners.
    Some covered entities have protested that it is not fair to hold 
them accountable for the actions of others. However, this regulatory 
scheme is not a departure from traditional contractor/agency principles 
under which a contractor may be held responsible for its agents' 
actions. Furthermore, HHS took the fairness argument into account and 
weakened this provision in the final rule by limiting a covered 
entity's liability to circumstances where the covered entity actually 
knew of a material breach of the contract of the business partner and 
failed to act.
    Other organizations have complained that business associate 
contracts would be complex and result in significant time and resource 
burdens, and would require the writing or re-writing of many new 
contracts. We note at the outset that having contracts in place 
specifying what agents are permitted to do with sensitive health 
information just makes good business sense. Additionally, the 
implementation specifications for business associate contracts are 
clear and straightforward and should not result in complex contracts. 
In order to reduce any administrative burden, covered entities are free 
to develop standard contracts or standard addenda to existing 
contracts.
    Again, as with the final rule's approach to consent, the business 
associate concept was thoroughly debated during the rule-making process 
and there is no reason to reopen that debate.
Minimum necessary standard (Sections 164.502(b) and 164.514(d))
    We support the general standard that a covered entity must make 
reasonable efforts to limit protected health information to the minimum 
amount necessary to accomplish the intended purpose when using or 
disclosing protected health information or when requesting such 
information from another covered entity. We are particularly pleased 
that the minimization requirement extends to payment and health care 
operations.
    The final rule significantly modified the proposed minimum 
necessary standard and the related implementation specifications. In 
some ways, the rule has been improved, such as subjecting the requests 
of covered entities for health information to the minimum necessary 
standard. See Section 164.514(d)(4). However, in many other ways the 
standard is still lacking because it does not apply to a broad enough 
category of uses and disclosures of health information.
    Probably the most controversial aspect of the minimum necessary 
standard is the method in which it applies to protected health 
information that is being used or disclosed for treatment purposes. The 
minimum necessary standard does not apply to information that is 
disclosed to a health care provider for treatment purposes. See Section 
164.502(b)(2)(i). In contrast, the minimum standard does apply to 
health information that is being used for treatment. We believe that 
the minimum necessary standard should apply to both uses and 
disclosures of protected health information for treatment purposes.
    Under the structure of the final rule, a covered entity could 
adhere to this requirement by fashioning general policies that specify 
when and who should have access to medical information for treatment 
purposes. See Section 164.514(d)(3). For instance, a hospital might 
have a policy that would permit a treating physician access to a 
patient's entire medical record, but would limit a nurse's aide's 
access.
    The establishment of policies governing the amount of information 
accessible within a covered entity will become even more important as 
the health care delivery system continues to move toward 
computerization of medical records. As a practical matter, records in 
this format may be readily accessible to a wide range of personnel 
within the covered entity. Thus, it is imperative that a covered entity 
have policies that limit uses of health information to the minimum 
amount necessary.
Oral communications (Section 160.103, definition of ``health 
        information'')
    Much criticism of the final rule has focused on its applicability 
to oral communications. Some of this criticism has reached hyperbolic 
proportions. For example, Blue Cross and Blue Shield charges that ``new 
sound-proof walls and offices may need to be built in health care 
facilities.'' See Testimony of Blue Cross and Blue Shield Association 
before the Senate Committee on Health, Education, Labor, and Pensions 
at 7 (February 8, 2001). The American Hospital Association raises the 
specter of doctors not being able to talk to patients who share a 
hospital room with another patient ``for fear of running afoul of 
HIPAA's many prohibitions.'' See Testimony of the American Hospital 
Association before the Senate Committee on Health, Education, Labor, 
and Pensions at 10 (February 8, 2001).
    Health care professionals, and the hospitals in which they work, 
should take reasonable steps to make sure that conversations about one 
patient are not overheard by others. The regulation, though, merely 
requires covered entities to ``reasonably safeguard protected health 
information from any intentional or unintentional use or disclosure 
that is in violation of the standards.'' See Section 164.530(c)(2). 
Screens or curtains often separate patients from one another in 
hospital rooms to protect the privacy of patients. Health care 
professionals can and should modulate their voices so that private 
conversations can take place. This is true whether the conversation 
takes place in the patient's room or in the hallways, corridors, or 
elevators.
    We believe that HHS has the authority under HIPAA to regulate a 
broad range of health information in any format, including oral 
communications, and we strongly support this approach. Not only does 
HHS have the authority to protect health information in any format, it 
should protect this information.
    At the outset, protecting only health information in electronic 
format would leave a vast amount of health information unprotected by 
federal law. Furthermore, limiting coverage to only health information 
that at some point had been electronically maintained or transmitted 
would be impractical and unenforceable. Health information often 
changes format--it can start out as oral, then be written and then be 
stored electronically. It would be an administrative nightmare to try 
to discern what information in any particular health record had at some 
point been electronically stored or transmitted. Additionally, if there 
were an improper disclosure, it would be terribly difficult, if not 
impossible, to prove that the information disclosed had at some point 
been in electronic format.
    Leaving health information in paper and oral format outside the 
bounds of the privacy regulation may actually induce covered entities 
to retain paper record-keeping and filing systems in order to avoid 
regulation. This would be contrary to the goals of the administrative 
simplification provisions of HIPAA, which are intended to encourage the 
development of an electronic health care information system. Moreover, 
if oral communications were excluded from the regulation, covered 
entities could circumvent this regulation merely by reading aloud or 
orally telling someone what is contained in a computer or paper record.

             MAJOR DISTORTIONS ABOUT THE PRIVACY REGULATION

    Some in the health care industry oppose aspects of the privacy rule 
and the time line for implementing it, and are waging a ``chicken-
little-the-sky-is-falling'' campaign to delay and weaken it. In this 
section we rebut the major myths and inaccuracies about the final rule.
    Myth #1: The regulation will ``jeopardize the quality and 
timeliness of patient care'' and ``drive a wedge between individuals 
and their care providers.''
        Sources: ``HIPAA's Privacy Standards: Driving a Wedge Between 
        Patients and the Health Field,'' by Marilou M. King, attorney 
        representing the American Hospital Association (page 1); 
        Testimony of Blue Cross and Blue Shield Association before the 
        Senate Committee on Health, Education, Labor, and Pensions at 
        11 (February 8, 2001)(``This standard . . . could jeopardize 
        the quality and timeliness of patient care . . .'').
    Fact: The regulation will improve the quality of care and the 
patient/professional relationship. Concerns about lack of privacy now 
drive a wedge between patients and their providers and impede the 
provision of quality care because patients withhold information, avoid 
asking certain questions, or fail to seek care altogether. Among other 
benefits, the regulation creates the opportunity for patients and their 
health care providers to engage in a dialogue about how their 
information will be used and gives patients more control over uses and 
disclosures. This regulation will go a long way toward promoting 
confidence in the privacy of medical information and in the health care 
system.
    Myth #2: Family members and friends will no longer be able to pick 
up prescriptions for others at the pharmacy.
        Source: `` `As Craig Fuller has told me, the way it's set up 
        right now, if you are married and you're too sick to go to the 
        drug store, you can't send your spouse down to pick up your 
        medicine,' [HHS Secretary] Thompson said during a National 
        Chamber Foundation meeting March 1 in Washington, D.C.'' F-D-C 
        Reports' Research Services, ``Consulting NACDS,'' The Pink 
        Sheet, March 5, 2001 (page 5).
    Fact: The regulation explicitly provides that this common practice 
can continue. The regulation states that covered entities can use their 
professional judgment and experience with such practices so that family 
members, friends, and others may pick up items like filled 
prescriptions, medical supplies, or x-rays. See Section 164.510(b)(3).
    Myth #3: The ``minimum necessary'' standard will disrupt 
communications between providers involved in treating a patient. Some 
charge that providers treating patients will not be able to examine the 
patient's entire medical record.
        Sources: ``The minimum necessary rules may still place 
        artificial limits on the ability of doctors to use and disclose 
        health information for critical treatment situations--
        threatening the overall quality of care.'' Testimony of Blue 
        Cross and Blue Shield Association before the Senate Committee 
        on Health, Education, Labor, and Pensions at 11 (February 8, 
        2001).
          ``The regulation includes a strong discouragement regarding 
        the release of entire medical records of patients. The complete 
        exchange of medical information is absolutely critical to 
        assuring a patient receives the right treatment at the right 
        time.'' Testimony of Blue Cross and Blue Shield Association 
        before the Senate Committee on Health, Education, Labor, and 
        Pensions at 11 (February 8, 2001).
          ``Limiting the ability of teams of health professionals, and 
        health profession trainees, in a hospital setting to use a 
        patient's complete medical chart or freely discuss and 
        communicate among themselves in the course of treating patients 
        could be disruptive and potentially dangerous.'' Testimony of 
        the Healthcare Leadership Council before the Senate Committee 
        on Health, Education, Labor, and Pensions at 4 (February 8, 
        2001).
    Fact: The regulation explicitly exempts from the ``minimum 
necessary'' standard all disclosures to providers for treatment 
purposes. It also exempts all requests by health care providers for 
information to be used for treatment purposes. See Section 
164.502(b)(2)(i). As a result, information will flow freely between and 
among providers involved in treatment. Provisions in the regulation 
that require special justification for disclosing the entire medical 
record do not apply to treatment-related disclosures because they are 
not subject to the minimum necessary standard in the first place.
    With respect to uses of health care information for treatment 
purposes, the regulation allows the use of the entire medical record 
when it is specifically justified as the amount that is ``reasonably 
necessary'' to accomplish the purpose of the use. See Section 
164.514(d)(5). A provider is only required to have a policy as to the 
amount of health information that is to be used: a case-by-case 
determination is not required or anticipated. See Section 
164.514(d)(3). In fact, HHS states in the preamble to the regulation 
that HHS ``expect[s] that covered entities will implement policies that 
allow persons involved in treatment to have access to the entire 
record, as needed.'' 65 Fed. Reg. at 82544.
    Myth #4: Providers that disclose medical information for treatment 
purposes must meet the minimum necessary standard.
        Source: ``This exemption [from the minimum necessary standard] 
        does not cover . . . `disclosures by' providers.'' (emphasis 
        added) Testimony of Blue Cross and Blue Shield Association 
        before the Senate Committee on Health, Education, Labor, and 
        Pensions at 11 (February 8, 2001).
    Fact: This assertion takes the minimum necessary exemption out of 
context. The general rule imposes the minimum necessary standard on 
covered entities, including providers, when they are ``disclosing 
protected health information.'' See Section 164.502(b)(1). The 
provision goes on to state: ``This requirement does not apply to: . . . 
Disclosures to . . . a health care provider for treatment.'' See 
Section 164.502(b)(2). When read as a whole, it is clear that the 
exemption applies to disclosures by health care providers.
    Myth #5: The regulation will impede the training of medical 
students, in part because the regulation will not allow medical 
students to see a patient's entire medical record.
        Source: The Association of American Medical Colleges has 
        ``grave concerns'' about ``the effects of the rule on medical 
        and health education.'' ``The AAMC supports the proposition 
        that medical residents and medical and nursing students, as 
        well as other health professions students, as necessary, should 
        have unrestricted access to medical information of their 
        patients . . .--a proposition that the rule seems to recognize, 
        peculiarly, only with respect to psychotherapy notes.'' 
        Testimony of the Association of American Medical Colleges 
        before the Senate Committee on Health, Education, Labor and 
        Pensions at 2, 4 (February 8, 2001).
    Fact: The regulation respects the important role that covered 
entities play in the training of medical students. It includes the 
following within the definition of ``health care operations'' found in 
Section 164.501: ``conducting training programs in which students, 
trainees, or practitioners in areas of health care learn under 
supervision to practice or improve their skills as health care 
providers.'' Therefore, once a provider obtains a consent, an 
individual's health information can be used not only for treating the 
patient but also for training medical students. Disclosures, for 
treatment purposes, to medical students providing health care services 
to patients would not be subject to the minimum necessary standard 
because such medical students would be considered ``health care 
providers.'' See Section 160.103 (definition of ``health care 
provider'')(``any other person . . . who furnishes . . . health 
care''). Medical students--even those not actually considered ``health 
care providers'' because they do not furnish care--would be able to 
review a patient's entire medical record when the covered entity makes 
a policy determination that the entire medical record is ``reasonably 
necessary to achieve the purpose'' of training medical students. See 
Section 164.514(d)(5).
    Myth #6: The regulation is so complex it is 1,500 pages long.
        Source: U.S. News & World Report (Jan. 29, 2001, page 47) 
        refers to the regulation as ``the 1,500-page doorstopper.''
    Fact: The text of the actual regulation only covers 32 pages in the 
Federal Register. The preamble that precedes the regulation covers 337 
pages in the Federal Register. Over half of the preamble is devoted to 
summarizing and responding to the more than 52,000 comments received by 
HHS.
    Myth #7: ``Health care providers would have to keep track of 
everyone who received medical information from them. Patients could 
demand an accounting of all of these disclosures.''
        Source: Amitai Etzioni, ``New Medical Privacy Rules Need 
        Editing,'' USA Today at 13A (February 22, 2001).
    Fact: This is simply not true. Providers are not required by this 
regulation to keep an accounting of anyone within their own 
organization who has received (or had access to) medical information. 
This is because the accounting provision only covers ``disclosures,'' 
which are defined as the sharing of health information with someone 
outside of an organization. See Section 164.528(a) (right to accounting 
of disclosures) and Section 164.501 (definition of ``disclosure''). 
Furthermore, the regulation specifically states that a provider does 
not have to keep account of information disclosed (i.e., shared with 
someone outside of the organization) for treatment, payment, or health 
care operations. See Section 164.528(a)(1)(i). For example, a hospital 
would not have to keep track of health information sent to outside 
doctors providing follow-up care to patients. The result of these 
exclusions is that providers are required to account for only a narrow 
category of disclosures that primarily are not related to health care, 
such as those made to law enforcement personnel or pursuant to a 
request for documents in a lawsuit.
    Myth #8: The regulation allows patients to demand that doctors 
correct their medical records.
        Source: ``We all would be the beneficiaries if the regulations 
        as currently constituted were not allowed to go into effect 
        until they are subject to an expeditious and thorough trimming 
        and simplification . . . And while patients should be allowed 
        to see their medical records and attach their comments, they 
        should not be allowed to demand that doctors ``correct'' the 
        records.'' Amitai Etzioni, ``New Medical Privacy Rules Need 
        Editing,'' USA Today at 13A (February 22, 2001).
    Fact: There is no provision allowing patients to demand that 
doctors ``correct'' their records. An individual may request that a 
provider (or other covered entity) amend his or her records and append 
or otherwise provide a link to the location of the amendment. See 
Section 164.526(c)(1). Amending a medical record usually does not 
involve actually removing information, but adding an amendment with the 
accurate data. There are several grounds under which a provider may 
deny such a request to amend. See Section 164.526(d).
    Myth #9: The final regulation requires disclosures of protected 
health information to a variety of federal government departments and 
agencies.
        Source: ``What has not been widely reported are the rule's new 
        mandates requiring doctors, hospitals, and other health care 
        providers to share patients' personal medical records with the 
        federal government, sometimes without notice or advance 
        warning. (See, for example, Federal Register, Vol. 65, No. 250, 
        December 28, 2000, p. 82802, Sec. 160.310.) . . . Handing 
        sensitive medical records to federal departments and agencies 
        that are ill-equipped to protect that information is not a 
        solution; it is inviting abuse, errors, scandal, and tragedy.'' 
        Letter from Dick Armey, House Majority Leader, to Secretary 
        Thompson (dated March 5, 2001).
    Fact: The regulation requires covered entities to make only two 
types of disclosures: (1) disclosures to the individual who is the 
subject of the protected health information and (2) disclosures to HHS 
for the purpose of enforcing the regulation. See Section 164.502(a)(2). 
The regulatory section cited by Majority Leader Armey in his letter 
requires disclosures to HHS for compliance purposes. It restricts such 
disclosures to that information that is ``pertinent to ascertaining 
compliance with [the regulation].'' Without this provision, HHS would 
have no way of determining whether a covered entity had complied with 
the regulation, making enforcement of the law impossible. Moreover, HHS 
is limited in what it can do with health information obtained in this 
fashion. The regulation prohibits HHS from disclosing such information 
except where necessary to ascertain or enforce compliance with the 
regulation or as required by other law. See Section 160.310(c)(3). 
Under an executive order issued contemporaneously with the final 
regulation, HHS is also prohibited from using protected health 
information concerning an individual discovered during the course of 
health oversight activities for unrelated civil, administrative, or 
criminal investigations against the individual.
    The regulation does not require disclosures to any other person or 
entity, including to other federal agencies or departments. The 
regulation permits disclosures to government agencies only where the 
agency requesting or receiving the information has authority to request 
or receive the information through some other law. See, e.g., Section 
164.512(d)(1) (disclosures for health oversight activities ``authorized 
by law'').

           COST CONCERNS SUPPORT THE APRIL 14 EFFECTIVE DATE

    Industry opponents cite the cost of complying with the regulation 
as a reason to delay or weaken it.\1\ We believe the costs of 
not implementing this rule on schedule far outweigh the costs of 
implementing it. If we, as a society, do not put federal privacy 
protections in place, millions more people will engage in privacy-
protective behaviors--to the detriment of their own health and the 
integrity of research--and confidence in our health care system will 
continue to erode.
---------------------------------------------------------------------------
    \1\ ``An AHA-commissioned study, looking at hospital costs alone, 
found that the cost of only three key provisions of the proposed rule . 
. . could be as much as $22.5 billion over five years.'' Testimony of 
the American Hospital Association before the Senate Committee on 
Health, Education, Labor, and Pensions at 6 (February 8, 2001).
---------------------------------------------------------------------------
    HHS estimates that the cost associated with implementing the 
privacy regulation (approximately $17 billion over ten years) will be 
greatly offset by the cost savings associated with implementing HIPAA's 
transactions standards (approximately $29 billion saved over ten 
years). If implemented together, as contemplated by Congress, consumers 
will benefit, health care organizations will benefit, and the health of 
our communities will benefit. Delay would actually be more costly for 
industry because it would need to redesign and retool systems a second 
time if privacy protections are not put in place along with the 
transactions standards.
    Rather than spending resources on fighting this regulation, we urge 
the industry to work toward implementation. Some industry organizations 
already have urged Secretary Thompson to implement the regulation 
without further delay.\2\ We are aware of at least one 
national health plan that already is beginning the process of moving 
forward with this regulation, and we applaud them for doing so. These 
groups understand that protecting privacy is good for business.
---------------------------------------------------------------------------
    \2\ See, e.g., letters to Secretary Thompson from The Coalition for 
Health Information Policy (comprised of American Health Information 
Management Association, American Medical Informatics Association, and 
Center for Healthcare Information Management) (dated February 7, 2001), 
and Association for Electronic Health Care Transactions (AFEHCT) 
(comprised of a variety of organizations, including Aetna US 
Healthcare, IBM, Medscape, and WebMD) (dated February 2, 2001).
---------------------------------------------------------------------------

                               CONCLUSION

    Americans should be proud of what Congress set in motion with HIPAA 
and with the thoughtful and deliberate way in which HHS carried out its 
congressional mandate. While we would have preferred that HHS make 
different policy judgments in several areas--most notably in the areas 
of law enforcement and marketing/fundraising--we do not believe these 
weaknesses in the final regulation warrant further delay in the 
effective date or a reopening of the regulation. Similarly, the policy 
differences that some in the industry have with HHS over some aspects 
of the final regulation do not warrant further delay or a reopening of 
the rule-making process. We do urge HHS to issue guidance on the 
regulation, and to rely on its legal authority to act where necessary 
on a case-by-case basis during the two-year implementation phase.
    To improve privacy protections for consumers, Congress can 
intervene and pass a law that requires consumer consent before medical 
information can be used for marketing and fundraising purposes. 
Congress can also enact a law that strengthens the limits on law 
enforcement access to medical records. And Congress can fill in the 
gaps left by HIPAA by directly regulating other entities that collect 
and use personal health information and by equipping people with the 
federal right to go to court if their privacy is violated under the 
law.
    We look forward to continued progress on health privacy. Our health 
care system has changed dramatically in the last few years, bringing 
with it both promise and perils. We have mapped the human genome, but 
people are afraid to get tested. The Internet can deliver cutting edge 
research and health care services, but people are unwilling to trust 
their most sensitive information in cyberspace. We will never fully 
reap the benefits of these astounding breakthroughs until privacy is 
woven into the fabric of our nation's health care system.

    Mr. Bilirakis. Mr. Heird.

