[Senate Hearing 108-256] [From the U.S. Government Publishing Office] S. Hrg. 108-256 HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE? ======================================================================= HEARING before the SPECIAL COMMITTEE ON AGING UNITED STATES SENATE ONE HUNDRED EIGHTH CONGRESS FIRST SESSION __________ WASHINGTON, DC __________ SEPTEMBER 23, 2003 __________ Serial No. 108-23 Printed for the use of the Special Committee on Aging U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2004 91-119 PDF For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 SPECIAL COMMITTEE ON AGING LARRY CRAIG, Idaho, Chairman RICHARD SHELBY, Alabama JOHN B. BREAUX, Louisiana, Ranking SUSAN COLLINS, Maine Member MIKE ENZI, Wyoming HARRY REID, Nevada GORDON SMITH, Oregon HERB KOHL, Wisconsin JAMES M. TALENT, Missouri JAMES M. JEFFORDS, Vermont PETER G. FITZGERALD, Illinois RUSSELL D. FEINGOLD, Wisconsin ORRIN G. HATCH, Utah RON WYDEN, Oregon ELIZABETH DOLE, North Carolina BLANCHE L. LINCOLN, Arkansas TED STEVENS, Alaska EVAN BAYH, Indiana RICK SANTORUM, Pennsylvania THOMAS R. CARPER, Delaware DEBBIE STABENOW, Michigan Lupe Wissel, Staff Director Michelle Easton, Ranking Member Staff Director (ii) C O N T E N T S ---------- Page Statement of Senator Larry E. Craig.............................. 1 Panel I Richard Campanelli, Director, Office for Civil Rights, U.S. Department of Health and Human Services........................ 3 Jared Adair, Director, Office of HIPAA Standards, Centers for Medicare and Medicaid Services................................. 22 Panel II Cathy Treadway, Medical Practice Administrator, The Woman's Clinic, Boise, ID.............................................. 53 Mary R. Grealy, President, The Healthcare Leadership Council..... 65 Alissa Fox, Executive Director of Policy, Blue Cross Blue Shield Association.................................................... 76 Janlori Goldman, Director, the Health Privacy Project............ 95 APPENDIX Questions from Senator Lincoln to HHS............................ 127 Statement of the American Psychiatric Association................ 129 The Center for Medicare and Medicaid Frequently Asked Questions.. 132 Additional information submitted by the American Psychiatric Association.................................................... 134 Statement of the American Clinical Laboratory Association........ 168 (iii) HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE? ---------- TUESDAY, SEPTEMBER 23, 2003 U.S. Senate, Special Committee on Aging, Washington, DC. The committee met, pursuant to notice, at 9:34 a.m., in room SD-628, Dirksen Senate Office Building, Hon. Larry Craig (chairman of the committee) presiding. Present: Senators Craig and Fitzgerald. OPENING STATEMENT OF SENATOR LARRY CRAIG, CHAIRMAN The Chairman. Good morning everyone. Thank you all for being here. I think some of our witnesses, and probably some who would wish to attend, are still struggling in the aftermath of Isabel. With the transportation and traffic lights and, of course, last night's heavy rainstorm, it has slowed everything down a bit. Some of my colleagues will be joining me this morning. It is a busy morning here on the Hill. We want to thank you all for joining us today. Today's hearing will examine an issue of critical importance to the U.S. health care system and to the 40 million seniors who depend upon it. Seven years ago, Congress enacted the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. At that time, HIPAA's insurance coverage provisions were the pieces that received the lion's share of the attention, and few paid much attention to other but equally significant health care changes buried within the bill. Today, 7 years later, two such provisions are at long last emerging from a long and tortuous regulatory process. One of these, a new set of requirements governing medical information privacy, went into effect in April. The other is a bundle of new regulations for standardizing medical claims and transactions which is scheduled to go into effect just three short weeks from now. Few can argue with the underlying intent of these regulations, namely, the streamlining of health care transactions and the protection of medical privacy. However, as is often the case with Federal rulemaking, a kernel of congressional intent has grown into a towering tree of regulatory complexity that I don't think even Isabel could have blown over this past week. But even with the Federal bureaucracy standards, HIPAA is extraordinary. The privacy provisions in the original law, for example, numbered just 337 words, whereas the final HHS regulation now runs up to 101,000 words. I have heard from many Idaho doctors, patients and others, who are deeply troubled by the confusion, disruption and uncertainty these new rules are creating in the health care system. During the month of August, and for the last couple of years, at the town meetings that I regularly hold in my State, doctors and providers attended expressing great frustration over what is anticipated. More onerously, the looming HIPAA transaction rules, if they are not reasonably implemented by CMS, threaten to trigger what some say may be a train wreck of stopping payments, cash-flow disruptions, denied care, or even a widespread revision from electronic back to paper claims, precisely the opposite effect Congress intended. Legislation I sponsored in the last Congress postponed the implementation of the transaction rules by one year, but it is clear that grave problems remain. Meanwhile, the new HIPAA Privacy Rules are continuing to cause confusion among patients, providers and insurers. Stories of hospitals turning away family members seeking information about their loved ones, as well as ideological and disruptive effects, are common among the letters I receive from my constituents. Also disheartening is the fact that these new regulations are costing doctors, hospitals, health plans and, inevitably, patients, millions if not billions in compliance costs. We would be remiss if we failed to ask: are the benefits from these new regulations worth the heavy bite they are taking out of our country's already squeezed health care budgets? Are needed resources being diverted from the quality of patient care, and equally important, is HHS doing everything it can to implement a smooth and reasonable process? Here today are senior officials from HHS to answer some of these questions, as are representatives of providers, insurers, and patients respectively. So I look forward to their testimony. On our first panel today we will hear from the officials at HHS most directly responsible for overseeing both the new transaction regulations and the recent medical privacy rules. Jared Adair is Director of HIPAA Standards for the Center for Medicare and Medicaid Services, the agency charged with implementation and enforcement of the codes and transactions. Also with us is Rick Campanelli, Director of the Office of Civil Rights at HHS, the office charged with a similar role, managing HIPAA's medical information privacy requirements. Miss Adair, we are eagerly interested in hearing from you about CMS's plans for the looming October 16 implementation deadline. As you know, with only weeks to spare, providers, payers and others are waiting with baited breath for the directions from CMS, and I'm hopeful that you can clarify for us today your agency's intentions as specifically and clearly as possible. Also, Director Campanelli, we are looking to you to provide us with a much-needed clarification about what the new Privacy Rules or do not do, or do not require, in common practice situations and about what your agency is doing to make continuing implementation as smooth as possible. Confusion, as you know, runs very, very high amongst all those that I have mentioned. So, with that, Director Campanelli, why don't we start with your testimony this morning, and then we will turn to Miss Adair. Thank you both for being with us. STATEMENT OF RICHARD CAMPANELLI, DIRECTOR, OFFICE FOR CIVIL RIGHTS, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Mr. Campanelli. Thank you, Chairman Craig. I appreciate the opportunity to appear before you today to discuss the HIPAA Privacy Rule. As Director of the HHS Office for Civil Rights, I oversee, as you said, ``The office that has responsibility for implementing, enforcing and aiding covered entities to come into compliance with the rule.'' Just over a year ago, on August 14, 2002, Secretary Thompson finalized modifications to the Privacy Rule that strengthened its privacy protections and improved workability. With the rule's effective date last April, patients now have critical Federal protections over the privacy of their medical records, rights to access and to correct errors in their medical records, rights to control how their protected health information is used and disclosed, and a clear avenue of recourse if the rights afforded by the rule are violated. I know that some 5 months now after the compliance date has passed that the committee is interested in hearing how compliance is proceeding and what the Department is doing to promote compliance and to address areas of confusion that may have arisen with respect to the rule. A number of the concerns that have come to our attention actually are not a problem with the rule itself but, rather, misconceptions about the rule, and we are working hard to correct those misconceptions, as you will hear. For instance, along the lines of some of those misconceptions, we have seen reports that doctors may not share patient information with other providers unless they first have a patient's expressed written consent to do so. That's not true, or perhaps it's more accurate to say that we fixed that a year ago. The August, 2002 Privacy Rule modifications specifically allowed doctors and other providers to share this information for treatment purposes, to obtain payment, or to carry out their day-to-day operations without first having to obtain a patient's written approval. Along with having made that and other essential modifications before the rule went into effect, we have worked hard to provide extensive technical assistance to covered entities to help them comply with the rule and to minimize the cost and administrative burden of compliance. For example, we issued extensive guidance and answers to frequently asked questions so that entities have ready and free access to correct information. We must be doing something right, because our data base, with some 200 frequently asked questions that are searchable, has been accessed over 1.2 million times since the beginning of the year, most of that just in the last few months. If you look at Exhibit 2 in your materials and also up here, the second chart on the wall, the sample that you will see shows