   STATEMENT OF ROBERT HEIRD, SENIOR VICE PRESIDENT, ANTHEM 
                      BLUECROSS BLUESHIELD

    Mr. Heird. Thank you, Mr. Chairman, members of the 
committee. I am Bob Heird, vice president of Anthem BlueCross 
and BlueShield, headquartered in Indianapolis, Indiana. We are 
also the Blue Cross and Blue Shield plan in seven other States. 
I am testifying today on behalf of the Blue Cross and Blue Shield 
Association, and we appreciate this opportunity to share our 
views with you.
    Blue Cross and Blue Shield plans agree that a basic set of 
clear rules is necessary to assure consumers their health care 
information is strictly private. For us there is no question as 
to whether patient records should be kept private, but only as 
to how.
    Mr. Bilirakis. You are welcome to repeat that if you would 
like. I apologize for that.
    Mr. Heird. I was trying to outperform the buzzers.
    Our challenge is to review these rules through the eyes of 
our consumers. Our members demand and expect superior customer 
service. A key question for us is whether this rule meets those 
customer expectations, and we have concluded that they do 
not, and that is because the rule is operationally infeasible, 
extremely costly, and could threaten quality improvements 
throughout the health care system. And because of these 
concerns, the need for further analysis, we are pleased Health 
and Human Services has provided another comment period to allow 
time to identify and correct those serious problems in the 
final regulation that could, in fact, harm consumers.
    Today I would like to highlight four issues. First, our 
members want clear guidelines about where to direct questions 
and problems. Unfortunately, the final rule would layer new 
Federal rules on top of existing State laws and would only add 
more red tape and confusion for everyone. Consider, for 
example, an Anthem customer living in Lawrenceburg, Indiana, 
working in the Cincinnati/Northern Kentucky Airport, and 
visiting a doctor in Cincinnati, Ohio. Each of those stops are 
about 25 minutes apart. If there is a concern about privacy, 
who do they call? Do they call the regulators in the State 
where they live? Do they call the regulator in the State where 
they work where the contract was issued; where care was 
provided? All three? And what is HHS's role in viewing those 
issues? So is it really four entities that they need to contact 
to work those issues through?
    Second, our customers want timely quality care, the kind of 
care that America prides itself on. The minimum necessary rule 
would require all of us to establish new procedures, and 
reorganize and redesign our operations so we are only using and 
disclosing the minimum information necessary. This would 
undermine all of our efforts to assure that patients receive 
the right care at the right time at the right price. Simply 
put, providers need complete and timely access to patient 
information, and as pointed out in the recent report of the 
Institute of Medicine, access to complete information is 
necessary to prevent wrong care.
    Third, we are concerned that the business associate 
provisions are unworkable, requiring business associates to 
establish procedures and notices consistent with the myriad of 
covered entities with whom they contract, and that would create 
an exponential number of different standards for business 
associates.
    And fourth, our customers want practical rules that 
facilitate their interaction with their doctors and hospitals 
and health plans. We are concerned that the required consent 
provisions applied to providers will generate negative 
downstream effects on our customers as you have heard this 
morning. We are concerned about these real-life implications.
    I want to spend a moment talking about cost. I want to be 
clear, for us the question is not whether privacy will increase 
costs, because it will. The issue is whether the regulation 
costs more than what it needs to, and we think it does. In 
addition, the high costs and other problems included in the 
privacy regulations are exacerbated by the HIPAA transaction 
and code sets that were released last August. These 
transactions regulate doctors and hospitals and health plans to 
reorganize their operations and codes and reengineer their 
systems in yet another way in less than 2 years. They are 
massively more complex and costly than Y2K, and many providers 
are unaware at this point of what they need to accomplish.
    Anthem and the Blue Cross and Blue Shield Association 
support administrative simplification; however, we believe a 
24-month implementation period is inadequate and should be 
extended. We believe that because we think the standardization 
of medical codes and the elimination of local codes is complex 
and very time-intensive. This requires not only major system 
upgrades, but is extremely resource-intensive. And these codes 
are intertwined through every aspect and every function of 
providers as well as health plans.
    Second, the staggered release dates of the various rules 
will make it difficult and costly to reengineer all the 
systems. In other words, we are effectively building the house 
before the blueprints have been signed off. Anthem and the Blue 
Cross and Blue Shield Association are advocating that the 
implementation time period for all the rules and administrative 
simplification be released in one final form. In other words, we 
need those blueprints. This will allow health plans and 
providers adequate time to implement and test the new systems, 
spread costs and allow for proper provider education. Thank 
you.
    [The prepared statement of Robert Heird follows:]

PREPARED STATEMENT OF ROBERT HEIRD, SENIOR VICE PRESIDENT, ANTHEM BLUE 
     CROSS AND BLUE SHIELD ON BEHALF OF BLUE CROSS AND BLUE SHIELD 
                              ASSOCIATION

    Mr. Chairman and Members of the House Energy and Commerce 
Subcommittee on Health, I am Robert Heird, Senior Vice President for 
Anthem Blue Cross and Blue Shield, testifying on behalf of the Blue 
Cross and Blue Shield Association (BCBSA). BCBSA represents 46 
independent Blue Cross and Blue Shield Plans throughout the nation that 
provide health coverage to 79 million--or one in four--Americans. As 
part of the Blue Cross and Blue Shield system, Anthem Blue Cross and 
Blue Shield provides coverage to more than seven million members in 
eight states including: Connecticut, Maine, New Hampshire, Colorado, 
Indiana, Kentucky, Nevada, and Ohio.
    We appreciate the invitation to testify today on the final privacy 
regulations issued by the Department of Health and Human Services (HHS) 
on December 28, 2000. This testimony provides us the opportunity to 
view these regulations through the eyes of our customers--and to 
identify and discuss those issues that will have the most significant 
impact on them.
    BCBSA believes that safeguarding the privacy of medical records is 
of paramount importance. We support a basic set of clear federal rules 
for the health care industry that assures all consumers their health 
information is kept strictly confidential. At the same time, we know 
that our members demand and value superior customer service. Any set of 
rules needs not only to allow for timely delivery and payment of health 
care services, but also minimize hassles and costs.
    During the comment period following promulgation of the proposed 
rule, BCBSA submitted over 50 pages of detailed comments and 
recommendations. It is clear from the final regulation that HHS took 
into consideration many of our comments and sought a balance in the 
final rule.
    However, despite their efforts, the regulation still needs 
significant revision. Without substantial changes, the regulation is 
likely to slow the delivery and payment of care to consumers and the 
providers who take care of them.
    There are significant new provisions in the final rule--some of 
these represent improvements, but many other areas require more thought 
and opportunity for comments.
    Because of our existing concerns and the need for further analysis, 
we are pleased that the Department of Health and Human Services has 
provided another comment period to allow additional time to identify 
the many serious problems in the final regulation that would harm 
consumers. We are committed to helping HHS identify those problems and 
construct and implement a regulation that maximizes consumer 
protections, while preserving the ability of the health care system to 
provide efficient, quality services to consumers. We urge HHS to 
correct the serious problems in the regulation before asking the health 
care community to begin implementation.
    In today's testimony, I will discuss two aspects of the Health 
Insurance Portability and Accountability Act (HIPAA). First I will 
focus on the final privacy regulation issued late last year. Second, I 
will discuss the closely related HIPAA Administrative Simplification 
Transactions and Code Set regulation issued last August. And finally, I 
will discuss the costs and savings associated with these regulations:

I. Privacy Regulation
    A. Background on Privacy
    B. Key Concerns with the Regulation
    C. Positive Aspects of the Regulation
    D. Recommendations on Privacy
II. Administrative Simplification and the Transactions and Code Sets 
        Regulation
III. Cost of the Regulations

                         I. PRIVACY REGULATION

A. Background
    The Health Insurance Portability and Accountability Act (HIPAA) 
provided HHS the authority to promulgate privacy standards for health 
information if Congress did not pass legislation by August 1999. The 
statute was very narrow and directed HHS to issue privacy rules to 
assure that information transmitted as part of the new HIPAA 
standardized electronic transactions would be kept confidential.
    The final regulation would require covered entities (i.e., health 
plans, providers, and clearinghouses) to:

 Obtain new authorizations from consumers before using or 
        disclosing information, except for purposes of treatment, 
        payment, health care operations and other limited circumstances 
        (providers would be required to obtain consent even for 
        treatment, payment, and health care operations);
 Allow individuals to inspect, copy and amend much of their 
        medical information;
 Track all disclosures made other than for treatment, payment 
        and health care operations;
 Recontract with all business associates to require them to use 
        and disclose information according to the new privacy rules;
 Institute procedures to assure that only the ``minimum 
        necessary'' information is used or disclosed for a given 
        purpose;
 Designate a privacy official and train staff;
 Follow specific rules before using protected health 
        information for research; and
 Develop a host of new policies, procedures and notices.
    In understanding the full scope and implications of the regulation, 
it is important to be aware of the following:

 The Regulation is Not Limited to Electronic Records: The 
        privacy standards under HIPAA were intended to apply to 
        electronic transactions that are developed and maintained under 
        the law's Administrative Simplification provisions. While the 
        proposed rule's application to paper records was arguably 
        ambiguous, the final rule clearly applies not only to 
        electronic records, but also to any individually identifiable 
        information ``transmitted or maintained in any other form or 
        medium.''
 The Regulation Affects Internal Uses of Information as Well as 
        Disclosures: A common misconception regarding the regulation is 
        that it regulates only the disclosure of information to a third 
        party. In fact, the regulation has enormous implications for 
        the use of information internally within an organization. This 
        means that organizations will be required to comply with rules 
        for internal treatment purposes, claims processing, utilization 
        review and other routine health care purposes even though the 
        information never leaves the organization's possession.
 The Regulation Affects a Broad Array of Organizations and 
        Information: The definition of ``covered entity'' is broad in 
        scope--including not only doctors, hospitals and health 
        insurers, but also employer health plans (insured and self-
        funded, except for self-administered plans with fewer than 50 
        participants), laboratories, pharmacists and many others. All 
        organizations that service health care organizations that are 
        not included specifically as a ``covered entity'' are 
        indirectly subjected to the privacy rule through a provision 
        that requires covered entities to contract with their 
        ``business associates.'' For instance, lawyers, auditors, 
        consultants, computer support personnel, accountants and other 
        non-health oriented organizations would fall into this 
        category.
      In addition, the definition of ``protected health information'' 
        (PHI) is much broader than what most individuals consider their 
        health information. The definition goes beyond an individual's 
        medical records to include insurance records, oral information, 
        and demographic data.

B. Key Concerns with the Privacy Regulation
    Our overall concern with the final privacy regulation is that its 
intricate complexity will require a major reorganization of every 
doctor's office, hospital, pharmacy, laboratory, research facility, and 
health plan--as well as other organizations. We expect the final rule 
will lead to extremely costly infrastructure and procedural changes in 
each and every entity. For example, new sound-proof walls and offices 
may need to be built in health care facilities, new computer systems 
may need to be installed, and more lawyers and training personnel may 
need to be hired.
    Although BCBSA has a number of concerns with the final rule, we 
have highlighted the four most problematic regulatory provisions in 
this testimony:
1. Dual Federal and State Regulation
    The privacy regulation layers a new comprehensive set of federal 
rules on top of an already existing complex patchwork of state privacy 
laws. The regulation follows the HIPAA regulatory construct in that 
state laws are preempted only if they are contrary to the regulation 
and are less stringent. In addition, the regulation specifically 
``saves'' certain state statutes from preemption, such as those 
relating to health surveillance.
    We know our customers want a clear understanding of their privacy 
rights. However, we are concerned that the intersection between state 
and federal privacy laws under the complex construct of the HIPAA 
regulatory model will create more red tape and frustration for health 
care providers and consumers. It will be unclear whom to call for 
resolution on specific rules--HHS or the states--and this lack of 
clarity will lead to more telephone calls, more steps, and more hassles 
for everyone.
    Doctors, health plans and other covered entities must determine, on 
a provision by provision basis, which parts of state law would be 
retained and which would be replaced by federal law. This is further 
complicated by the necessity for rapid transfer of information in 
today's health care industry because of the mobility of patients. For 
instance, an individual may live in the District of Columbia, work in 
Virginia, and visit a physician located in Maryland. Covered entities 
dealing with this individual will have to evaluate the interplay of 
three state statutes with the federal law. In addition, covered 
entities also must factor in the interplay of other federal laws 
relating to privacy. Even if each covered entity engaged an attorney to 
prepare a preemption analysis, different attorneys are likely to 
prepare conflicting interpretations--possibly leading to costly 
litigation with the states, the federal government and consumers.
    This regulatory construct will be problematic for our customers. 
Instead of facilitating a member's ability to know his or her privacy 
rights, this complex preemption process is sure to confound that 
individual. First, individuals will be hard pressed to determine which 
aspects of the state and federal privacy laws apply to them, so it will 
be extremely challenging for them to determine if in fact, they have 
been wronged. In addition, consumers will not know where to direct 
complaints if they do feel that their rights are violated--Maryland? 
Virginia? The District of Columbia? The Secretary of Health and Human 
Services? It is likely that consumers will be bounced from one 
jurisdiction to the next until the consumer locates the one which has 
the law that has been violated--or the consumer becomes frustrated and 
gives up.
    Our preference--and the clearest path for everyone in the system--
would be for federal privacy law to preempt state law. Having a clear 
federal law would provide consumers and doctors with a clear path when 
answers are needed. However, we recognize that a complete preemption of 
state law is outside the statutory authority of HHS. Therefore, in our 
comments on the proposed rule, we recommended that HHS prepare a 
detailed privacy guide for each state explaining how existing state 
laws intersect with the new federal rules. We asked that the guide also 
address whether a privacy provision is triggered by a consumer's 
residence, location of provider or other criteria and that HHS prepare 
the guide in collaboration with state government officials. We also 
asked HHS to assure the guide incorporates other federal privacy laws, 
such as the Federal Privacy Act and Gramm-Leach-Bliley Act. As part of 
this process, we recommended that each individual state should certify 
agreement with HHS' analysis so everyone has a clear understanding of 
the rules.
    We believe this legal guidebook needs to be prepared well in 
advance of implementing the final regulations. Doctors, health plans, 
and other covered entities will need this completed analysis before 
computer systems can be redesigned, forms and notices are changed, 
consumer brochures are modified and updated, and other procedures can 
be brought into compliance. Bringing plan and provider operations into 
compliance with these complex new regulations will consume a 
significant share of health care dollars. It is critical that these 
affected entities only have to modify systems and other items once.
    Unfortunately, HHS failed to provide for this legal guide in the 
final regulation. In the preamble to the final regulation, HHS said 
that ``many commenters'' requested a similar state by state analysis. 
However, HHS declined to perform the analysis for the same reason they 
decided against a formal advisory opinion process: First of all, they 
indicated that ``such an opinion would be advisory only . . . it would 
not bind the courts.'' In other words, they felt that even with HHS 
guidance, there was no guarantee regarding final decisions or outcomes.
    Second, HHS indicated that workload issues drove their decision 
against formal preemption guidance. The preamble says that ``the 
thousands of questions raised in the public comment about the 
interpretation, implications and consequences of all of the proposed 
regulatory provisions have led us to conclude that significant advice 
and technical assistance about all of the regulatory requirements will 
have to be provided on an ongoing basis . . . but we will be better 
able to prioritize our workload . . . if we do not provide for a formal 
advisory opinion process on preemption as proposed.''
    We urge HHS to reconsider this decision and issue a state-by-state 
analysis prior to implementation of the final rule.

2. Minimum Necessary Standard
    The regulation instructs doctors, health plans, and other covered 
entities to use or disclose only the minimum information necessary to 
accomplish a given purpose and discourages the exchange of the entire 
medical record. At first blush, this standard seems to be a perfectly 
reasonable, common sense provision.
    However, we are concerned about how we can best operationalize this 
concept without creating significant unintended consequences. It is 
important to recognize that this standard applies to the use of 
information as well as disclosure, and that the definition of 
disclosure includes broad terms such as ``provision of access to.''
    This standard may require a massive reorganization of workflow as 
well as possible redesign of physical office space, and could 
jeopardize the quality and timeliness of patient care, benefit 
determinations and other critical elements of the health care system.
    Many news accounts have inaccurately portrayed this provision as 
including an exemption for treatment purposes. HHS includes a very 
narrow exemption in the final rule--for ``disclosures to or requests by 
a health care provider for treatment.'' This exemption does not cover 
``use'' of the information, nor does it cover ``disclosures by'' 
providers. As a result, the minimum necessary rules may still place 
artificial limits on the ability of doctors to use and disclose health 
information for critical treatment situations--threatening the overall 
quality of care.
    A few examples of other potential problems with the minimum 
necessary rule include:

 As part of the description regarding the minimum necessary 
        standard, the regulation includes a strong discouragement 
        regarding the release of entire medical records of patients. 
        The complete exchange of medical information is absolutely 
        critical to assuring a patient receives the right treatment at 
        the right time. The recent Institute of Medicine report, ``To 
        Err is Human,'' highlighted the medical mistakes that are 
        common in our health care system today. The IOM report states 
        that errors are more likely to occur when providers do not have 
        timely access to complete patient information. Discouraging the 
        sharing of complete medical records would make it more 
        difficult to guard against these medical errors. One covered 
        entity may determine that a subscriber's prescription is not 
        relevant to be released. Further down the line, that lack of 
        information may impede clinicians' decisionmaking. It is 
        critical to use complete medical records for a variety of 
        important quality assurance functions, such as accreditation 
        and outcomes measurement.
 It is well documented that fraud and abuse is a costly element 
        of our health care system. The Medicare program as well as 
        private health plans have made combating fraud and abuse a 
        priority. However, the minimum necessary standard is likely to 
        impede fraud detection, because fraud and abuse units may be 
        accused of using more than the minimum information necessary. 
        Any impediment to fraud detection would increase the cost to 
        consumers. For instance, the sign-in sheets used in doctors' 
        offices are also used to verify that doctors are seeing the 
        volume of patients they report for payment purposes. It does 
        not appear that the privacy regulation would allow for these 
        sign-in sheets to continue to be used.
 Health plans and providers actually may be forced to redesign 
        their facilities to comply with the minimum necessary standard. 
        For instance, when visiting friends in maternity wards, there 
        generally is a white board describing all of the patients and 
        their medical needs. Any visitor may view the information on 
        the board--a likely violation of HIPAA. Another example of 
        potential renovation is an orthopedist's office, where the x-
        ray lightboard is centrally located outside of the patients' 
        rooms for easy access by the physician. Anyone in the office 
        could view these x-rays containing patient social security 
        numbers or names. Would the regulation require these providers 
        to renovate their facilities to comply with the regulation?
    These are a few examples of the types of activities that could run 
afoul of the privacy regulation. If implemented, this could impose 
incredible costs on consumers--not just in dollars and cents--but in 
lives as well.

3. Business Associates
    The business associate provisions of the regulation require that 
doctors, health plans and other covered entities use prescribed 
contract terms with all of their ``business associates'' to assure 
these associates follow the HHS privacy rules. Doctors, health plans 
and other covered entities could be subject to civil monetary penalties 
if they ``knew'' of privacy violations by their business associates.
    The contractual specifications included in the regulation compound 
the problems in the business associate framework. The rule requires 
business associates to use and disclose protected health information in 
accordance with the notice and policies and procedures established by 
the covered entity with whom they contract. Many business associates 
will contract with multiple covered entities--each of whom has its 
own set of notices and their own uses of health information. This will 
create an exponential number of differing standards for business 
associates.
    The confusion is exacerbated because some organizations--like 
health insurers--are covered entities in some areas (e.g. a healthcare 
coverage provider) and business associates at other times (e.g. third 
party administrator). Keeping track of what kind of relationship and 
what contractual rules to follow with which organization will be very 
difficult, confusing and time-consuming.
    For example, Anthem Blue Cross and Blue Shield has many different 
relationships with other organizations. Anthem plays the role of 
licensed insurer and third party administrator (TPA) for medical and 
dental plans. Anthem is a pharmacy benefits manager (PBM) as well. In 
some cases, Anthem would be considered a covered entity; in other cases 
we would be considered a business partner. In fact, in some cases, like 
when we perform coordination of benefits (COB) with other insurers, 
both Anthem and the other insurer would be acting as covered entities, 
not as business associates of each other. We would not only have to 
follow rules as a covered entity but a host of other organizations' 
rules and procedures as their business associate.
    The timeframe for re-negotiation of contracts with business 
associates is also a significant problem. Health plans and other 
covered entities will have two years to update contracts in conformance 
with the privacy rule. Considering the multitude of relationships that 
we have with other organizations, we are concerned that two years is 
insufficient time to inventory all business associate relationships and 
re-negotiate contracts. Moreover, if a contract lacks a unilateral 
agreement clause that allows the health plan to change the contract 
only with respect to the privacy rule's requirements, the entire 
contract could be opened up for re-negotiation--a time-consuming 
process possibly involving discussions over new payment rates and other 
contract clauses.
    And finally, we believe the business associate provisions are 
outside of the statutory authority of the Department of Health and 
Human Services. HIPAA clearly delineates the covered entities subject 
to HHS oversight: health plans, clearinghouses, and providers 
conducting standard transactions. By attempting to indirectly regulate 
other organizations, we believe HHS acted beyond its regulatory 
authority.

4. Consent and Individual Restrictions
    The final regulation requires health care providers to obtain 
consent before using or disclosing protected health information for 
treatment, payment or health care operations. In addition, it allows 
individuals to ask the provider to restrict the use or disclosure of 
certain health information.
    We remain concerned that a requirement to obtain consent for 
treatment, payment and health care operations could unintentionally 
delay and impede routine operations that are essential to providing 
quality care and timely payment.
    The regulation's transition rules allow providers to use and 
disclose information collected prior to the compliance date based on a 
patient's prior consent. However, if a provider has not obtained a new 
consent by the compliance date for treatment, payment or health care 
operations, he/she would be unable to use or disclose information 
collected after April 14, 2003 for that patient. The regulations 
anticipate that providers would simply obtain consents when patients 
arrived for treatment. The rule also states that consent forms obtained 
before the compliance date may meet the rule's requirements--however 
many providers may not have consents on record, and if they do they may 
not be for treatment, payment and health care operations--but only for 
one of these imperative functions.
    Imagine that a mother is calling her pediatrician on the phone for 
advice on her sick baby. Her last actual visit was well before the 
compliance date and there is no consent on record. Does that mean the 
pediatrician cannot look at the child's medical record while on the 
phone? What about an individual calling on behalf of an elderly 
relative for clarification about a particular medication but with no 
consent for that individual to access information? Or requesting 
additional payment information where the historical consent on file was 
only for treatment?
    If a provider obtains a new consent but it does not list 
``payment'' or ``health care operations'', there may be downstream 
impediments for some routine operations because providers could only 
disclose information for treatment purposes. For instance, claims may 
not be able to be paid, case management programs could suffer, and 
special pharmacy programs and other programs that benefit consumers 
also could be impaired because disclosures for these purposes depend on 
consent forms including treatment and health care operations.

C. Positive Aspects of the Privacy Regulation
    Clearly, we believe there are significant issues in the final 
privacy regulation. However, HHS did address many comments in the final 
regulation in their effort to balance operational impacts with the 
overall goal of privacy.
    A few of the most positive elements in the final regulation 
include:

 ``Statutory'' Consent for Treatment, Payment and Health Care 
        Operations for Health Plans: The regulation does not require a 
        new consent for treatment, payment, and health care operations 
        for health plans. We believe a ``statutory'' consent, meaning 
        that covered entities may use or disclose protected health 
        information without consent as a matter of law, is imperative.
      Requiring health plans to obtain a new consent from current 
        members would require numerous mailings and phone calls from 
        health plans--a process akin to a ``late bill'' collections 
        process--in order to obtain the new consents. In the interim, 
        members and providers would experience delays in payment and 
        other services.
 Improved Definition of Health Care Operations: The final 
        regulation includes a modified definition of what constitutes 
        ``health care operations'' that reflects many of the comments 
        received by HHS. The definition is critical since items 
        encompassed within it are exempt from new authorizations and 
        tracking of disclosure requirements that would create obstacles 
        to conducting essential health plan activities.
      We are pleased that HHS has incorporated many important and 
        routine health plan activities into the final rule's 
        definition. For example, we believe the definition may now 
        allow health plans to continue many of their beneficial disease 
        management and other quality improvement programs. The new 
        ``business management and general administrative activities'' 
        category will facilitate routine plan operations such as 
        security activities, data processing and general maintenance. 
        The ``business planning and development'' category will help 
        plans to continue to develop more cost-efficient services and 
        products.
 No Third Party Liability in Business Partner Contracts: The 
        final rule deletes the requirement that makes individuals third 
        party beneficiaries of business associate contracts. We support 
        deletion of this clause since HHS did not have the authority to 
        create a new private right of action. The third party liability 
        clause was not only beyond the scope of HHS' authority, but it 
        would have left health plans and other covered entities exposed 
        to substantial liability for breaches of privacy by business 
        associates.

D. Recommendations on the Privacy Regulation
    While we continue to analyze this complicated rule, our specific 
recommendations to date are:
    (1) Provide a Detailed Analysis on Preemption of State Law (A Road 
Map for Consumers): While we recommend a full preemption of state law 
in the privacy area, we understand that it is outside of the statutory 
authority for HHS. In the absence of full preemption, we recommend HHS, 
working with the states, prepare a detailed analysis of state and 
federal law to provide a clear guide on all provisions affecting the 
health care industry.
    It is critical that this guidance is available at least two years 
prior to the compliance date of the regulation. Bringing operations 
into compliance with these complex new regulations will be expensive, 
so it is critical that doctors, health plans, and other covered 
entities only have to modify systems and other items once.
    (2) Change the Minimum Necessary from Legal Standard to Guiding 
Principle: While we believe the minimum necessary standard is a 
laudable goal, we are concerned that it would be extremely difficult 
and expensive to implement this standard operationally and comply with 
it as a legal standard. Therefore, we recommend that HHS ask 
organizations to include the minimum necessary standard concept only as 
a guiding principle, not as a legal standard.
    (3) Remove Business Associate Provisions. The business associate 
provisions should be removed from the regulation because they are:

 Outside of the Secretary's statutory authority;
 Confusing and create unnecessarily expensive relationships 
        between doctors, health plans, and other covered entities; and
 Unnecessary since the vast majority of protected health 
        information is maintained by organizations that are covered by 
        the regulation.
    At a minimum, we feel the business associate provisions should be 
changed as follows:

 Covered entities should not be considered business associates 
        of each other; and
 Covered entities should be given at least three years to re-
        negotiate contracts and come into compliance with the business 
        associate provisions.
    (4) Provide a Statutory Consent for Health Care Providers: In the 
proposed rule, HHS recognized some of the operational problems of 
requiring authorization forms for treatment, payment and health care 
operations. We agreed with HHS' views, but recommended that covered 
entities be given the flexibility of requesting authorizations for 
treatment, payment and health care operations. The proposed rule would 
have actually prohibited it, unless required by State or other law.
    We are pleased that the final rule retains a statutory consent for 
treatment, payment and health care operations for health plans, with 
the flexibility to request a consent if desired. However, we have 
concerns that the final rule requires health care providers to get 
consent for these essential functions. We feel that required consent 
may lead not only to operational issues, but could also affect 
treatment activities and quality of care.
    (5) Include Additional Funding for Medicare Contractors and other 
Government Programs. We also urge congressional appropriators to factor 
the additional cost of privacy compliance into budget development 
regarding the Medicare fee-for-service contractors, Medicare+Choice 
plans, the Federal Employees Health Benefit Program, and other federal 
programs.

 II. ADMINISTRATIVE SIMPLIFICATION AND THE TRANSACTIONS AND CODE SETS 
                               REGULATION

    HHS' authority to promulgate privacy regulations specifically stems 
from Subtitle F of HIPAA--Administrative Simplification. Subtitle F was 
intended to facilitate the development of electronic data interchange 
(EDI) in the health care industry. In addition to the privacy 
regulations, this Subtitle directs HHS to establish national code sets, 
electronic standards for certain routine transactions, security rules, 
and standard identifiers for providers, health plans, employers and 
individuals.
    In August 2000, HHS finalized the first of a series of regulations 
implementing the administrative simplification provisions of HIPAA. 
This first final rule standardizes electronic transactions used by 
health plans and providers for several routine functions (e.g., claims 
submission, eligibility inquiries, remittance), and codes for services 
and procedures used by hospitals, physicians, drug stores, and other 
providers. The rule generally requires compliance by October 2002.
    Although Blue Cross and Blue Shield Plans and many others in the 
health care community have been working diligently to implement the 
transactions and code sets final rule, we have uncovered significant 
obstacles that make it unlikely that the health care community can 
complete implementation by 2002 without significant disruption and 
assumption of unnecessary costs. We urge HHS and the Congress to 
recognize the significant implementation problems that exist and to 
extend the implementation timeframe. Other organizations, such as the 
National Governors' Association and the American Medical Association 
also are calling for an extension.
    We believe the current compressed implementation timeframe is 
inadequate and will lead to significant cost issues which we discuss in 
the next section of testimony. In addition, the current time frame will 
prevent resolution of numerous unintended consequences and the fact 
that there is limited availability of technology resources.
Unintended Consequences
    The scope and complexity of the changes required by HIPAA will be 
difficult to implement during a two-year time frame, let alone test 
thoroughly. The two-year implementation timeframe simply does not allow 
time to test the massive system changes that are required. Without 
proper advance testing, system glitches will result in incorrect 
payments, complete payment breakdowns and other service problems that 
would hurt both consumers and doctors. The system breakdowns could also 
impede the answering of basic customer service questions, responding to 
provider eligibility inquiries, and other critical functions.
    Even more importantly, with less than 19 months of implementation 
timeframe remaining, numerous key issues remain unresolved. For 
example:

 There are several new mandatory code sets that the industry 
        has little or no experience using--such as the NDC drug codes. 
        The implications of changing from J codes to NDC drug codes 
        have not fully been realized or resolved to date--for instance, 
        how will these changes affect payment policies?
 Standardized national code sets preclude the use of local 
        codes for commercial use and this may have unidentified 
        repercussions. The use of locally developed non-standard codes 
        is particularly prevalent for home health services, long term 
        care services and certain mental health services. Not only do 
        the national code sets have to adopt new codes for these 
        areas--a traditionally time-intensive process--but the new 
        codes must be adopted and distributed in time for covered 
        entities to make extensive system changes, train their 
        personnel and evaluate any impact the new codes will have on 
        payment, different state and federal laws, and other issues. To 
        maximize efficiency and minimize costs--these codes should be 
        available at a date prior to when providers and health plans 
        begin their major system upgrades to implement the HIPAA 
        standard transactions. At this point, it is questionable as to 
        whether these codes will even be ready by the compliance date.
      In addition, today local codes are used to reimburse for new 
        technologies, to respond to state legislative mandates and to 
        comply with employer benefit administration requirements. It 
        remains to be seen how these new codes will be developed and 
        distributed in a timely basis after October 2002. A system to 
        address new code adoption on an accelerated basis should be 
        established--and tested for operationability--prior to HIPAA 
        implementation.
• A preliminary comparison of the new claims transaction and 
        paper claim formats has identified 60 differing data elements 
        to date. These data elements are included in the electronic 
        standard but are elements that providers do not currently have 
        to collect, store, or transmit as part of the current process. 
        In the future, all providers will need to be able to gather and 
        input these new data elements. This will change the way all 
        providers operate--including those that are paper-based only. 
        The implications of these data changes need to be understood 
        and communicated to covered entities before a successful HIPAA 
        implementation can occur.

Limited Availability of Technology Resources
    Hospitals, doctors, and health plans will be simultaneously 
revamping their systems to meet HIPAA compliance standards between now 
and October of 2002. This will generate an extraordinarily high demand 
for programmers, consultants, and other technical experts. Given the 
tight job market and shortage of technology professionals, it is 
unlikely that the technology community could meet this demand within 
the current implementation timeframe.
    Additionally, vendor readiness and availability will directly 
impact the ability of hospitals, doctors, and payers to even begin to 
assess HIPAA needs. According to a recent Gartner Group Survey, 74 
percent of healthcare organizations--payers and providers--expect to 
require assistance from consulting firms or systems integration firms 
to complete HIPAA assessment projects. Despite this great demand, only 
15 percent of those surveyed had begun to assess HIPAA needs.
    Finally, many providers and payers are dependent on vendor software 
to become compliant. Yet several major vendors have indicated that they 
will not have compliant applications available until the end of the 
first quarter of 2002. This further reduces the time the industry will 
have to implement and properly test systems. In addition, with less 
than 19 months left for implementation, Tillinghast-Towers-Perrin 
indicates that they are not aware of any provider clearinghouse or 
billing agency that is fully HIPAA compliant at this time.

 III. THE COST OF THE PRIVACY AND TRANSACTION AND CODE SET REGULATIONS

    As we discussed previously, BCBSA supports a basic set of privacy 
rules for the health care industry that assures consumers that their 
health information is kept private. We recognize that assuring consumer 
privacy involves additional resources. For us, the question is not 
whether privacy will generate costs, but whether the costs are more 
than they need to be. We believe a new final rule could be structured 
in a way to provide our customers with a better value.
    HHS estimated the proposed privacy regulation to cost $3.8 billion 
over five years. HHS updated its cost estimate in the final rule to be 
almost $18 billion over ten years--more than double its estimate for 
the proposed rule. However, we believe HHS' cost estimates continue to 
be understated.
    In response to the original proposed regulation, BCBSA commissioned 
Robert E. Nolan Management Consulting Company to provide an independent 
estimate of several key provisions of the proposed regulation. Nolan 
estimated more than $40 billion over five years in added costs for 
health plans, providers and other members of the health care community. 
A new, soon to be released, analysis by Nolan indicates most of these 
costs remain applicable to the final privacy regulation and that HHS 
continues to dramatically underestimate the potential costs of the 
privacy standards.
    For instance, HHS assumes that the privacy officer function will be 
assigned to a current employee and only will add 15 minutes of time per 
week for non-hospital providers on an ongoing basis, and only 1.5 hours 
for hospitals and health plans per week on an ongoing basis. Nolan 
believes that the breadth and weight of responsibilities of a privacy 
officer will consume significantly more time and many organizations 
will assign a full-time officer. This is just one example of a privacy 
standard for which we believe the HHS estimates are low.
    The final privacy regulation assumes that the privacy costs will be 
fully offset by savings from the implementation of the administrative 
simplification standards. We believe that the cost of administrative 
simplification implementation has been underestimated by HHS as well, 
and that smaller and rural providers will find it especially 
challenging to absorb these very significant costs. For instance:

• Code Standardization Triggers Costly Process: One of the most 
        significant changes required by the transactions and code set 
        August rule is the standardization of all codes. Providers will 
        now have to use the exact same codes for every procedure, 
        instead of a host of locally grown codes. This requires not 
        only major systems upgrades, but is extremely resource 
        intensive because codes are interwoven throughout every 
        function a provider performs (e.g., treatment, quality 
        assurance, fraud detection).
      Because of the August 2000 release date of this rule, many 
        hospitals were unable to include these costs in their 2001 
        budget cycle and have not allocated funds. Smaller providers 
        and rural providers will find it especially challenging to meet 
        these cost requirements.
• Staggered Rule Release Increases Costs: It is important to 
        recognize that the transaction and code sets rule is one of 
        several rules composing HIPAA. The industry expected that it 
        could implement all the rules (i.e., security, privacy, 
        transaction/code sets, and identifiers) as part of one 
        comprehensive system upgrade. However, only privacy and the 
        transactions rule are in final form. The staggered nature of 
        the issuance of these rules will unnecessarily increase 
        compliance costs by requiring covered entities to continually 
        revisit system changes. Ultimately, these expenses will be 
        passed on to consumers and employers through the increased cost 
        of medical care.
• Current Timeframe Creates Unnecessarily High Costs: The 24-
        month timeframe (now fewer than 19 months) precludes covered 
        entities from making HIPAA changes as part of the normal 
        systems replacement, consolidation, and upgrade process. As a 
        result, many organizations will have to waste valuable 
        resources making older, existing systems compliant--even though 
        those systems already are slated for replacement. Additional 
        implementation time would allow the industry to spend resources 
        more efficiently by converting to a new HIPAA compliant system 
        from the outset--instead of upgrading and then eliminating old 
        systems.
• Timing Could Drive Providers Away from EDI: Many providers 
        will be unable to become HIPAA compliant within the 
        implementation timeframe remaining. Some of these providers 
        already submit claims electronically, but will revert to paper 
        claims once the HIPAA deadline is reached. This would run 
        counter to the goals of HIPAA, and would unnecessarily increase 
        costs as well. Rural providers and those with limited resources 
        will be the least likely to have the capacity to comply and 
        thus realize the benefits of standardized EDI.
    Because of our concerns regarding the cost impact of administrative 
simplification on providers, BCBSA asked Tillinghast-Towers-Perrin 
(TTP) to analyze the provider costs of the administrative 
simplification transactions and code sets rule released in August.
    The TTP study predicts implementation costs significantly higher 
than those estimated by HHS: it estimates that hospitals will incur 
costs between $775,000 and $6 million for the transactions and code 
sets alone. HHS had estimated costs of $100,000 to $250,000.
    The TTP report also indicates that physicians' offices with 3 or 
fewer physicians are expected to incur between $3,000 and $10,000 of 
costs, while offices with upwards of 50 physicians could incur costs 
between $75,000 and $250,000. HHS had estimated physician costs of 
$1,500 for three or fewer physicians and $4,000 for groups of three or 
more.
    In addition to estimating costs that were three to twenty-four 
times higher than HHS, TTP also reported that many hospitals may be 
underestimating the cost of migrating to standardized formats. A TTP 
survey of hospitals found that none of the survey respondents had 
completed comprehensive budgets to implement the electronic standards.
    In addition, only a few hospitals had completed even preliminary 
ROI analyses and those few analyses do not account for ongoing changes 
to standardized formats once they are implemented. For example, it is 
highly likely that the American National Standards Institute (ANSI) 
will recommend movement to the International Standard Format in the 
near future that the remainder of the business world already is 
adopting. Consequently, three years from now it is likely that the 
health care industry will be implementing the international standard, 
souring any ROI projections that have been adopted today.

C. Conclusion
    Once again, we appreciate the opportunity to testify before you on 
this critical issue.
    We would like to continue working with you, and the Department of 
Health and Human Services, on crafting privacy rules that meet our 
common goals of protecting consumers, improving quality, and minimizing 
costs. We also look forward to working with you to adopt a workable 
timeframe for the implementation of administrative simplification 
transactions and code sets.

    Mr. Bilirakis. All right. The bells again. There is a 
series of votes. It is more than one vote, so we are going to 
break long enough to give you an opportunity to grab a bite if 
you would like, and to give you some stability here in terms of 
a certain time. But I just wanted to give you something to 
think about during the break. I daresay there isn't a single 
one of you that does not want to do something from a privacy 
standpoint, and that something should be something substantial, 
that is real.
    As I understand it, the implementation would be effective 
April 14, this year. But the compliance would not really take 
effect until 2 years hence. Does that mean that the providers 
and the patients, do not have to do anything for 2 years, or 
does that mean that the rule is in effect, and they have to 
follow the regulations during that period of time, however, 
they can't be punished until the compliance period is met? Is 
that correct? It is something that we want to find out. I see 
Ms. Goldman shaking her head.
    I daresay probably at least half of you, if not all of you, 
know more about this than we do.
    I guess my point goes to the fact that we want privacy, and 
we want it as soon as we can have it. Every one of you has 
indicated that you want the regulations; however, you would 
like to see some changes made to those regulations. You feel 
that there are some weaknesses in certain areas that you have 
mentioned in your testimony, and that there are other areas.
    As I understand it, once the regulations go into effect, 
they can't be changed for 1 year, and any changes to those 
regulations, other than rate changes that directly affect 
compliance, or other areas that need to be cleared up, would 
have to go through the same process of comment period. So I 
think we are talking about quite a delay in any changes to 
these regulations if, in fact, they go into effect. Which they 
automatically would after the comment period is concerned.
    The point is that we want this done right. We want it to be 
done as soon as possible. But I am not sure that we are going 
to get it done right if we have the regulations go into effect 
immediately after the comment period, which is up at the end of 
this month. So we don't have much time.
    We have 6 minutes, so we are going to have to run. Just 
think about it, Ms. Goldman. If you have responses or answers 
to it, which I trust you do. Thanks. So we are going to break 
until 12:45.
    [Brief recess.]
    Mr. Bilirakis. The hearing will come to order. Again, the 
Chair apologizes to the witnesses and to the audience, but this 
is commonplace up here, unfortunately.
    I would, with unanimous consent, place into the record a 
letter dated March 13 from Helen Ellis Memorial Hospital, 
Tarpon Springs, Florida, to Secretary Thompson; and a letter 
dated March 16 from Eckerd Corporation to me.
    Without objection, those will be made a part of the record.
    [The letters referred to follow:]

                              Helen Ellis Memorial Hospital
                                                     March 13, 2001
Tommy Thompson, Secretary
U.S. Department of Health and Human Services
Attn: Privacy I, Room 801
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201

RE: Standards for Privacy of Individually Identifiable Health 
Information

    Dear Secretary Thompson: On behalf of Helen Ellis Memorial Hospital 
in Tarpon Springs, Florida, I am writing to comment on the Department 
of Health and Human Services' final rule implementing the medical 
privacy standards under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA).
    Helen Ellis, and all hospitals, are committed to protecting the 
privacy of their patients' information. We believe that patients have 
the right to every consideration of privacy, including the right to 
review and understand medical records. However, in their current form, 
the rules are so complex and prescriptive that they are both unworkable 
and excessively costly.
    Therefore, we strongly urge HHS to suspend the April 14, 2001 
effective date and to fix the rules and get them right. Hospitals 
should not be asked to begin implementing a rule that needs to be 
fixed.
    We have many concerns about the final rule. Here are the most 
pressing:

• Consent (Sec. 164.506)--Reform the rule and grant hospitals 
        sole discretion to determine whether and how to obtain consent 
        from patients for information used or disclosed for purposes of 
        payment, treatment and health care operations.
• Minimum Necessary (Sec. 164.514)--Reform the rule and 
        eliminate applicability of minimum necessary requirements--the 
        single most costly requirement under the rules to uses of 
        information for treatment, and substantially revise them for 
        other uses.
• Oral communications (Sec. 164.501)--Reform the rule and 
        eliminate its applicability to oral communications. HHS clearly 
        exceeded its statutory authority in extending the rule's 
        prohibitions to oral communications and, unless reformed, this 
        requirement could stifle doctor-patient communications.
• Business Associates (Sec. 164.502)--Reform the rule, including 
        eliminating restrictions that would prevent third parties from 
        sharing medical information among hospital organizations that 
        provided the information in the first place--for important 
        quality improvement and assurance purposes.
• Implementation Date (Sec. 164.534)--Reform the rule and delay 
        the implementation date to a workable, more realistic time 
        frame beyond the current two years.
    By suspending the rules and fixing them according to these 
recommendations, the result will be an improved, more effective privacy 
regulation.
    Thank you for considering this request.
            Sincerely,
                                   Joseph N. Kiefer, FACHE
                                                      President/CEO
cc: U.S. Congressman Michael Bilirakis
   U.S. Senator Bob Graham
   U.S. Senator Bill Nelson
                                 ______
                                 
                                         Eckerd Corporation
                                                     March 16, 2001
The Honorable Michael Bilirakis
U.S. House of Representatives
Washington, D.C. 20510
    Dear Representative Bilirakis: I am writing to request your help 
with revising certain portions of the recent federal regulations 
relating to medical records privacy. As currently written, these 
regulations would have an enormously negative impact on community 
pharmacy operations, threatening the convenience and quality of care 
that consumers have come to rely upon from their local pharmacists.
    While we support strong protections for patient medical records, 
certain parts of the rule are simply unworkable and impractical. 
Specifically, the final regulation requires a patient to provide a 
signed, written consent to the pharmacy before they can obtain 
prescriptions and other health care services.
    What this means is that a pharmacist could not recommend over-the-
counter products and treatment without written patient consent. A 
parent with a sick child could not pick up prescriptions phoned in by a 
physician until a written consent is provided. Prescription refills 
called in after the regulation's compliance date could not be filled 
and ready for pick up until a consent is on file at the pharmacy. 
Moreover, after the compliance date, a pharmacy could not even remind 
patients to refill their prescriptions for chronic use medications.
    Given that pharmacies expect to provide over 4 billion 
prescriptions in 2004 it is clear that these regulations would disrupt 
the lives of thousands of patients. The additional burdens, time, and 
cost imposed on patients and pharmacies by requiring this signed 
written consent far outweigh any additional privacy protections that 
would result from this approach.
    Therefore, I am asking you to write Health and Human Services 
Secretary Tommy Thompson to urge him to remove the requirement that 
pharmacies obtain prior written consent from patients before they may 
use patient information for treatment, payment or health care 
operations. Please write Secretary Thompson with this request by March 
30, 2001, the deadline for public comments on these regulations.
    Please respond as soon as possible, so I may inform my colleagues 
of your actions on behalf of the community pharmacy industry. Thank you 
for your assistance.
            Sincerely,
                                   Jimmy Jackson, R.Ph.    
                              Vice President Pharmacy Relations    
                                                 Eckerd Corporation

    Mr. Bilirakis. I have many questions for Mr. Ortiz, Dr. 
Clough, and Ms. Goldman; and we can go on and on regarding 
specifics, the effect on the neighborhood pharmacists for 
instance, on the current regulation and things of that nature. 
I also have a question for Dr. Appelbaum. I expect that we will 
have more members coming in as we talk here, and other 
questions will probably be raised. We will also ask that you 
respond to us in writing to questions that we will send to you 
in writing after the hearing.
    But what I asked is kind of the bottom-line, and that is, 
do we put these regulations into effect immediately, knowing 
that there are refinements that must be made? When could those 
refinements be made part of the regulations if we put these 
into effect at this point in time? It is my understanding that 
depending on the interpretation of what the refinement is, 
whether it is just a technical change, or whether it is a 
policy change will determine that.
    So having gone into that and asked you all to think about 
it during the break, Dr. Clough, we can start with you, and 
hopefully you all can get your viewpoints in during my short 
period of time.
    Mr. Clough. We recommended delay. And although we agree 
with the importance of getting some regulations in place and 
making sure that people feel comfortable about privacy, we 
think that there is a downside, a serious downside, to 
beginning to implement something which is wrong. And I would 
say that at our place if these--if this regulation does go into 
effect, we will immediately start spending money to make sure 
that we can meet them as they stand at that date.
    It is sort of analogous in some ways to the Y2K issue. When 
the time approaches, you had better be ready. And you have 
spent the time and money to get ready. That cost us a lot of 
money, and I think it cost everybody a lot of money; and to 
some extent the outcome was ho-hum. But I think it was ho-hum 
because that money was----
    Mr. Bilirakis. You are saying that if these changes can be 
made now before they become a part of the law, then fine. But 
if they can't be, you would want to see delays until they are 
done right.
    Mr. Clough. Not indefinitely, but for some period of time.
    Mr. Bilirakis. Ms. Foley.
    Ms. Foley. Our association would support that the 
regulations commence on the time that they have been identified 
to commence. And certainly if there are areas of interpretation 
for the Secretary for clarification because of some of the 
misunderstanding or interpretations, that would be very 
appropriate. But we think--in the public advocacy role, we 
support the sooner the better.
    Mr. Bilirakis. But how about some of these areas that these 
good people have brought up, which are certainly beyond the 
realm of interpretation or clarification?
    Ms. Foley. They are not my area of great expertise. I would 
be sensitive to them if they were barriers of the regulation. I 
think the regulation is well intended. Clarification is 
required.
    Mr. Bilirakis. Comments were made previously by many 
members of this subcommittee that the Congress did not do the 
job, that we asked the administration to do it. They spent time 
doing so, and we appreciate that. You are right about that. It 
is just that some of these real practical matters are not 
included.
    I am going to take the prerogative and say we have 10 
minutes since my time is already up. Each one of us will have 
10 minutes and no second round.
    Continue on, Dr. Melski.
    Mr. Melski. Yeah, the main issue is one of planning. When 
we fund large information systems projects out of our own 
budget, it often takes 3 to 5 years to implement them. You can 
always accelerate these timetables by spending more money and 
doing it more quickly, but to have uncertainty over a long 
period of time about exactly what is going to be changed 
creates havoc for us. Two-and-a-half percent of our revenue in 
your operations is to support clinic information systems in 
fiscal year 2001. That is $22,000 per each of our 600 
physicians.
    We are in capital equipment planning right now for the next 
fiscal year, which for us starts in October; and if we do not 
know how to plan, we have a lot of problems.
    Our estimate of the direct personnel costs for getting 
consent from the 350,000 unique patients that we see each 
year--we can't wait until the final date. We have to start 
tooling up now, because if it took a half-hour to explain the 
notification in order to get valid consent, that is 175,000 
hours; and it would take 103 full-time employees at 1,700 hours 
each, and $25,000 per employee or $2,575,000.
    Now, you can't say, well, start planning, do your capital 
budgets, do your operational budgets, and then maybe in a year 
all the things that you plan for now are pulled out. What that 
does is, it hurts health care. In other words, we have projects 
that we are scrambling to do to decrease errors in medications, 
for example, we will have to put them at a lower priority so we 
can be in compliance with these applications.
    Mr. Bilirakis. Doctor, forgive me. I want to get through.
    Dr. Appelbaum.
    Mr. Appelbaum. Mr. Chairman, we understand these 
regulations will not go into effect, that is, compliance will 
not be required for 2 years after their formal adoption. We 
also understand that the Secretary has the authority within the 
first 12 months after formalization of the regulations to make 
whatever changes may be necessary.
    Mr. Bilirakis. After the first 12 months, as I understand 
it.
    Mr. Appelbaum. During the first 12 months.
    The Secretary--I have the language in front of me, Mr. 
Chairman, in section 160.
    Mr. Bilirakis. Only to affect compliance, staff tells me.
    Mr. Appelbaum. Necessary to permit compliance with the 
standard or implementation specifications. And I think we would 
interpret some of the comments that were made here today as 
falling well within that standard. For example, no one ever 
intended these regulations to interfere with the ability of a 
family member to pick up a prescription at the neighborhood 
pharmacy, and clarification of that by the Secretary would be 
well within his authority under this standard.
    Mr. Bilirakis. I know Ms. Goldman agrees with that. But she 
will speak for herself.
    Mr. Ortiz.
    Mr. Ortiz. We believe they should be delayed. We are not 
sure that they can be fixed unless you go out with a new 
proposed rule. For example, the concept of statutory 
authorization which was in the original proposed rule and was 
deleted in the final rule, which would have allowed the 
pharmacies to accept the prescription as an implied consent to 
fill out that prescription is something that should be put back 
into the final rule. And I don't know that that can be done 
with simply delaying.
    Additionally there are other components of this which we 
are waiting for before you can even begin to implement some of 
the necessary changes. For example, the security regulations 
are not finalized. I don't know how we can move forward in 
doing some of the software changes, et cetera.
    Mr. Bilirakis. I don't want to get into details, Mr. Ortiz, 
because of time element, but thank you for that.
    Ms. Goldman.
    Ms. Goldman. Mr. Chairman, I think there are two areas 
here, and if we could divide them up, this might make the 
conversation a little easier.
    There are a number of policy differences that have been 
identified on this panel today, disagreements over whether 
there should be a consent requirement or not a consent 
requirement. Those things--I think if the Secretary is going to 
make changes in those, he can probably make changes in those 
before the effective date.
    Mr. Bilirakis. Before the end of the month?
    Ms. Goldman. Or before the April 14 date.
    We do not support doing that. I don't want to signal that 
we do support doing that, but he certainly could do that.
    The second area is the area where there are things that 
were not intended--as the title of this hearing suggests, 
things that were not intended by the legislation, glitches that 
might be in there, clarifications that are needed, guidance 
that the administration can issue or modifications, where 
necessary, to permit compliance as Dr. Appelbaum just cited, 
within the first 12 months of the regulation being effective. 
But that authority, the legal authority the Secretary would 
have to make those modifications, is not triggered until that 
April 14 effective date. Then within those first 12 months he 
could make those changes and we would support him doing that, 
so people do have the certainty they need to move forward.
    Mr. Bilirakis. Thank you.
    Mr. Heird.
    Mr. Heird. April 14 is a shotgun start and we have 24 
months to begin. If the rules change, as was pointed out by a 
couple of answers a moment ago, how much of that work is going 
to be thrown away while we restart? So that is a very serious 
concern of ours.
    Also it seems that for the last 30 days the industry, all 
parties, are giving the Secretary comments. I don't understand 
how they could go through the comments they are going to 
receive in less than 2 weeks, make changes, and understand the 
impact of change A to change B to change C. So I think it is 
almost disingenuous not to think about change.
    Mr. Bilirakis. I believe they have already received many of 
these comments. Some maybe they haven't.
    Mr. Heird. But that is problematic.
    Mr. Bilirakis. My time has expired.
    Mr. Stupak, may I yield to the full committee chairman? Is 
it all right with you?
    Chairman Tauzin. Either way.
    Mr. Stupak. Thank you.
    Dr. Melski, I am looking at your testimony and I see your 
cost estimate for the new rule. Could you describe the details 
that are assumed in your calculations that it is going to take 
30 additional minutes for each patient? In all seriousness, I 
don't think there is anyone on this panel that has ever spent 
30 minutes with the doctor, now you are telling us that you are 
going to spend 30 minutes explaining an informed consent.
    Mr. Melski. You haven't met my mother.
    Mr. Stupak. Is she a physician?
    Mr. Melski. No, but she is an example of an elderly patient 
who would be frightened by signing something she doesn't 
understand.
    And you also have to understand that we are talking about 
children who are transitioning into adult life, where there are 
ambiguities about whose consent you actually need and the whole 
concept of an emancipated minor and whether we get consent from 
them or their parents.
    All of this has to be worked out. Not only does it have to 
be worked out, we have to track it.
    Mr. Stupak. Don't you really--in all seriousness, if you 
are going to do the mother or young child, don't you perform 
complicated procedures on them and don't you have to explain to 
them the complicated procedures that are going to follow? How 
can that be more complicated than explaining an informed 
consent?
    Mr. Melski. I don't think it is, but why do you want to 
double the work?
    Mr. Stupak. If it doesn't take 30 minutes to explain a 
complicated medical procedure, why would it take 30 minutes to 
explain an informed consent? I think most people have an idea 
about privacy, and they do not want their name and personal 
information used outside of our procedure.
    Mr. Melski. Your point is very well taken and so well taken 
that I am concerned, in practice, what will happen if people 
don't understand the notification. They will be coerced into 
signing; and I think that is a bad thing to do; I think people 
should not sign something they don't understand.
    Mr. Stupak. Before you do a medical procedure, let's say 
outpatient surgery, the patients sign a form allowing you to do 
that.
    Have you ever asked any of your patients after they did 
that, did they understand what they just signed?
    Mr. Melski. I understand very well the exact dilemma that 
you were talking about, and that is exactly why I am concerned 
about complicating it by adding another process that has the 
same problems of what is consent, what does it mean, and what 
value does it add? That is the real issue.
    We have much common ground here. We really want to take 
care of people. We want to do the right thing. And I know it is 
dramatic to make it a good guy-bad guy kind of scenario, but we 
are all trying to do the right thing. But I genuinely believe 
that adding a consent with whatever time it takes, or if it 
takes very little time or it is meaningless because people are 
not really looking at it--see, I think the emphasis should be 
on the public disclosure. People should know what your privacy 
policies are.
    We hope at Marshfield Clinic to set an example that other 
clinics in the Nation can follow. We have many of these 
things--we have been doing this for a long time. And we have 
very strong language to protect patients.
    Mr. Stupak. If you have been doing it for such a long time, 
how then does the Secretary's proposed rule differ from what 
you have been doing for a long time? Why should this be more 
complicated, that it is going to cost you over $2.5 million a 
year in direct cost?
    Mr. Melski. The problem is that there are all kinds of 
costs that are not there. So if it is not a half-hour, it is 15 
minutes.
    Mr. Stupak. I am basing it on your half-hour, 103 full-time 
employees, $25,000 per employee, that is 2.575 in direct 
personnel cost, to gather consents in the first year.
    Realistically, look, you go in there, here is the 
operation, here is the consent. You will see maybe an 
anesthesiologist. I never see them the morning they put you 
under, but you sign for them. You don't know who it is. The 
doctor may say I am going to use the Green Bay 
Anesthesiologists, and you sign for that. And here is your 
outpatient and here. Sign here so we can bill your insurance 
company.
    I don't know one patient that sits there and reads it and 
then is quizzed by the doctor afterwards about what went on 
there.
    Realistically you can give the forms to the folks, there is 
the privacy. The people understand it. It can't be more 
complicated to the people that understand it.
    I take exception to 30 minutes, 103 full-time employees at 
the Marshfield Clinic.
    Mr. Melski. Well, the average consents that we have for 
complicated surgical procedures are seldom more than a page or 
two. These notifications that were sent out as a model are nine 
pages long, single-spaced.
    Mr. Stupak. So if you can do a very complicated procedure 
that is only a page long, you are telling me that you can't do 
a consent that is a page long.
    Mr. Melski. No, the consent is different than the 
notification. But the consent is required to refer to the 
notification, and unless people understand the notification, it 
is sort of like saying, sign here, but you have to go somewhere 
else to understand what you really signed.
    That seems to me that that is not the kind of, it is just----
    Mr. Stupak. If they sign your consent form, why do they 
have to go somewhere else to understand it?
    Mr. Melski. Because what they signed is saying you agree to 
something that is nine pages long, single-spaced; that is what 
they are signing.
    Mr. Stupak. You are saying that people are not smart enough 
to figure out the nine pages?
    Mr. Melski. I think people are sick and they are sometimes 
ill and they are young and they are old and they have a lot of 
other problems; and so, yes, I am concerned that they don't 
know what they are signing.
    Mr. Stupak. Does anyone else share the concern that they do 
not know what they are signing?
    Ms. Foley--Goldman.
    Ms. Goldman. Can I just clarify something that Dr. Melski 
said?
    This nine-page notice that has been referred to a few times 
was not a notice that was put out by the administration. It is 
a notice developed by the American Hospital Association as kind 
of a worst-case scenario of what a notice might look like. As 
we saw--under the Financial Modernization Act, the notice that 
is required under there; I just got one in the mail the other 
day--it is a small brochure.
    The notice that is required under the regulation could be a 
one-page notice; it does not have to be nine, single-spaced, 
complicated, overwhelming. And the notice is a notice about the 
regulation, not about the consent. It is about your rights 
under the regulation, what you can do about your rights to get 
access to your own medical records.
    Their consent is not even a meaningful consent under the 
regulation. Yes, it is required, as consents are now required 
in health care generally today, but it is a consent that could 
be coerced. You can say, you must sign this--and it could be 
one paragraph--you must sign this in order to get care in this 
facility, you must sign this in order for us to get 
reimbursement for your care. And the notice that is to 
accompany that is a much broader--serves a lot of different 
purposes, and doesn't have to look like one the AHA wrote.
    Mr. Melski. I must say I am astonished by the phrase that 
the consent is not meaningful. I just heard you say you could 
have a consent that is not meaningful. How do we interpret 
that? How do we plan for that? What are you telling us?
    Ms. Goldman. Maybe what would be helpful is for you to try 
to explain what people currently do sign when they are 
admitted.
    Most people do sign--when I say it is not meaningful, they 
can't say, we don't want to sign something that allows you to 
use my information to treat me, yet you must still treat me. In 
that sense, from a strict privacy standpoint, it is not 
meaningful because it is not voluntary. And it is not--it is 
meaningful in the sense that there is their signature, and they 
say they have signed it and they authorize the information to 
be shared. But they cannot withhold that authorization under 
this regulation and continue to get care and continue to get 
payment if that facility chooses not to do that.
    Mr. Melski. The other area that complicates this is that 
there is preamble language that says, we could say that these 
consents are not revokable; but there is also strong language 
that says we should not do that. We are trying to do the right 
thing.
    If we have a consent that is not revokable, this creates an 
administrative catastrophe because then we have to segregate 
records based upon whether the consent has been revoked or not; 
or once again, we have to exercise the prerogative that we were 
told we should not do, that they hope we will not, and that is 
put into our consents that it is nonrevokable.
    Mr. Stupak. People revoke their services all the time. They 
pay their bill and they leave. Because I revoke my consent and 
I no longer want you using my information, should I not have 
that right?
    Mr. Melski. Let's get away from money. Let's take a child 
who has a broken arm by parental abuse and has it taken care of 
and revokes the consent for that to be revealed. You need to 
understand in child abuse it is the pattern of injuries over 
time that determines whether you have concern or not; and the 
parent could use the revoking of consent to hide from one 
provider to another a pattern of behavior.
    Mr. Stupak. But now we are talking about a criminal case, 
and in any child abuse case in any State, you as a physician 
have a right and a legal obligation to report it to the 
authorities.
    Mr. Melski. This is absolutely true. That is certainly true 
in Wisconsin. That is a very good point.
    I am trying to explain that my level of suspicion is based 
on a pattern, and the only way I can understand the pattern is 
to have access to the information of the care that was given 
previously. So when the consent is revoked, I have great 
difficulty doing that.
    Not only that, we have questions about how we can process 
bills, what we have to do with the record, how we have to 
extract it or segregate it electronically. The revocation 
sounds easy. It sounds superficial. But come talk with my 
programmers when we try and implement this.
    This has profound implications, because you have to track 
this very complex situation of whether the consent is in effect 
or not; or what you have to do is, as suggested, make a consent 
that is nonrevokable, again adding to the intimidation factor. 
When you say, here, sign this, you can't revoke it and you are 
sick and you need help, what does that do to the trust 
relationship? How does that help?
    Mr. Bilirakis. The gentleman's time, the 10 minutes, has 
long expired. I would appreciate it.
    Mr. Stupak. Thank you, Mr. Chairman.
    Mr. Bilirakis. The Chair yields to the chairman of the full 
committee.
    Chairman Tauzin. Thank you, Mr. Chairman, thank you for 
this hearing.
    In the opening statement I know was made a part of the 
record already, I quoted the Hippocratic Oath section, that 
says, ``Whatever in connection with my professional service or 
not in connection with it I see or hear in the life of men 
which ought not to be spoken of abroad I will not divulge as 
reckoning that all such should be kept secret.'' That is the 
current oath that doctors, physicians, and health care 
providers take.
    Mr. Appelbaum, I am holding in my hand a letter from the 
APA to the Secretary of Health and Human Services, I want to 
quote from it. It says that, and I quote, ``Patients will lose 
some existing privacy protections because the current practice 
of hospitals, doctors generally requiring patient consent, 
notice of full disclosure, will change as a result of the 
regulation. Patients' ability to decide when their medical 
information will be disclosed outside the health system will be 
reduced.''
    The letter goes on to cite one of those cases. It points 
out that under this regulation ``that attorneys can simply 
certify that the information requested concerns a litigant to 
the proceeding and the health condition of such litigant is at 
issue between,'' and the letter goes on to say, ``These 
procedures provide no check on the attorney's behavior in 
requesting records of marginal relevance to a case or for the 
purpose of embarrassing and intimidating opposing parties.''
    That is a pretty strong statement. These regulations allow 
attorneys--in fact, require doctors to breach the Hippocratic 
Oath, and to give a patient's personal medical information to 
be used simply to embarrass without the court ever supervising 
the demand for this information.
    You go on in your statement to cite seven other cases where 
you find these regulations significantly deficient. On the 
first of these, you are concerned that the language is not 
broad enough to protect all forms of psychotherapy, and that 
these requirements require a second set of records which most 
psychiatrists will not do. This will increase time, difficulty 
and costs associated with recordkeeping.
    Third, you make the point that police officers, under these 
regulations, have the right, and I quote, ``to simply issue 
written demands to doctors, hospitals, and insurance companies 
to obtain patient records without meeting with a judge to 
review the assertions.''
    You cite a further exception that allows the release of 
medical record information anytime the police want to identify 
a suspect. That is a pretty broad loophole.
    You mention that, additionally, administrative subpoenas or 
summonses are particularly troublesome because they do not have 
any judicial review, and doctors are consistently, under these 
regulations, required to compromise their oath and to turn over 
information to police, to lawyers, to administrative summons.
    You mention on the next page the overly broad physician 
liability, because a physician is liable with his business 
partners, and the physician may have to keep track of his 
business partners to make sure that none of them violate the 
guarantee he's made to a patient. And you question, for 
example, whether this overly broad liability is going to create 
lawsuits against physicians for what business partners may do.
    On the next page, you talk about the intelligence agencies 
and the State Department compromising private information under 
these regulations. You are particularly concerned about the 
requirement for broad access without a patient consent for 
disclosure of medical records of Foreign Service personnel and 
their families.
    You go on to talk about the fact that the APA believes that 
the cost associated with these regulations is significantly 
understated; that a psychiatrist will experience significantly 
higher costs and will have heavy administrative burdens 
following this extensive and broad regulation.
    And finally you ask, can a psychiatrist who does not have 
any staff and therefore is the privacy official, and if the 
privacy official makes a mistake, is he the only one liable or 
is the doctor liable too?
    You ask some pretty significant questions in your 
statement. I read your statement in the letter from your 
association to the department, and you have got massive 
concerns about these regulations that need to get addressed, 
yet you tell us today we should proceed with this.
    Can you reconcile what appears to be a very apparent 
conflict in those two statements?
    Mr. Appelbaum. I would be very happy to try to do that for 
you, Congressman.
    These regulations give us what is clearly half a loaf. 
There are many ways in which they were inadequate, and you have 
cited many of them here this afternoon. And we could focus on 
those inadequacies and should at some point in an effort to 
correct them.
    But there is the half a loaf that they do give us. They 
give us the first national standards for medical record privacy 
that provide some set of protections for patients which do not 
exist at the moment. They give us a requirement that entire 
pieces of medical records not be released when you can do with 
less. They give us protection for psychotherapy notes which may 
be the most sensitive information in those records. They give 
us the right to inspect and copy one's own health information 
and correct it if it is erroneous.
    Chairman Tauzin. They give you those protections unless a 
lawyer demands them.
    Mr. Appelbaum. They give you those protections unless many 
of the circumstances you cited occur.
    Chairman Tauzin. These regulations are desperately in need 
of repair. You are right. It is a good step. It is the right 
thing to do, to try to create medical privacy rights.
    But you pointed out a list of real dangerous problems, and 
your association actually makes a case for these reduced 
patient rights, rather than expand them, when it comes to some 
people's right to access private information, but a doctor 
swears an oath he won't give it to anybody.
    Mr. Appelbaum. And in many respects they do, but we live in 
the real world.
    Chairman Tauzin. The real world is the Secretary is 
reviewing them now. He is taking public comment. He will be 
before this committee, we expect, next month. We have his 
commitment to do that, to tell us what he thinks about it.
    But the real world is, we have a review process on. We have 
time to correct them and make them right. Don't you think we 
should do that?
    Mr. Appelbaum. I think we should correct them as best we 
can.
    Chairman Tauzin. Let me turn to the pharmacy issue, because 
it is a huge one.
    Gentlemen, imagine--Mr. Chairman, I can't imagine going 
home to town hall meetings to face a public that tells me they 
can't get their prescription filled, that they have to sign 
these consent forms after they have already authorized their 
doctor to issue the prescription for them; and they send a wife 
or child or friend to go to the pharmacy to pick it up, and 
they come back empty.
    I cannot imagine the first liability suit that will be 
filed because, as recently happened with one of my friends, he 
forgot his nitroglycerine and had to get some real quick and he 
shows up at a pharmacy--and I go to get it for him, and I can't 
bring it back for him, and something happens in the interim--
you know, bad.
    You make an awfully good case, Mr. Ortiz, that the patients 
have given their consent for the prescriptions. They go see the 
doctor. The doctor says I am writing out a prescription; go 
pick it up at the pharmacy. You have a problem. You can tell 
the doctor, I don't want you to have the pharmacy know I have 
this problem. I don't want that issued from that pharmacy. You 
can do it right there if you like.
    But the fact that you make no objection, the doctor says, I 
have issued a prescription; here is a copy; take it to the 
pharmacy. And you take it in your hand and you give it to your 
niece, your uncle, or your friend or wife to go pick it up, and 
they come back empty-handed because the government issued a 
regulation that will not let them pick up your prescription for 
you. I can't imagine going to a town hall meeting and facing 
the complaints of my constituents on that.
    I live in a rural area. There are not drug stores on every 
corner in the bayou, I promise you. And going to the drug store 
can be a difficult task for some people who are sick and 
infirm. They have to send somebody else to do the job for them.
    And it occurs to me, Mr. Chairman, that when regulations 
are written without common sense like this, they really cause 
me to step back and say, wait a minute. We had better examine 
every line, dot every I, cross every T that has to be crossed 
in these regulations before I have to go home and answer to 
constituents that can't understand why we have done this to 
them when it was not necessary to protect their privacy.
    Ms. Goldman. Mr. Chairman, would you allow me to respond to 
that?
    I could not agree with you more. I don't think there should 
be anything in these regulations that keeps a relative from 
picking up someone's prescription or keeps a pharmacy from 
being able to fill a prescription; and I actually do not 
believe there is anything in these regulations that prevents 
either of those activities.
    And if there is a concern about whether or not next of kin, 
as it is clearly defined in the regulations, should be able to 
pick up a prescription, if someone has not acted 
affirmatively----
    Chairman Tauzin. Can you imagine us writing a rule defining 
which next of kin qualifies and which does not?
    Ms. Goldman. Excuse me, Mr. Chairman.
    What I was trying to say is that in the regulation next of 
kin are able to receive information about individuals. Only if 
someone takes an affirmative step to limit a disclosure to next 
of kin will that occur. I cannot imagine that a pharmacist will 
not allow a relative or family member or even a friend to pick 
up a prescription, unless that individual said----
    Chairman Tauzin. Staff tells me that you are wrong, that is 
only true if they are under care, not if you are just picking 
up a prescription.
    Mr. Ortiz is testifying to that effect.
    Mr. Ortiz?
    Mr. Ortiz. First of all, in the preamble, which is not part 
of the----
    Mr. Bilirakis. Let's keep it brief.
    Mr. Ortiz. In the preamble it says that the next of kin 
could possibly pick it up. That is only if, in fact, there is a 
filled prescription waiting for them to pick up. I am saying 
there won't be a filled prescription waiting for that 
individual to pick up unless we have that written, prior 
consent.
    Chairman Tauzin. I think we have it on the record.
    Mr. Chairman, thank you. I want to say finally, we will 
have the Secretary here. I will assure the committee he 
committed to come and to brief us on what they are finding out.
    I want to thank you for having this hearing, for giving us 
a chance to shed some light on it, because frankly I hope he 
does a good job of reviewing this regulation before it becomes 
final, and we fix it so that it isn't half a loaf. It is a 
good, full loaf and it is simple and it makes sense and it is 
practical. And when I go home to a town hall meeting, I am not 
roasted alive because I let this happen in a way that doesn't 
make sense.
    Mr. Bilirakis. Thank you, Mr. Chairman.
    Ms. Capps.
    Mrs. Capps. Thank you. I would like to express my thanks to 
this large panel for your persistence and endurance through 
this testimony. It is really valuable to us; and I appreciate 
it and I hope Mr. Chairman you will allow me to confess that 
after Ms. Foley gave her statement, I uttered a ``Right on'' to 
myself; I didn't say it out loud. Because I do appreciate the 
voice of nurses being heard on many of our health issues.
    And I am thinking about this particularly with respect to 
the topic at hand. There are 2.2 million nurses across this 
country, and I daresay in the real world of today, where 
privacy is being both invaded and protected, as we speak, in a 
variety of health care settings that many of those consent 
forms are actually being corrected by nurses. And I want to 
give you a chance to talk about that. You are one of the most 
enthusiastic or optimistic about where we are right now.
    In this country, I would imagine we have a patchwork of 
privacy protections, and again, nurses are experiencing all of 
this in various settings. And yet you remain optimistic that 
this is something we can go forward with, given the 
circumstances with which it was reviewed.
    Can you summarize or describe the time and effort that you 
believe compliance with this regulation--what that will mean 
for providers of health care?
    Ms. Foley. Thank you, Congresswoman. I appreciate the 
opportunity to explain a little further why we are optimistic.
    While--on balance, many providers in this country are 
making their very best effort to meet this very standard; 
however, it is not uniform, and that is one of the reasons we 
were very supportive of it as a Federal regulation. In 
reality--and I appreciate the doctors' concern about informed 
consent, but in the normal course of nursing work, we are 
constantly informing and obtaining consent and verifying that 
the information is well understood and then thoroughly 
documented. That is very much a part of our role in the 
admitting and even in outpatient settings, all the way through 
each procedure and each test; and it is an ongoing process. And 
if it is time-consuming, it is time very well spent, so that 
people in our country understand the care they are receiving. 
And if the disclosure of information is part of that 
information that is shared, then well it should be.
    So we really continue to support the principle that this is 
the right way to approach the information and that it is doable 
within the context of the many other commitments that we have.
    I want to give an example, if I could, under the definition 
of the minimum necessary standards.
    Mrs. Capps. Yes. I was going to ask you about that very 
thing.
    Ms. Foley. I think that is an opportunity to give some of 
our real-world experience.
    In balance of the treatment and in reading the 
clarification of the regulations and the provision, 
coordination and management of care, certainly the judgment 
prevails that in exchanging information that is appropriate, 
that is required to give full treatment. Let me give a quick 
example of two reasons, two ways we can look at this, and these 
are policies that already exist--at least in acute care 
settings that I am familiar with.
    If I am the nurse and I have been asked to administer a 
unit of blood to a patient who needs blood, and I have a 
physician order to do so, and I have obtained the laboratory 
consent, the blood consent form from the patient, after 
informing them, verifying that they understand the physician's 
information that they need to receive a unit of blood--and 
again this is with somebody who is competent, and I understand 
the doctor identified the issues for guardianship and 
competency--I will take this chart--in order to provide better 
patient safety, I actually take the full chart down to the 
laboratory.
    And I, in my facility, was required to share with the 
laboratory technician the patient identification, the physician 
order and the blood consent form; and nothing else in that 
chart was to be shared with that lab technician nor would it 
have been appropriate for me to start flipping through the 
medication records, the surgical report or any other 
information. In other words, that minimum necessary for me to 
get a safe unit of blood for that patient specifically was 
indeed the standard, and it is common practice.
    The dietitian wants information about the patient--minimum 
necessary could be more expansive. For example, they want to 
know what medications the person is on because of drugs, 
medication, adverse events.
    I think the standard is quite interpretable, and in many 
cases, already well enforced by policy and practice in many of 
our institutions. And as employees of facilities--all of the 
employees, whatever category, licensed and unlicensed--are 
required to respect those policies and adhere to those 
confidentiality matters.
    And so, again, it is a standard that most people strive 
for. The uniformity of a Federal regulation can only help us do 
better.
    Mr. Melski. May I respond?
    Mrs. Capps. Yes.
    Mr. Melski. I agree. We basically--we have so much common 
ground here. That is why it is painful to cast it as a 
struggle. But what you just heard was a description of a person 
with a single role. We have a very complex organization where 
roles are constantly changing.
    Mrs. Capps. Could I interrupt just for a second?
    I believe the illustration was meant to lift out a single 
role in a very complex setting of health care.
    Mr. Melski. Right. That is exactly my point.
    That is, when we have nurses that need to cross-cover or 
change their roles from day to day, when we have to build 
electronic systems which track what role they are playing today 
and, therefore, the minimum necessary in their role this day is 
different than the minimum necessary in their role another day, 
this becomes exceedingly burdensome. I see you shaking your 
head.
    Mrs. Capps. Well, I want Ms. Foley to be able to respond to 
you.
    Mr. Melski. I hope you are right. But the problem is that 
the hopes and the opinions are not in the regulations, and that 
is where we are concerned.
    Ms. Foley. I actually think I described a couple of 
multidisciplinary interactions that give an example of the role 
of the entire treatment team. And it is the provision, 
coordination and management of health care, including 
consultations and referrals between health care providers. It 
does allow--I don't know how the doctor could say nurses change 
roles. We have a scope of practice and a license, so I am not 
sure what he is describing. I don't wish to argue that point. 
The very ability in which we all find our work settings does 
not mean it to be more restrictive. It is still very possible 
to meet the standards and protect the policy.
    Mr. Appelbaum. May I follow up on that? Because I think 
there is a helpful way of amplifying that.
    With regard to the minimum requirement, the regulations say 
specifically that ``minimum necessary'' does not apply to 
disclosures to or requests by a health care provider for 
treatment. So anything that is treatment-related, health care 
provider, nurse, physician, or anyone else directly involved in 
care, this minimum necessary requirement is simply out the 
window. It is not an obstacle to the transfer of information.
    If I can add----
    Mrs. Capps. Please.
    Mr. Appelbaum. The extent of opposition to the prospective 
consent requirement is in many respects staggering because it 
is a minimal requirement that was considerably scaled back from 
the status quo at the request of many of the entities in the 
health care industry that are now currently complaining about 
how extensive the requirement is.
    The status quo is that we get consent from all of our 
patients prior to any release of information--contemporaneous 
consent, not blanket advance consent. So it is truly a minimal 
requirement that was designed to minimize costs and burden and 
ought to be seen in that light. We were doing a little bit 
toward protecting patients' privacy and by no means going 
overboard in that direction.
    Mr. Melski. What was said was correct for disclosure; what 
was said was not correct for use. In other words, the minimum 
necessary standard as it applies to the use of the information, 
we have the paradoxical situation where I can disclose the 
entire medical record to another health care organization, the 
entire record, and yet as I try and use it within my own 
organization, to use it the minimum necessary standards 
applies.
    Now that is a tremendous paradox, and in terms of the 
amount of time--I mean, I understand and respect the consents 
that are done every day for surgical procedures and so forth; 
but let me share with you that we also do a tremendous amount 
of research, and our research consents more closely resemble 
the notification, and that is, they are many pages long. And we 
have statistics based upon obtaining consent for research that 
do take 20 to 30 minutes.
    Mrs. Capps. Yes. I think we are describing a lot of 
different things. But if I could, Mr. Chairman, if you will 
allow me say--and I want Ms. Foley to respond.
    Mr. Bilirakis. Just in a few seconds, please----
    Mrs. Capps. I know.
    Mr. Bilirakis. [continuing] because we have another series 
of votes, and it would be great to finish up.
    Mrs. Capps. It strikes me how much education is required in 
all we are talking about, that whoever is consenting also needs 
to be apprised of in a setting not conducive to reading nine 
pages.
    But if you would like to give a response, very----
    Mr. Bilirakis. Very briefly, please.
    Ms. Foley. Absolutely, Congresswoman.
    It does require the exchange of good information, 
oftentimes done verbally in addition to the written because it 
does require interpretation and clarification of understanding. 
If someone is to receive an operative report, I would ask them 
questions about that procedure; and that is common practice to 
make sure they understood it because the written word, and 
oftentimes our medical jargon, does confuse.
    Mr. Bilirakis. Thank you.
    Mr. Buyer to inquire.
    Mr. Buyer. Thank you, Mr. Chairman.
    Mr. Heird, the comments that you have made in your 
statement, I want to let you know I agree with when you mention 
about the unintended consequences, about the scope and 
complexity of the changes required by HIPAA to implement this 
in a 2-year timeframe. I want to associate myself with your 
comments here.
    But I am also bothered by such stark differences in 
testimony about costs. First, HHS estimated that the proposed 
privacy regulation costs $3.8 billion, over 5 years. Then they 
update the cost estimate. They think the final rule will cost 
$18 billion.
    Then with regard to the administrative side of the house--
this implementation, the administrative simplification, and the 
transactions and code sets regulation--that somehow is not 
supposed to cost anything. That is going to save money as I 
read the testimony of Ms. Goldman. I don't believe that because 
there are going to be some costs here.
    So, Mr. Heird, you are a senior officer here in a very 
large health insurance company, talk about the costs and 
implementation here and then give some recommendations to the 
committee on what we should do as we try to implement this 
rule.
    Mr. Heird. Congressman, our views about the cost of the 
program square with yours. We believe that in our particular 
case--for instance, Health and Human Services suggested that a 
large health plan would spend about a million dollars to be 
compliant with HIPAA and all its dimensions; we are going to 
spend approximately a hundred times that number. About half of 
that will be for transactioning code sets.
    Mr. Buyer. A hundred million dollars?
    Mr. Heird. Yes. And about $50 million of that will be for 
transactioning codes.
    And I point out to you that about 70 percent of our claim 
transactions today are already automated. In other words, they 
come in in a paperless mode. So from our point of view we do 
not know where these alleged savings will occur.
    The remaining $50 million will be in privacy and security, 
and so from our standpoint, it is, as I pointed out in my oral 
testimony to you, pure cost to us. I don't want to say that 
privacy is an issue because it costs money, but clearly the 
value will be delivered.
    But as we also look at hospitals, we have issued a report, 
and I would like to suggest the committee see that report 
yesterday from Tillinghast-Towers Perrin where they estimated 
what the cost would be for the provider industry. The initial 
estimates for hospitals for transactioning codes alone were 
between $100- and $300,000. The latest study would suggest that 
the cost would be $750,000 to over $3 million to implement just 
the transactioning codes.
    Our thought is that privacy for hospitals will be more 
expensive than the transaction and code set requirements, so we 
think that the cost estimates are woefully inadequate and there 
really will not be savings to offset the cost of desired 
privacy features.
    Mr. Buyer. Mr. Chairman, I would ask unanimous consent that 
the Tillinghast-Towers Perrin report, as referenced by Mr. 
Heird, be incorporated in the record.
    Mr. Bilirakis. Without objection.
    [The report follows:]
                 Blue Cross and Blue Shield Association
 Final Report: Provider Cost of Complying with Standardized Electronic 
                                Formats

                               MARCH 2001
                           EXECUTIVE SUMMARY

    While the move to standardized electronic transactions in the 
health care industry is long overdue, most hospitals and provider 
organizations are underestimating the magnitude of the challenge--both 
in terms of time and money. The standardization of transactions and 
code sets will generate significant financial issues for providers. The 
changes to provider information systems will affect nearly every aspect 
of business operation and will require significant coordination across 
the healthcare industry.
    All of this takes time, but time is running out. Under the current 
rule, wholesale change to the billing platform of the health care 
industry must be done by October of 2002. The unanswered question is: 
will the industry be ready to embrace this change without significant 
reductions in service and a short-term increase in costs as 
organizations seek and implement remedies?
Study Findings:
<bullet> Most provider organizations are underestimating both the 
        investment costs and the time required to comply with 
        standardized formats.
<bullet> The migration to standardized codes and loss of unique 
        identifiers and local codes may cause some providers to lose 
        special payment considerations that have been historically 
        negotiated.
<bullet> A November 2000 survey of hospitals found that none of the 
        surveyed organizations have completed a comprehensive budget to 
        implement the electronic standards. These results were 
        substantiated by follow-up calls in January 2001.
<bullet> Tillinghast-Towers Perrin estimates that it takes roughly five 
        years to generate payback and payback estimates are highly 
        dependent on achieving a significant reduction in accounts 
        receivable.
<bullet> These ROI calculations do not account for the potential of 
        significant changes to standardized formats and code sets that 
        may occur during the payback period.
Cost Estimates:
<bullet> In the final rule for standardized formats, HHS estimated 
        hospital costs to be $100,000 to $250,000; however, 
        Tillinghast-Towers Perrin estimates costs to a mid-sized 
        hospital (200-300 beds) are $775,000 to $3.5 million.
<bullet> Costs to teaching hospitals and other integrated delivery 
        systems are $1.5 to more than $6 million per organization.
<bullet> Costs to individual physicians are approximately $3,000 to 
        $5,000.
<bullet> For a typical 50-physician practice costs could range from 
        $75,000 to $250,000 depending on age and characteristics of the 
        information systems.

 FINAL REPORT: PROVIDER COST OF COMPLYING WITH STANDARDIZED ELECTRONIC 
                                FORMATS

History
    The Secretary of HHS released final rules regarding electronic 
formats for the health care industry in August 2000. Developed under 
the auspices of the Administrative Simplification section of the Health 
Insurance Portability and Accountability Act of 1996, these 
standardized formats are one in a series of rules that are required by 
the Act. Under the regulations, covered entities (health plans, health 
care clearinghouses, and providers who transmit administrative data in 
electronic form) will have two years to comply--October 2002. The 
standard transactions required are:

<bullet> Health claims and equivalent encounter information
<bullet> Enrollment and disenrollment in a health plan
<bullet> Eligibility for a health plan
<bullet> Health care payment and remittance advice
<bullet> Health plan premium payments
<bullet> Health claim status
<bullet> Referral certification and authorization
<bullet> Coordination of Benefits
    Under the rule, if a covered entity conducts any of the above 
transactions with another covered entity (or between covered entities 
owned by the same parent) using electronic media, the covered entity 
must use the standard formats adopted by HHS.
    In addition to standardized formats, the regulation requires the 
use of specified national medical code and non-medical code data sets. 
A code set is any set of codes used for encoding data elements, such as 
diagnosis codes, and medical procedure codes. In general, the code sets 
adopted by the Secretary include:

<bullet> ICD-9 coding for diagnoses and inpatient services
<bullet> CPT-4 for professional services
<bullet> CDT-3 for dental services instead of HCPCS ``D'' codes
<bullet> NDC for drugs instead of HCPCS ``J'' codes
* All locally defined codes are eliminated
    Other aspects of HIPAA Administrative Simplification include:

  Privacy.................................  Final rule issued December
                                             28, 2000
  Security................................  Proposed rules
  Provider Identifier.....................  Proposed rules
  Employer Identifier.....................  No proposed rules issued to
                                             date
  Health Plan Identifier..................  Proposed rule
  Individual Identifier...................  No proposed rules issued to
                                             date


    Implementation of all aspects of this first Administrative 
Simplification regulation is to take place over the coming two years. 
For electronic formats, all sectors of the health industry wishing to 
do business electronically must implement the standardized formats and 
code sets required by HIPAA by October 2002. This timetable will 
require massive effort and significant investment by hospitals and 
other health care providers. The alternative is a disruption of 
existing electronic transactions and a return to the use of paper and 
telephone transactions.
    Hospitals and physicians will be required to make wholesale changes 
to their information systems that will affect nearly every business 
operation. And, unanswered questions remain regarding how electronic 
formats will be implemented. In many cases, business rules to guide how 
electronic formats will be used have not been developed. Answers to 
these business rules may have an impact on how providers are paid and 
the level of payment. The migration to standardized codes, loss of 
unique identifiers, and elimination of local codes may cause some 
providers to lose special payment considerations that have been 
historically negotiated.
    Finally, implementation of standardized formats will require 
significant coordination across the healthcare industry, requiring 
hospitals, doctors, other health care providers, insurers, HMOs, 
government and others to coordinate activities.
Hospital And Provider Considerations Regarding Electronic Formats
    Tillinghast-Towers Perrin has found that hospitals, physicians and 
other providers have been slow to recognize the magnitude of migration 
to standardized electronic formats. Our industry telephone survey of 
hospital executives conducted in late 2000 found that virtually no 
hospitals have carefully considered the implications of HIPAA. A 
typical comment is ``our core mission is patient care, not data 
communications''. Subsequent telephone interviews conducted in January, 
2001 reinforced this earlier finding and showed that many providers 
have still done little to prepare. This is consistent with a recent 
national survey conducted by the Gartner Group which found that ``less 
than 10 percent of respondents have completed or are currently involved 
in estimating their organizations' expected return on investment for 
implementing HIPAA-compliant electronic transactions.'' Many hospital 
executives have been focused on more immediate concerns such as Y2K, 
implementation of the outpatient prospective payment system, and 
reductions in Medicare reimbursement rates.
    Standardization of electronic formats will require significant 
business process change and investment in several components of the 
organization, including:

<bullet> Billing and accounting systems
<bullet> Electronic medical records
<bullet> Data warehouses
<bullet> Electronic data interchange (EDI) systems
<bullet> Data translators
<bullet> Other information technology
    In general, we found that hospital executives are looking to health 
plans to take the lead in implementing and coordinating the transition 
to standardized formats. Hence, there has been very little planning 
around identification of current processes, gaps compared to HIPAA 
requirements and strategies to address these gaps. In this regard, the 
timing of format releases and specific questions regarding data content 
of transaction formats remain open issues. While hospitals are looking 
to health plans to take the lead in release of formats, they do not 
feel that they must follow health plan timeframes prior to October 
2002.

Cost Estimates for Implementing Standard Electronic Formats
    Many consultants and government agencies have attempted to estimate 
the cost to hospitals and physicians of migrating to standardized 
electronic formats and code sets. Overall, we have found that most 
provider organizations are underestimating both the investment cost and 
the time required to comply with standardized formats.
    Costs to develop standardized transaction formats for any 
particular hospital or provider practice are highly dependent on 
several factors, including:

<bullet> Degree of electronic data interchange already in place and 
        level of current compliance
<bullet> Hardware configuration and age of system
<bullet> Software packages and degree of integration between business 
        platforms
<bullet> Data warehouse capacities
<bullet> Use of data translators or clearinghouse functions
<bullet> Use of billing agencies and ability of these organizations to 
        comply with standardization within current cost structures
<bullet> Other factors

HHS Estimate
    The electronic format final rules estimate that average costs to 
hospitals range from $100,000 to $250,000. Furthermore, HHS anticipates 
that billing agencies and clearinghouses will offer services that 
address standardization issues.
Zero-based Budget Estimate
    Many health plans and some hospitals are currently budgeting for 
remediating to standardized electronic formats. A representative budget 
for a mid-sized hospital (200-300 beds) that is presented below shows 
that the total technology cost to implement standardized transaction 
formats and code sets ranges from $775,000 to over $3 million.

      Representative Hospital Electronic Format Remediation Budget
------------------------------------------------------------------------
                 Area/Gap                          Estimated Cost
------------------------------------------------------------------------
Reprogramming billing systems.............  $100,000 to $1 million
Purchasing a HIPAA compliant data           $100,000 to $250,000
 translator (necessary investment for most
 hospitals).
Business office and provider training (new  $50,000
 codes, new formats, new identifiers,
 etc.).
Charge slip and charge master (changes in   $25,000
 how charge slips are designed and charge
 masters maintained).
EDI upgrade for eligibility and claim       $50,000 to $100,000
 status check (migration from non-
 compliant dial-up systems to new
 platforms).
Consulting (including estimate revenue      $100,000
 impact of standardized code sets).
Data mapping and data warehouse upgrade     $100,000 to $1 million
 (most hospitals must map current
 transactions to standard formats. Those
 that operate data warehouses for analytic
 purposes must revise layouts and map old
 fields to new).
MSO/PPO/PHO remediation (virtually all      $250,000 to $1 million
 hospitals now have affiliated
 organizations that bill on behalf of
 staff physicians and other organizations).
Estimated total:..........................  $775,000 to $3,525,000
------------------------------------------------------------------------

    Teaching hospitals and other integrated delivery systems that 
include both insurance functions, physician office administration, 
facilities and ancillary services will require significantly greater 
investment. Again, depending on the state of the current information 
systems, total costs would be roughly two to three times the averages 
noted above, or $1.5 million to over $6 million.
    Likewise, physicians must upgrade and change internal billing 
systems, referral authorization procedures and claims status checks. 
Depending on age and characteristics of the information system, costs 
could range from a low of $75,000 to a high of $250,000 to remediate 
for a typical 50-physician practice. For a typical solo physician 
practice, a retooled billing system would require a $3,000 to $5,000 
investment. The upper estimates assume that the current information 
platform cannot be sufficiently modified and a replacement must be 
purchased.
Clearinghouses and Billing Agencies
    Many organizations are turning to clearinghouses and billing 
agencies for assistance in meeting the new requirements. In the near 
term, this solution may seem to be a cost effective and efficient way 
to meet the October 2002 deadline. However, while these organizations 
often work on behalf of solo physicians, the introduction of a 
clearinghouse may not be preferable for high volume providers, 
hospitals and those providers that wish to maintain direct contact with 
payer organizations. Additionally, clearinghouses add another 
``middleman'' layer to the health care delivery system. They do not 
represent a long-term solution to enhanced administrative efficiency.
    Transaction costs for clearinghouses reportedly range from less 
than 5 cents per transaction to approximately 20 cents per transaction. 
Low cost options depend on very high volumes of transactions, not 
limited to claims. Other transactions include eligibility checks, 
referral authorizations, claims status checks and other EDI functions. 
Depending on the volume of transactions, even at relatively low per 
transaction costs, the total annual costs are significant.
    Finally, it is not clear that most billing agencies and claims 
clearinghouses are rapidly moving to comply with administrative 
simplification requirements. Compliance for these organizations 
requires significant capital investment and time to implement. With 
less than two years to go, TTP is not aware that any provider 
clearinghouse or billing agency is HIPAA fully compliant.
Return on Investment Analysis
    While the short-term costs are high, many hospital executives are 
positively disposed to implementation of electronic formats. Since many 
hospitals already bill electronically over 90 percent of claims, 
positive ROI is dependent on:

<bullet> Increased billing accuracy due to elimination of plan-specific 
        codes
<bullet> Reduction of errors due to plan-specific claims formats
<bullet> Front-end insurance eligibility verification through a 
        standardized interface with all health plans
    Some hospitals anticipate significant one-time revenue increases in 
the form of reduced accounts receivable due to electronic 
standardization. One organization anticipates a one-time reduction of 
at least 10 days in receivables. Others anticipate even greater 
savings. These reductions would result in a one-time increase in 
hospital revenues that would help offset standardization costs.
    Secondary benefits are also noted by selected hospital financial 
analysts. Administrative simplification is anticipated to generate a 
reduction in billing office administrative costs due to rejected claims 
and other manual processes. This assumes that the standardized 
electronic formats will reduce billing errors generated by the 
hospital. Overall, payback for developing the infrastructure to support 
electronic standardization is anticipated to be within five years.
    However, Tillinghast-Towers Perrin has found that many hospitals 
may be underestimating the cost of migrating to standardized formats. 
Interviews with hospitals nationwide that Tillinghast Towers Perrin 
conducted in November 2000 showed that none of the surveyed 
organizations have completed comprehensive budgets to implement the 
electronic standards. Among those few organizations that have conducted 
preliminary ROI analysis, it takes roughly five years to generate 
payback and payback estimates are highly dependent on achieving a 
significant reduction in accounts receivable.
    Finally, these informal ROI studies do not account for the required 
changes to standardized formats once they are implemented. In fact, 
once the mandated formats are fully implemented in two years, it is 
highly likely that American National Standards Institute will recommend 
movement to the International Standard Formats that the remainder of 
the business world is already adopting. The HHS mandated formats are 
based on a batch mode format standard. In the world of e-business, 
batch mode has been replaced by real-time transmissions. In fact, those 
dot-com vendors that currently service the health care industry, to 
comply with mandates, must remediate their internet applications to the 
previous generation of EDI-batch mode transmissions. Three years from 
now, the health care industry will likely be adopting International 
Transaction format standards, souring positive ROI calculations.

Conclusions
    While the move to standardized transactions in the health care 
industry is long overdue, most hospitals and provider organizations are 
underestimating the magnitude of the challenge--both in terms of time 
and money. Additionally, standardization of procedure codes in some 
markets and for some organizations may generate significant financial 
issues. For instance, when all local codes are mapped to standard 
codes, the revenue associated with the standard code will likely be 
different--either higher or lower, than current payments. While health 
plans will seek, at a minimum, a revenue neutral solution, for any 
particular provider organization, payments will change. These 
unintended windfall gains and losses must be anticipated and mitigated, 
by both health plans and provider organizations.
    All this takes time. And, time is growing short. Wholesale change 
to the billing platform of the health care industry must be 
accomplished by October 2002. The unanswered question is: will the 
industry be ready to embrace this change without significant reductions 
in service and a short-term increase in costs as organizations seek and 
implement remedies?

    Mr. Buyer. I also ask unanimous consent that--the full 
committee chairman cited a letter by the President of the 
American Psychiatric Association, dated March 12, 2001, to the 
U.S. Department of Health and Human Services--that that letter 
also be placed in the record.
    Mr. Bilirakis. Without objection, that will be the case.
    [The letter referred to follows:]

                           American Psychiatric Association
                                                     March 12, 2001
U.S. Department of Health and Human Services
Attention: Privacy I
Room 801
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

RE: American Psychiatric Association technical amendment to the final 
rule, Standards for Confidentiality of Individually Identifiable Health 
Information (Federal Register, February 28, 2001, pp. 12738-12739).

    Dear Secretary Thompson: The American Psychiatric Association 
(APA), a medical specialty society representing more than 40,000 
psychiatric physicians nationwide, believes the final privacy 
regulation is an important first step toward protecting patient 
privacy. We recognize there is still work to be done to overcome 
implementation obstacles to achieve compliance if these regulations are 
to appropriately serve the needs of the American people. At the same 
time please know that any delay in the implementation date is contrary 
to the health needs of the American people.
    Regrettably, it is often overlooked that confidentiality is an 
essential element of high quality health care. Some patients refrain 
from seeking medical care or drop out of treatment in order to avoid 
any risk of disclosure of their records. And some patients simply will 
not provide the full information necessary for successful treatment. 
Patient privacy is particularly critical in ensuring high quality 
psychiatric care.
    Both the Surgeon General's Report on Mental Health and the U.S. 
Supreme Court's Jaffee v. Redmond decision conclude that privacy is an 
essential requisite for effective mental health care. The Surgeon 
General's Report concluded that ``people's willingness to seek help is 
contingent on their confidence that personal revelations of mental 
distress will not be disclosed without their consent.'' And in Jaffee, 
the Court held that ``Effective psychotherapy depends upon an 
atmosphere of confidence and trust . . . For this reason the mere 
possibility of disclosure may impede the development of the 
confidential relationship necessary for successful treatment.'' 
Accordingly, the APA recommends at the close of the comment period you 
move forward with the publication of the regulations and not delay the 
implementation date but rather you use your regulatory authority to 
respond appropriately in the public interest to protect the privacy of 
the medical record to the comments received. And we suggest this 
notwithstanding our concerns hereinafter expressed that we believe 
changes in the provisions on mental health records are critically 
needed to ensure the delivery of effective mental health care, or other 
comments that may be submitted.
    The Administration's efforts seeking comments are commendable, and 
while the regulations need to take these additional steps, delayed 
implementation would be more harmful. When you have reviewed all the 
comments you can then bring the ``stakeholders'' together, and secure 
the necessary stronger protections to advance patient privacy which we 
as physicians believe that our patients and our families need.
    The APA urges the following revisions to the proposed regulations:

1) Section 164.506. Consent for uses and disclosures for treatment, 
        payment, or health care operations. Health care plans, 
        providers, and clearinghouses must be required to obtain an 
        individual's consent before their medical record can be 
        disclosed for treatment, payment, or other health care 
        operations. Patients should be able to choose who will see 
        their medical records.
    The APA is concerned about blanket consent at the time of entry 
into a health plan. This blanket consent means a patient is authorizing 
subsequent disclosures of personal information without knowing the type 
of information allowed to be disclosed, or who can receive this 
information. While the regulations allow the patient to revoke this 
consent, the regulations do not protect the patient from being 
dismissed from the plan for doing so. The patient should have the 
ability to revoke the consent at any time. The APA feels the rule does 
not adequately provide this patient protection.
    Excessive demands by payers for access to patients' medical 
information, which often amount to requests for entire patient records, 
should not be allowed. The demands routinely include information for 
which there is no legitimate need for payments purposes. Significantly 
narrower definitions of the information that may be released for 
payment purposes is needed to protect patient privacy. There needs to 
be an objective standard for the information that is needed not a 
subjective standard.
    Patients should have the right to consent to--or refuse--
participation in disease management programs. In addition, an 
individual's enrollment or costs should not be affected if he or she 
declines to participate in a plan's disease management program. We 
oppose any disclosures of health information for disease management 
activities without the coordination and cooperation of the individual's 
physician. Yet, there is no such requirement in the final rule. We 
believe this term needs to be defined narrowly, in order to prevent 
inappropriate use and disclosure (for example for marketing purposes) 
of health information without the patient's consent.

2) Section 164.512(e). Standard: Disclosure for judicial and 
        administrative proceedings. Patients will lose some existing 
        privacy protections because the current practice of hospitals 
        and doctors, generally requiring patient consent and/or notice 
        before disclosure, will change as a result of the regulation. 
        Patients' ability to decide when their medical record 
        information will be disclosed outside the health system will be 
        reduced.
    For example, currently when hospitals or doctors receive a request 
for a medical record from an attorney for civil and administrative 
purposes, they will generally not disclose medical records information 
without notice to the patient and/or the patient's consent. But the new 
regulation would allow providers to disclose medical records 
information to attorneys who write a letter ``certifying that the . . . 
information requested concerns a litigant to the proceeding and that 
the health condition of such litigant is at issue''. As long as 
reasonable efforts are made to give notice of the request to the 
patient and to secure a qualified protective order. These procedures 
provide no check on attorneys' behavior in requesting records of 
marginal relevance to a case or for the purpose of embarrassing or 
intimidating opposing parties. Once the information is disclosed, the 
damage is done; post hoc remedies cannot restore parties' privacy.

3) Section 164.514. Standard: Uses and disclosures of protected health 
        information for marketing and fundraising.
    The APA is very concerned about a marketing and fundraising 
loophole that exists in the regulation. A patient's authorization is 
not needed to make a marketing communication to a patient if: it occurs 
face-to-face; it concerns products or services of nominal value; and it 
concerns the health-related products and services of the covered entity 
or of a third party and meets marketing communication requirements. For 
example, a marketer could knock on the door of a pregnant woman and try 
to sell her a product or service. Under the fundraising loophole a 
covered entity may use or disclose patient's demographic information 
and dates of health care to a business associate or to an 
institutionally related foundation, without a patient's authorization. 
We are aware the covered entity must include in any fundraising 
materials it sends to a patient a description of how the patient may 
opt out of receiving any further fundraising communication. However, 
the APA maintains that the patient should be able to opt out before the 
fundraising communication is sent. For example, a commercial 
fundraising organization for a health facility could use confidential 
information about a Governor being a patient at that facility without 
the Governor's consent for use in their fundraising. The APA is 
particularly concerned about the need for sensitivity with psychiatric 
patient's names. Commercial fundraisers should not be allowed to take 
advantage of patients especially those with mental illness.
    We strongly believe that personal health information should never 
be shared for the purposes of marketing or fundraising without the 
patient's informed consent and are disappointed that the rule only 
permits such not to occur futuristically. Effectively, an ex post facto 
withdrawal of consent after the marketing and fundraising damage has 
occurred. There is an easy solution, merely require the fundraising 
endeavors to have a patient consent (opt in) before the activity 
occurred rather than the regulation's authorizing the patient to opt 
out of any further fundraising endeavors.

4) Section 164.508. Use and Disclosure for Treatment, Payment, and 
        Health Care Operations-exception for psychotherapy notes.
    Additional protections consistent with the Supreme Court's Jaffee 
v. Redmond decision for mental health and other particularly sensitive 
medical record information are essential. Without such additions the 
protections essential for effective mental health care will be lost.
    We believe that all medical records should enjoy a level of 
protection so that no additional protections are needed for psychiatric 
or other sensitive information. In fact, the U.S. Supreme Court 
recognized the special status of mental health information in its 1996 
Jaffee v. Redmond decision and ruled that additional protections are 
essential for the effective treatment of mental disorders.
    APA believes that the rule allows for the use and disclosure of far 
too much information without the patient's consent. We also believe 
that language needs to be added to clarify that the amendment's privacy 
protections cover treatment modalities broader than psychotherapy (and 
indeed virtually all psychiatric information) and also cover 
information that is part of the patient's medical record.
    The regulations change the current standard of practice relevant to 
the psychotherapy documentation. There is a new requirement for keeping 
a second set of records, which most psychiatrists do not now do, and 
which will result in increased time, difficulty, and cost associated 
with record keeping.

5) Section 160.203. Standard: Disclosure for law enforcement. We also 
        want all Americans to be free from unreasonable police access 
        to their most personal medical record information. The 
        Administration's proposal falls short in this area.
    Under these regulations law enforcement agents would simply issue 
written demands to doctors, hospitals and insurance companies to obtain 
patient records, without needing a judge to review the assertions. We 
are also very concerned by the separate provision that would allow for 
the release of medical record information anytime the police are trying 
to identify a suspect. This broad exception would allow computerized 
medical records to be sifted through by police to seek matches for 
blood, or other health traits. In addition, the provision that allows 
disclosure on the basis of an administrative subpoena or summons, 
without independent judicial review, is particularly troublesome.
    We believe that the same constitutional protections (a Fourth 
Amendment probable cause standard including independent judicial review 
for all requests) should apply to a person's medical history as applies 
to their household possessions.

6) Section 164.502. Business Associate Provisions. Section 164.300. 
        Compliance and Enforcement.
    The business associate provisions of the proposed regulation result 
in overly broad physician liability, and the regulations also need to 
be reconsidered in light of the need to limit the administrative burden 
on physicians who practice independently or in small practices.
    The rule identifies most health care related entities other than 
physicians, providers, health plans, and health data clearinghouses as 
``business partners'' of physicians, which could only be held to the 
confidentiality standards of the regulation through contracts with the 
covered entities, such as physicians. In essence this enormous 
regulatory framework will be achieved largely through the inappropriate 
liability placed upon physicians.
    A covered entity will have a new duty to mitigate any known harmful 
effects of a violation of the rule by a business associate. This duty 
may, in effect, compel covered entities to continue to monitor 
activities of business anyway. It is not clear if a psychiatrist, for 
example, could be held accountable for prohibited activity by its 
business associate, even if the psychiatrist should have known of the 
prohibition. For purposes of the rule, actions relating to protected 
health information of an individual undertaken by a business associate 
are considered to be actions of the covered entity. Therefore even 
though covered entities may avoid sanctions for violations by business 
associates if they discover the violation and take the required steps 
to address the wrongdoing, they may be vulnerable to a negligence 
action. APA believes these provisions present the potential for overly 
broad liability for physicians who, themselves, are complying with the 
regulation's requirements.
    It is not unreasonable to expect that some additional burdens will 
fall on physicians as part of efforts to increase patient privacy. 
However, the level of administrative burden currently contained in 
these regulations is not equitably distributed. Particularly important 
is expanding the concept of scalability so that the administrative 
burden on physicians in solo or small practices will be manageable, 
taking into consideration their limited resources and staffing.
    As noted above, the regulatory framework of this regulation relies 
too heavily on physician liability (via business associates). If indeed 
it is the framework by the Secretary that is enacted through regulation 
or through congressional action, we could not support providing 
individuals with a private right of action.

7) Section 164.512 (k). Standard: Uses and disclosures for specialized 
        government functions (Military, State Department and others).
    The special rules in this section are overly broad and do not 
provide adequate procedural protections for patients. Except in very 
narrow circumstances the consent of the individual should be the rule 
for the use and disclosure of governmental employees' medical records 
information. We also note that intelligence agencies and the State 
Department are not even required to publish a rule, subject to public 
comment, defining the scope and circumstances of their access to 
medical records. Particularly objectionable are the provisions allowing 
broad access without patient consent for use and disclosure of medical 
records of Foreign Service personnel and their families.

8) Volume 65 Federal Register page 82790. Costs: The APA believes the 
        estimated costs imposed on small psychiatrists' offices for the 
        first year of $3,703 and consecutive years of $2,026 seem 
        unrealistically low.
    Psychiatrists will experience significantly higher costs and will 
have a heavy administrative burden, such as getting satisfactory 
assurances from a business associate through a written contract, 
keeping psychotherapy notes separate and locked from the rest of the 
psychiatric record, and providing written notice of their privacy 
practices to their patients. Similar to small health plans, small 
physician offices should be allowed to have 36 months for compliance to 
spread the cost over a longer period of time.

9) Section 164.530 Administrative requirements.
    A clarification is needed on the privacy official provision. For 
example, can a psychiatrist who does not have any staff serve as the 
privacy official? If a privacy official makes a mistake will only the 
privacy official be liable?

10) Section 160.104 Modifications.
    The APA believes implementation should not be delayed because the 
Secretary has discretion under section 160.104 to adopt a modification 
to a standard every twelve months and the provision expressly allows 
modification within the first twelve months after the effective date.
11) We welcome the many very positive provisions contained in the 
        regulation and urge that they be retained including:
 the general rule of non-preemption of more privacy protective 
        state laws (Section 160.203)
 a higher level authorization is required for any use or 
        disclosure of psychotherapy notes, and most importantly 
        psychotherapy notes may not be disclosed without the patient's 
        specific authorization (Section 164.508)
 the requirement that the entire medical record not be used in 
        cases where a portion of the record will suffice, i.e. the 
        ``minimum amount necessary'' requirement. Physicians can cite 
        this provision when dealing with unreasonable health plan 
        requests for information. (Section 164.502 (b))
 the requirement that an entity must notify enrollees no less 
        than once every three years about the availability of the 
        notice and how to obtain a copy of it (Section 164.520)
 extension, in many circumstances, of federal ``common rule'' 
        research protections to privately funded research (Section 
        164.512)
 the right to request restrictions on uses or disclosures of 
        health information (such as requesting that information not be 
        shared with a particular individual) (Section 164.522)
 the right to request that communications from the provider or 
        plan be made in a certain way (such as prohibiting phone calls 
        to individual's home) (Section 164.502)
 the right to inspect and copy one's own health information 
        with the exception of psychotherapy notes and when the access 
        is reasonably likely to endanger the life and physical safety 
        of the individual or another person (Section 164.524)
 the patient needs to be provided documentation on who has had 
        access to this information and the right to request amendment 
        to the record if it contains incorrect information (Section 
        164.528)
    In conclusion, we believe the privacy regulations are very much 
needed but at the same time (as above noted) believe some provisions 
are inadequate to protect our patients. Yet, our gravest concern is 
that certain parties which were disappointed at how protective these 
regulations are of patient privacy will in support of their own 
interests be arguing for surrendering many of the protections that 
patients have just gained. In order to ensure interested stakeholders' 
regulatory comments do not diminish medical record privacy protections 
we recommend that the Secretary not only receive all interested 
stakeholders' (such as insurers, providers, health care clearinghouses, 
and consumer groups) comments, but also convene a meeting of the 
interested stakeholders as soon as possible after the conclusion of the 
regulatory comment period BUT before publication of the ``new'' final 
medical record privacy regulations.
    Secretary Thompson, we agree with you to conclude April 14, 2001. We 
of course encourage the Administration to stand firm on these issues 
and support strong protection of medical record privacy.
    Thank you for considering our views, and we look forward to 
discussing them with you further. Please feel free to contact Jay 
Cutler, Special Counsel and Director Government Relations or Nancy 
Trenti, Associate Director, at (202) 682-6060.
            Sincerely,
                      Daniel B. Borenstein, M.D., President
                                   American Psychiatric Association
cc: Anne Phelps
   Mitchell Daniels
   Sally Canfield

    Mr. Buyer. I yield the balance of my time to Mr. Norwood.
    Mr. Norwood. I thank my colleague. I have a minute or 2 
here.
    I want to ask a question that is probably too late to ask, 
but I am curious. How many of you feel we should have a Federal 
standard to cover privacy? Just do like that so I can see.
    Everybody agrees we should not worry about the States and 
just have Federal coverage that is uniform?
    Mr. Appelbaum. No.
    Mr. Norwood. Well, respond, Dr. Appelbaum.
    Mr. Appelbaum. Dr. Norwood, the States have been historic 
regulators of health care in this country, and have, in that 
role, initiated many of the experiments that later evolved into 
national policies.
    State regulation is a day-to-day reality in health care. 
Physicians are licensed by their States, hospitals are licensed 
by their States. Medicaid is a State program, and the industry 
is used to operating within the confines of State legislation. 
That is the status quo.
    To the extent that States decide that for their citizens 
they would like to provide a higher level of privacy 
protection, and their citizens agree, we think they should----
    Mr. Norwood. Thank you. I understand.
    In other words, you want a Federal law that is the bottom 
line, and then you want the States to be able to add to it in 
whatever manner they see fit?
    Mr. Appelbaum. That is correct.
    Mr. Norwood. I have got reams of paper up here from a lot 
of people who object to this particular regulation on different 
grounds. People have different thoughts as to why it is not 
right.
    A lot of you have objected to this regulation too, and even 
those of you who want to see this rule effective have pointed 
out this is not efficient, it is not perfect. It has a lot of 
flaws, but let's go ahead with the rule, some of you say, and 
then we will worry about correcting it a little later.
    Now, that gives me some pause for thought. If you are 
trying to say to us, okay, in the next 23 days let's perfect 
this rule so it really does work and let's take care of the 
concerns that all of you have, that all of these people have, I 
would tell you that we can't do it within 23 days, I don't 
believe. Nothing up here moves very fast. And my suggestion to 
you is that we pass rules and regulations in this town all the 
time that have unintended consequences, that come back to bite 
us, that are way too expensive, that simply do the opposite of 
what the rules set out to do. Why in the world on something 
this important wouldn't we try to get this right before we have 
a rule?
    I understand there is 2 years to comply. I understand the 
Secretary--staff says different, but some of you say that the 
Secretary within a year could get in and fix it. Why in God's 
name put a rule in place we know is wrong? And you have all 
pointed out, I think, many areas where it is wrong.
    And, incidentally, Mr. Chairman, I have a simple letter 
with unanimous consent I would like to offer for the record. It 
is from the American Medical Association, and if we could, I 
would like to have that put into the record.
    Mr. Bilirakis. Can you identify it by date?
    Mr. Norwood. Yes, February 28, 2000, and it is from Dr. 
Andy Anderson, Jr., M.D.
    Mr. Bilirakis. Without objection, it will be made a part of 
the record.
    [The letter referred to follows:]

                               American Medical Association
                                                  February 28, 2001
The Honorable Tommy Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
    Dear Secretary Thompson: The American Medical Association (AMA) 
appreciates your willingness to provide an opportunity for additional 
comments on the final privacy regulation recently issued by the Clinton 
Administration (65 Fed. Reg. 82472) as authorized by the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA). Your 
decision properly reflects the complexity of the rule and the potential 
for unintended consequences that are now being identified. We believe 
that significant changes to the rule are necessary to adequately 
protect patients and to make certain portions of the regulation 
workable before it is implemented. We respectfully request a limited 
extension of the effective date so that new comments can be evaluated 
and improvements to the rule can be effectuated before the compliance 
period commences.
    Patient privacy is fundamental to the physician-patient 
relationship and a right long advocated by the AMA. Physicians and 
other health care providers are the guardians standing between patients 
and the unrestricted use and access to patients' private medical 
records. We believe that preservation of patient trust and autonomy in 
an increasingly technological health care environment is imperative to 
continue high quality patient care that is expected in this country.
    We commend the Department of Health and Human Services for the 
tremendous work it took to write the final regulation. In fact, we were 
pleased to see certain improvements from the proposed regulation. 
However, many serious problems remain and others have surfaced from new 
requirements in the final rule.
    For example, although we are pleased with the new requirement for 
health care providers to obtain consent before a patient's protected 
health information can be used for routine matters, the final rule 
inappropriately exempts health plans from its requirement. Some aspects 
of the consent requirement also appear to be unworkable without certain 
modifications. In addition, law enforcement will have virtually 
unfettered access to protected health information without patient 
authorization and without a court order. There are also significant 
loopholes that allow the use and disclosure of protected health 
information for marketing purposes.

    Mr. Norwood. If any of you believe that we can correct this 
rule within the next 23 days to solve problems, almost every 
one of you pointed out, just give me--let the record show, 
nobody believes we can do that.
    Why don't we just step back here a little bit and try to 
get this right?
    Part of what, really, I am trying to understand is this 
rule puts so much on us, on the health care provider--Ms. Foley 
and Dr. Appelbaum and others. I am not aware that there is a 
privacy problem in this country with the physician, the nurse, 
the dentist, et cetera, et cetera. I just do not think that is 
where the privacy problem is. But we put all of this on their 
back.
    And, Ms. Goldman, you know, you are saying this consent 
form isn't but nine pages, and we may not use that anyway, but 
the Federal Government has never put out a form that was short 
and they are not going to start now. And if you don't believe 
me go to any agency and pick one. They are all burdensome at 
the very best.
    So why cannot all of us just simply agree--I know this has 
been worked on a long time. Let's step back, give this new 
Secretary some time, give us some time to address what I 
consider very legitimate problems. And at some point, perhaps 
this year, we can make this rule effective and then have the 2 
years for compliance and the year for the Secretary to go in 
and alter where we have made mistakes.
    But, Mr. Chairman, please, let's don't make a rule that we 
know has so many problems in it right now.
    And if there is anybody out there that can explain to me my 
problem with understanding--well, I have got 36 seconds. I 
would like to know if any of you believe the problem in privacy 
happens to be with the health care provider. Does anybody 
believe that is where the privacy problem is?
    Let the record show, nobody does. I will yield back.
    Mr. Bilirakis. The Chair now yields to Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. I will be as quick as I 
can. It does seem like it is so much effort when really all we 
want our insurance carriers to do is pay it, but do not share 
that information. It seems so simple.
    Dr. Melski, your testimony, one of the things that concerns me 
is, I have a district in Houston, Texas. We have a low 
immunization rate. We work with our immunization coalition. We 
do an Immunization Day every year. We use our hospital 
district. We use our city of Houston health department. We use 
our county health department, and they provide immunization in 
our district.
    Your testimony would say that it would limit it, but the 
way the practice is now, there is already information provided 
to parents; and in my area, it is bilingual--Spanish and 
English--to those parents. Why would it be so difficult to 
provide something else--and the CDC requires providers to keep 
records of those vaccines right now. Why would it be hard for 
them to keep records of that consent?
    Mr. Melski. Thank you for addressing that, because all 
these minor points are hard to cram into 5 minutes.
    There is currently an exemption for public health, but what 
we have found in Wisconsin with a project we initiated, an 
early childhood immunization network, is that the cooperation 
between the public and private sector is where you really raise 
the immunization rates, and you have to share information 
between public health and private.
    But in the private sector these consent forms would then 
have to be enforced. See, the public health has been exempted 
in them, but the practitioner has not. And so it is just 
paradoxical.
    Mr. Green. Maybe that is why we do not use private 
practitioners. We use public health agencies to provide that.
    Mr. Melski. Right. What happens is, if you really want to 
get the kids immunized, you have to get them when you have got 
them. When they come in for health care into our organization 
and we have records that we share with the public health 
nurses----
    Mr. Green. But you are required by law to share the 
immunization record, aren't you, with the State health 
department, because we have created a registry for so many of 
our States for immunizations?
    Mr. Melski. Right. But then the question would be--is 
whether--see, that is part of the problem with these 
regulations, that some people that are in favor of them sort of 
have this positive interpretation that, okay, in that area we 
don't have to have a consent.
    Mr. Green. That is the problem with any regulation, that 
is, somebody's way to interpret it. And hopefully, whether you 
are a provider or health care, insurance carrier or someone 
else----
    Mr. Melski. It is only the foot in the door. The real issue 
where we can really save lives is if we could share preventive 
information on mammograms, prostate exams, colon exams and so 
forth; and the ability to share that information among all 
providers would save lives.
    Mr. Green. Okay. With the permission of that person. I 
really don't want my colon scope to be sent out on a Christmas 
card unless it is with my written permission and greeting with 
it.
    Mr. Melski. It is true. The problem with immunizations and 
a lot of preventive health and research for that matter, is it 
is always good if everybody else agrees to do it except you. It 
is true for immunizations; it is certainly true for research.
    Mr. Green. Again, I understand that. But on immunization, 
like you said, public health has an exception, but for my own 
records, you still should have my permission to share that.
    Mr. Melski. And we do require that for immunization, but it 
is not nine pages, single-spaced. When you talk about consents 
for surgery that are two pages long, and now you have a nine-
page consent for a sore throat or a nine-page consent for 
immunization.
    Mr. Green. I haven't seen a nine-page consent, but having 
signed those consents for minor surgery, I think we could 
probably--and I am sure the Secretary, hopefully before this 
month is out, there would be an effort to reduce that to 
something and also in lay language. If it is nine pages, 
obviously ten lawyers drafted it.
    Mr. Melski. Right. And technically it is notification that 
has to be referred to in the consent. But still it is the whole 
implication of what is our obligation before we can carry out 
some of these very important tasks.
    Mr. Green. Again, that is what HHS is there for.
    Thank you, Mr. Chairman. I yield back.
    Mr. Bilirakis. I thank the gentleman.
    Mrs. Capps. Mr. Chairman, could I ask unanimous consent so 
that members of the committee may have a week to submit 
questions to these witnesses?
    Mr. Bilirakis. Yes, by all means. Of course, I have already 
mentioned that.
    I know that you are willing to respond to those questions. 
It has been quite a hearing and you have made it so. It is 
important that we have this knowledge. It is also important 
that HHS has this knowledge. Hopefully the right thing will be 
done. I know the bottom line is, we all want some sort of 
privacy protection.
    Thank you very much. The hearing is adjourned.
    [Whereupon, at 1:50 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]
        Prepared Statement of Robert C. Lower, Alston & Bird LLP
    Mr. Chairman and distinguished members of this Committee: My name 
is Robert C. Lower. I am a partner with the law firm Alston & Bird in 
Atlanta, Georgia, where I lead a group of lawyers who focus on health 
care law and health care privacy. I appreciate this opportunity to 
share with the Committee my personal observations regarding the impact 
of the HIPAA privacy regulations, as well as some thoughts on how those 
regulations could be improved.
    Let me start by saying that the health care community is committed 
to the confidentiality and security of personal health information. In 
almost 30 years of practice, I have observed countless instances where 
medical practitioners and the management of health care facilities have 
demonstrated their determination to protect the privacy of patients. I 
believe that the thousands of companies and millions of individuals who 
are part of the best health care system in the world are protecting, 
and will continue to protect, the confidentiality and security of 
Americans' personal health information under existing confidentiality 
laws.
    I also believe that the Department of Health and Human Services 
(HHS) should be commended for the hard work that went into the HIPAA 
regulations and for their good intentions in pursuit of the protection 
of medical records. However, as outlined below, I have a number of 
practical concerns about the HIPAA privacy regulations. I believe they 
are fundamentally flawed and must be revised.
Bureaucratic overload
    HHS created the HIPAA privacy regulations with virtually no 
legislative foundation and, unfortunately, the regulations are a 
textbook example of regulatory excess. From time to time, I advise 
clients in other industries, including e-business and financial 
services, on privacy matters and I am struck by the contrast between 
the HIPAA rules and, for example, the rules issued by the financial 
services regulatory agencies under the Gramm-Leach-Bliley Act. That law 
addresses the privacy of another type of highly sensitive information, 
namely, personal financial information. In comparing the two sets of 
regulations, it is interesting that the rules issued by HHS have an 
aura of suspicion about them, as if the writers distrusted the 
intentions of the entire health care industry. Why else would HHS 
create such detailed rules, and provisions like the ``minimum 
necessary'' requirement, that appears to be premised on the notion that 
health care professionals cannot be trusted to collect and use 
information appropriately in order to deliver first class health care?
    I am concerned that the HIPAA regulations will interfere with the 
convenient and flexible delivery of health care, curtail the free flow 
of information for medical research and health care quality management, 
and impose huge costs on the health care system without corresponding 
benefits to consumers. By micro-managing the collection and use of 
personal health information, HHS is substituting its bureaucratic 
judgment for the business judgment and the innovative creativity of the 
health care community.
Costs and administrative burden
    As just noted, the HIPAA regulations will impose enormous costs and 
administrative burdens on health care providers, health plans and 
health care clearinghouses. The requirements to obtain affirmative 
consents prior to rendering care, to respond to requests for individual 
restrictions on the disclosure or amendment of personal health 
information, and to provide a grievance procedure place major system 
burdens on the health care system.
    I am not an economist but, based on my experience, HHS greatly 
underestimated the cost of compliance. I know that in drafting HIPAA 
implementation plans for clients during the past three months, I have 
been dismayed by the enormous number of changes to systems, policies 
and procedures, training, patient communications, and compliance 
programs that these regulations impose on businesses large and small. 
These changes will cost a lot of money--far more than HHS estimated--
and will be passed on in some combination of higher health care costs 
or reduced benefits.
Minimum Necessary
    The HIPAA regulations require that when using or disclosing 
protected health information or when requesting protected health 
information from another covered entity, a covered entity must make 
reasonable efforts to request, collect, or use only the ``minimum 
necessary'' protected health information to accomplish the intended 
purpose. This requirement does not apply with respect to disclosures to 
or requests by a health care provider for treatment, for disclosures 
required by law and certain other disclosures.
    I find this provision troubling for several reasons. First, as 
noted above, it appears to reflect a suspicion that health care 
professionals collect and use personal health willy-nilly, for no valid 
reason. Moreover, the ``minimum necessary'' requirement is not even 
mentioned in the Act which raises the question of HHS's statutory 
authority to adopt this requirement. The cost of this requirement is 
also a major concern. By the HHS's own estimate, compliance with this 
will cost $5.8 billion--roughly one-third of the estimated cost of 
compliance for the entire privacy regulation.
    Finally, in my view, the ``minimum necessary'' requirement has the 
potential to be ``maximum dysfunctional'' by adding unnecessary 
administrative red tape to payment processing and health care 
operations. Even though the rule allows for routine uses to be defined 
and general protocols to be developed to facilitate the minimum 
necessary determination, it will be very difficult to define parameters 
for requests for information from health care insurers and other 
payers. Each patient encounter is different, and the information 
necessary to process a claim for payment will vary depending on the 
medical condition involved, the terms of the health insurance coverage, 
and the medical history of each patient. For non-routine uses or 
disclosures, a minimum necessary determination would be required for 
each use or disclosure. Likewise, health care operations will be 
impaired by the requirement. Activities involving patient care 
information, such as peer review, quality assurance, mortality and 
morbidity studies and medical education do not involve patient 
treatment directly and, therefore, will require that a minimum 
necessary determination be made for each use and disclosure of 
protected health information involved in those complicated processes.
    I also question the need for the minimum necessary requirement in 
the context of health care payments. Health insurers already are 
required by state insurance law to maintain the confidentiality of 
medical records and to utilize only the information that is 
``reasonably necessary'' for enrollment or payment purposes. In 
addition, the transactions standards under development by HHS will 
specify the items of information necessary to process health claims 
under the requirements applicable to health claims attachments. When 
the items of information are specified as part of the transactions 
standards, it will be unnecessary to impose a minimum necessary 
requirement on the parties involved in the claims process.
    With regard to health care operations, I am concerned that the 
minimum necessary requirement will unduly impair the delivery of 
healthcare. Patient care information is vital to carrying out peer 
review, quality assurance, statistical studies, and medical education 
activities. Confidentiality laws already protect medical records in 
every state. Imposing a minimum necessary requirement on those 
activities will affect the quality of care and is unnecessary. I 
recommend that with regard to health care operations, the standard be 
changed to permit the disclosure of information that is ``reasonably 
necessary'' for a particular purpose. Such a requirement would be far 
less burdensome, would be flexible to accommodate the wide variety of 
activities and would provide adequate protection for the privacy of 
protected health information.
Regulation of ``business associates''
    The HIPAA privacy regulations impose new requirements on thousands 
of companies and individuals that do business with covered entities. 
HHS's goal, namely, to complete the circle of protection for personal 
health information, is commendable but flawed. The requirements imposed 
on business associates--including writing policies and procedures, 
keeping records of disclosures, providing access to personal health 
information, and making amendments upon request--are unnecessarily 
burdensome.
    In addition, I question the appropriateness and the fairness of 
attributing the behavior of a business associate to a covered entity 
for purposes of determining compliance with the HIPAA regulations. I 
suggest that the regulations be clarified to ensure that a violation by 
a business associate cannot be used by the Secretary as a basis for an 
enforcement action against a covered entity.
Consent before treatment
    The requirement that health care providers obtain consent before 
treating an individual is unnecessary and will interfere with the 
efficient and convenient delivery of health care. For example, under 
the final regulation a pharmacist could not permit a relative or friend 
to pick up medication for a sick person unless the patient had 
consented in advance.
    State medical record confidentiality laws and professional ethical 
principles have protected the privacy of personal health information in 
the treatment setting for many years. The new regulation will be very 
costly to implement and will not significantly increase the protection 
of personal health information.
    Thank you, Mr. Chairman and members of the Subcommittee, for 
providing this opportunity to share my views.
                                 ______
                                 
     PREPARED STATEMENT OF THE AMERICAN ASSOCIATION OF HEALTH PLANS

    The American Association of Health Plans (AAHP) is the principal 
national organization representing HMOs, PPOs, and other network based 
health plans. Our member organizations arrange for health care services 
for approximately 140 million members nationwide. AAHP and its members 
have long been committed to protecting the confidentiality of personal 
health information. AAHP's members are ``covered entities'' for 
purposes of the HIPAA privacy regulation that has been issued by the 
Department of Health and Human Services (HHS). Consequently, AAHP's 
member plans are directly affected by the HHS regulation.
    AAHP continues to support uniform federal standards that encourage 
patients to communicate openly and honestly with their physicians, 
while at the same time ensuring that health information vital to 
helping patients get the care they need when they need it continues to 
flow freely among entities that are responsible for providing, 
coordinating, and paying for health care. AAHP believes that it is 
possible to meet the dual goals of maintaining the confidentiality of 
personal health information and permitting information to be used to 
perform essential functions. While the final regulation has been 
improved from its proposed form in many areas, AAHP believes further 
improvements are necessary to meet these dual goals. The concerns 
discussed here are among AAHP's most significant. We will be submitting 
formal comments to HHS highlighting more thoroughly our comments on the 
final regulation during the additional comment period recently provided 
by HHS.
Consent:
    AAHP fully supports the final regulation's provision that permits 
health plans to use and disclose protected health information for the 
essential, routine activities of treatment, payment, and health care 
operations without separate patient consent. The department recognizes 
plans' need for protected health information to perform their essential 
health care functions. However, AAHP is concerned that the final 
regulation requires providers to obtain consent for these same routine 
functions. This bifurcated consent approach is a complete reversal from 
the proposed regulation, which allowed both plans and providers to use 
protected health information for routine purposes without separate 
consent.
    Today, physicians and health plans work together to organize care 
for patients. As a practical matter, health plans depend on providers 
to supply health information about plan members which oftentimes is 
not provided through claims data. The final regulation creates 
obstacles to patients getting preventive care by requiring physicians 
to have patients fill out paperwork (consents) that will let the 
providers share that information with health plans. The information is 
critical, for example, to making sure that a person with diabetes gets 
annual eye exams to prevent blindness. If the paperwork isn't done 
exactly right, is missing, or runs into some other problem, the patient 
may not get the care they need when they need it. This conflicts with a 
recent Institute of Medicine report that identifies the lack of 
coordination as one of the big problems in American medical care. These 
rules would make that problem worse, not better.
    AAHP is concerned that the new consent approach will have 
significant consequences on health plans' ability to obtain critical 
patient information needed to conduct certain health care operations 
activities. Again, unless the provider obtains adequate consent, plans 
may not have the necessary information at their disposal.
    If a health plan cannot obtain health information about its 
members, it cannot perform essential health care operations required by 
purchasers or private accreditors, such as reporting HEDIS measures and 
conducting quality assurance and utilization management activities, all 
of which are essential to ensuring quality care.

Preemption:
    AAHP recognizes that HHS has limited authority to change the 
statutory mandate of HIPAA with respect to the preemption of state 
privacy laws. However, we would like to take this opportunity to 
reiterate our support for confidentiality standards that recognize that 
increasingly, health information moves across state lines--whether from 
one physician to another for consultation or from a physician to a 
claims processor in a neighboring state. The dual state and federal 
regulation created under the final privacy regulation poses significant 
confusion for consumers and compliance issues for covered entities. The 
final regulation layers a new comprehensive set of federal rules on top 
of an already existing complex patchwork of state privacy laws.
    AAHP is concerned that the inconsistent demands of state and 
federal privacy laws under the complex construct of the HIPAA 
regulatory model will create more red tape and frustration for health 
care providers and consumers. Doctors, health plans and other covered 
entities must determine, on a provision by provision basis, which parts 
of state law would be retained and which would be replaced by federal 
law. Instead of facilitating health plan members' knowledge of their 
privacy rights, this complex regulatory framework is sure to confound 
individuals.

Unanticipated Consequences for Consumers:
    In addition to being concerned about the bifurcated consent 
structure and preemption, AAHP is concerned about unintended 
consequences the final regulation creates that we are only beginning to 
identify and that will have a direct impact on care provided. For 
example, pharmacists are extremely concerned that they will not be able 
to fill or refill prescriptions for consumers, and prescriptions called 
in by physicians will not be filled, unless a written consent is on 
file at the pharmacy. This will create delays for patients, for parents 
with sick children, and others who will have to come to the pharmacy to 
sign consents before the pharmacist can fill or refill a prescription. 
Elderly and disabled individuals will have to obtain and sign a written 
consent form and somehow deliver it to the pharmacist before anyone can 
pick up their prescriptions for them. While the creation of such 
consequences was surely inadvertent and unintended when the final 
regulation was being developed, other similar examples will undoubtedly 
surface as covered entities begin to implement the final regulation and 
encounter other practical limitations.
    We need only look to the experience in the states to see how 
unintended consequences have arisen. In some of the states that have 
gone ahead and enacted comprehensive privacy laws, we've seen a number 
of unforeseen consequences that, in some cases, have caused states to 
repeal or amend their laws. In Maine, for example, florists were unable 
to deliver flowers to hospital patients. In Hawaii, the state's 
workers' compensation program had to be shut down for three months in 
order to collect patient authorizations. And, in Minnesota, researchers 
were unable to conduct meaningful medical records research because not 
enough patients were mailing back their permission forms. These are 
real examples of what occurs when the flow of information is restricted 
between and among covered entities who need information to conduct 
routine, quality enhancing activities for patients.
Treatment of Existing Protected Health Information:
    Another key issue is the application of the regulation to protected 
health information created or collected even before the compliance date 
of the regulation. As a result, providers will be unable to use 
information they already have unless they've obtained patient consents. 
In states where patient consent is not required for treatment purposes 
(for example in California), providers will have to go back to all of 
their patients and obtain consent to use the information they already 
have and have been using all along in order to be in compliance with 
the regulation. The task of obtaining consent forms from over 200 
million Americans within the two year compliance date is a staggering 
problem that could interfere with everything from refilling routine 
prescriptions as discussed above, to sending out reminder notices about 
appointments, medication compliance, etc.
    Moreover, given health plans' reliance on providers for patient 
information to conduct quality improvement and other activities, the 
impact of this issue will be felt throughout the health care system.
    These are just a few of AAHP's concerns with the final HIPAA 
privacy regulation. Further concerns will be expressed in our comment 
letter to HHS on the final regulation. We appreciate the opportunity to 
submit written testimony before the Subcommittee on this very important 
issue.
                                 ______
                                 
    American Association of Occupational Health Nurses Inc.
                                                     March 26, 2001
Honorable Michael Bilirakis
Chair, Energy and Commerce Health Subcommittee
The Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515

Attention HHS Privacy Regulations Hearing March 22, 2001

    Dear Representative Bilirakis: On behalf of the American 
Association of Occupational Health Nurses Inc. (``AAOHN''), I would 
like to thank you for the opportunity to provide written comments to 
the March 22 hearing record on the Final Rulemaking released by the 
Office of Assistant Secretary for Planning and Evaluation, Department 
of Health and Human Services (``HHS''), regarding standards for privacy 
of individually identifiable health information.
    AAOHN, a 12,000-member professional association, is dedicated to 
advancing and maximizing the health, safety, and productivity of 
domestic and global workforces by providing education, research, public 
policy, and practice resources for occupational and environmental 
health nurses. These nurses are the largest group of health care 
providers serving the worksite. As health care providers, we are 
committed to ethical standards that place a high priority on 
maintaining the confidentiality of the individually identifiable health 
information contained in the medical records that we create and/or 
maintain as an integral part of our jobs.
    We know from first-hand experience that our members' clients--
employees across the country--are especially concerned about the 
confidentiality of the health information available to employers 
through their operation of employee health benefits plans and 
occupational health departments. Workers are afraid their companies 
will use health information inappropriately when decisions are made 
about hiring, job placement, promotion and firing.
    Unfortunately, we also know from first-hand experience that 
workers' fears are sometimes warranted. The HHS rule represents a 
significant first step toward health privacy in the workplace, 
particularly because of the protections it creates for health 
information heretofore available to employers through their sponsorship 
of employee health benefits plans. Still, the rule does not do enough 
to eliminate employees' risk of inappropriate health information 
disclosures to their employers because it does not adequately protect 
occupational health information. As a result, many employers will 
continue to have relatively free access to personal health information 
obtained through fitness-to-work examinations, occupational safety and 
health initiatives, and workers' compensation programs.
    The HIPAA statute itself limits the definition of ``covered 
entity'' to health care providers who engage in the statute's standard 
electronic transactions. Neither the statute nor the rules designed to 
implement it apply to the majority of occupational health care 
providers because they do not bill third-party payers for their work. 
Thus, the rule fails to support the professional responsibilities of 
occupational health professionals who are ethically bound to keep 
health information on employees confidential.
    AAOHN recognizes that employers do have legitimate needs to have 
access to certain health information for managing workers' compensation 
or other benefits, accommodating a disabled employee, or assessing an 
employee's physical capability to complete assigned tasks. However, 
this does not mean that an employer should have unfettered access to 
unrelated information--such as an employee's diagnosis or entire 
medical file.
    Additional legislation is needed to authorize the development of 
privacy rules that will draw the privacy lines appropriately for 
information collected and used in the work environment. Extending 
coverage to all health care providers would close the gap in 
protections for occupational health information in the work 
environment, preventing the possibility that it will be used in making 
determinations about hiring, firing or promotion. Without additional 
legislation, misuse of much personal health information in the work 
environment will remain unchallenged.
    Despite the statutorily required shortcomings of this rulemaking in 
protecting all occupational health records, it is imperative that the 
implementation of the rule not be delayed. AAOHN believes that you have 
the authority to make refinements to the final rulemaking without undue 
delay of these regulations. These new privacy regulations are a major 
step towards protecting the health and medical information of 
Americans. It is time to move forward and devote our energy, time, and 
resources toward implementing the Privacy Rule, rather than wasting 
precious resources debating whether the regulation should even take 
effect.
    Should you need additional information related to our comments, 
please feel free to contact me at 770-455-7757 ext. 104 or by email at 
[email protected]. Thank you in advance for your thoughtful consideration 
of these comments.
            Sincerely,
                                                 Kae Livsey
                                 Public Policy and Advocacy Manager
General Comments on the Rule
    Overall, the American Association of Occupational Health Nurses 
(AAOHN) believes that the final standards for the privacy of 
individually identifiable health information (``Privacy Rule''), 
published December 28, 2000, constitute a significant step towards 
restoring the public trust and confidence in our nation's health care 
system and should be implemented without delay.
Sec. 164.534
    AAOHN strongly supports maintaining the current effective date of 
the Privacy Rule. The Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) mandated that regulations governing the privacy of 
health information be promulgated by February 2000. These privacy 
standards are long overdue, already have been thoroughly debated, and 
should be put into effect promptly.
    For well over a decade, policy makers have recognized that there is 
a need for a federal law protecting the privacy of health information. 
Federal protections for health information were included in every 
proposal on health care reform in the early 1990's.
    The rule-making procedure up to this point has been a lengthy and 
thorough, yet orderly, process. HHS employees spent almost a year 
reviewing, analyzing, and crafting responses to the comments that the 
agency received on this rule. The thoroughness with which HHS 
considered these comments is reflected by the fact that almost 200 
pages of the preamble to the final regulation are devoted to 
summarizing and responding to these comments.
    As to assertions that the Privacy Rule should be delayed because 
some of its provisions are ``ambiguous,'' AAOHN understands that there 
are always interpretative issues when any major rule is adopted. These 
issues properly are resolved by the agency's issuing guidance on the 
regulation after it has taken effect. The Privacy Rule is no exception 
to this general procedure. The purported ambiguity of isolated 
provisions does not justify delaying the effective date of the entire 
Privacy Rule.
    To the extent there are legitimate implementation issues that 
cannot be remedied through the issuance of guidance, HIPAA expressly 
provides a mechanism for resolving these difficulties after the Privacy 
Rule becomes effective. Under Section 262 of HIPAA (adding Section 1174 
to the Social Security Act), the Secretary has the authority to modify 
the privacy standards during the first 12 months after the standard is 
adopted (i.e., becomes effective) when such modification ``is necessary 
in order to permit compliance with the standard.'' Thus, HIPAA 
anticipates and provides a statutory mechanism for resolving 
implementation problems after the regulation becomes effective.
Sec. 164.502 and Sec. 164.504
    We strongly support the requirement that covered entities receive 
satisfactory assurance that their business associates will properly 
safeguard protected health information before either disclosing this 
information or allowing a business associate to receive protected 
health information on their behalf. Absent such a requirement, covered 
entities could easily circumvent the Privacy Rule merely by contracting 
out their business functions. Furthermore, these restrictions properly 
expand, albeit in an indirect fashion, the protections of the Privacy 
Rule.
    Ideally, a health privacy law or regulation would impose 
restrictions directly on all health care providers, regardless of their 
involvement in HIPAA standard transactions, and on those who receive 
protected health information, including the agents and contractors of 
health care providers and health plans. Unlike health care providers, 
these downstream users and processors often do not have an ethical 
obligation to maintain patient confidentiality. AAOHN recognizes, 
however, that the proposed regulations were unable to directly cover 
all health care providers and these organizations due to the 
Secretary's limited authority under HIPAA. Regulating the agents and 
contractors of covered entities indirectly, through the covered 
entities, makes sense in these circumstances. This is particularly true 
since many covered entities already enter some form of contract with 
their business partners.
    Other organizations have complained that business associate 
contracts would be complex and result in significant time and resource 
burdens, and would require the writing or rewriting of many new 
contracts. Having contracts in place specifying what agents are 
permitted to do with sensitive health information just makes good 
business sense. Additionally, the implementation specifications for 
business associate contracts are clear and straightforward and should 
not result in complex contracts. In order to reduce any administrative 
burden, covered entities are free to develop standard contracts or 
standard addenda to existing contracts.
Sec. 164.504
    Most people get their health insurance through employer-sponsored 
health plans governed by ERISA (the Employee Retirement Income Security 
Act). Many fear that employers know more than they should about 
employees' (and dependents') private medical information and may use 
that information inappropriately to make employment decisions. The 
final regulation goes as far as it can to protect workers and their 
dependents from inappropriate disclosures of information generated 
through health plan operations. However, a great deal of individually 
identifiable health information available through occupational health 
programs can still be accessed by employers and human resource 
departments and used to make decisions relating to hiring, firing and 
promotional opportunities.
    Statutory limitations inherent in HIPAA prevent this rulemaking 
from fully protecting all health records held by employers. It is 
imperative that both HHS and Congress recognize that a great deal of 
health information collected and maintained by employers does not flow 
from their operation of an employee health plan. Because these gaps in 
protection exist, employers will continue to have relatively free 
access to personal health information obtained through fitness-to-work 
examinations, occupational safety and health initiatives, and workers' 
compensation programs. The only remedy for this problem is additional 
federal legislation to cover all health care providers.
    For example, many health care providers who are in workplace 
settings are not considered ``covered entities'' under the new rules 
since they do not engage in any of the ``standard HIPAA transactions'' 
(submitting claims, billing or transmitting information). Therefore, 
the employee health information collected by them in the course of 
their duties is not protected under the final rule. Despite having 
ethical principles to maintain confidentiality, these providers can be 
forced to turn over personal health information to management and human 
resources personnel who have hiring, firing and promotion capacity.
    Additionally, information sent from an employee's primary care 
provider to a health care provider in a workplace setting may also be 
unprotected. If an employee is being treated by her primary care 
provider for breast cancer, a release and consent is legally required 
for her provider to send health information to the employer about the 
employee's ``return to work'' restrictions. Information released for 
payment of health claims for treatment or surgery would be protected 
under the HHS rules. However, once received by the health care provider 
responsible for the employer's productivity management and return to 
work programs, that information loses its protection if the receiving 
health care provider does not engage in ``standard HIPAA 
transactions.''
    Again, legislation establishing a comprehensive federal health 
information privacy law is necessary to be able to reach all medical 
records regardless of the medium in which they are created and/or 
maintained and regardless of who holds the records. AAOHN also believes 
the comprehensive health privacy legislation should provide protections 
against inappropriate uses and re-disclosures after an authorized 
release.
    In light of the limitations which flow from the narrow scope of the 
HIPAA statute, AAOHN very much supports provisions that require the 
erection of firewalls to separate the group health plan functions of 
the employer/plan sponsor from the rest of the employer/plan sponsor. 
Firewalls are essential whether employees of the plan sponsor perform 
only functions related to the administration of the group health plan 
or combine those responsibilities with other job functions. These 
safeguards are essential to protect privacy given HIPAA's failure to 
allow HHS to reach employers/plan sponsors directly and the genuine 
concerns of the public about access to personal health information by 
employers. AAOHN only wishes that Congress would expand the authorizing 
legislation to permit the creation of similar firewalls around records 
held in occupational health departments manned by health care providers 
who do not engage in HIPAA standard electronic transactions.
Sec. 164.512 and Sec. 164.514
    AAOHN believes there are a number of other weaknesses in the final 
regulation, most especially the regulation's treatment of law 
enforcement access and marketing and fundraising by covered entities, 
but even these serious weaknesses do not warrant further delay in the 
effective date. Nor, despite the importance of these issues to 
consumers, do we seek to reopen the rule-making process in the hope of 
achieving changes in these areas.