just the first opening page of those FAQs, and it shows that these FAQs set the record straight and clarify misconceptions on a wide range of issues. While it is still early to assess compliance with the rule overall, we believe that, as a result of our modifications and technical assistance, covered entities are widely complying with the rule, individuals are widely benefiting from the important privacy protections they received, and misconceptions are being resolved and eliminated. We recognize and are sensitive to the costs necessarily associated with the implementation of the rule. That concern was behind the modifications which improved workability and reduced compliance costs. In December, 2000, we estimated costs associated with the rule, as restated in my testimony, and have seen cost estimates from time to time from various industry sectors, but we can't evaluate how credible those industry reports are. We note that most of the industry estimates we saw arose prior to the rule's implementation, and many times were associated with dire predictions of collapse of the entire health care system, which obviously wasn't correct. Nevertheless, we remain attuned to the wide range of industry and consumer groups who inform us about their perspectives on the impact of the rule, often within particular industry segments. In addition, we are continuing to develop and publish guidance to assist covered entities in complying with the rule. Let me highlight some particular elements of that guidance. We have reached tens of thousands of people through our presentations on the Privacy Rule over the last couple of years. With a toll-free line we sponsor together with CMS, we received 14,000 phone calls just since April 1, and we responded to those calls. It's an indication, we hope and expect, of success in this regard, in that the volume of calls we are receiving now is about a third of what it was when the rule first went into effect in April. It is gratifying that many of the questions we get on those calls and otherwise can be readily answered from the material on our website. I won't go through all of them, but if you look at Exhibit 1 there, that is the opening page of our website. There are some important documents there that are helpful to doctors and small providers like the ones you have reflected on. For example, there is a summary of the Privacy Rule, which is a clear summary, you can click through to particular documents that give you FAQs on particular topics, a covered entity decision tool, and sample business associate contract provisions. We even have a segment of the website that is focused on small providers where we have information that we think is relevant to folks that you mentioned you are concerned about. Finally, two other points. We also appreciate the assistance of other groups, including members of your second panel today, such as the Healthcare Leadership Council and the Health Privacy Project, which have produced important information about the rule. We have met with each of those groups and many others. Our commitment to help covered entities comply with the rule continues even as we are now pursuing our enforcement responsibilities, and in that process, Congress mandated in HIPAA that the Department resolve complaints through informal resolution with covered entities. The Privacy Rule similarly calls upon OCR to provide technical assistance to covered entities in appropriate circumstances, even in the context of resolving a complaint. Our approach to compliance and enforcement is to employ a variety of enforcement options available to us, as needed, to ensure that individuals receive the privacy protections afforded by the rule. At the same time, our experience to date is consistent with our expectation, that we will be able to resolve most complaints through voluntary compliance and informal resolution, the most expeditious way of effectuating the rights to the privacy of protected health information. Thank you for the opportunity to make this presentation. I look forward to your questions. [The prepared statement of Mr. Campanelli follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Thank you very much for that presentation. Now, Miss Adair, we will turn to you. Please proceed. STATEMENT OF JARED ADAIR, DIRECTOR, OFFICE OF HIPAA STANDARDS, CENTERS FOR MEDICARE AND MEDICAID SERVICES Ms. Adair. Thank you, Chairman Craig, and thank you for inviting me here to discuss the progress that has been made in moving toward compliance with the electronic transaction and code set provisions of HIPAA. CMS has a dual role in implementing HIPAA. The first is as a regulator and enforcer, and the second is as a covered entity, including Medicare, which is the largest covered entity. CMS also works closely with the State Medicaid programs that are, collectively, the second largest covered entity. From that dual vantage point, I can tell you that substantial progress has been made towards the October 16, 2002 compliance. However, I can also tell you that many entities still have a long way to go until they achieve compliance. Before I tell you what we have done to avoid unintended consequences on the compliance data, I would like to say that the health care industry continues to believe that the goal of HIPAA standardization is the right goal. What they have found out is that the ``devil is in the details'' and that accomplishing the goal is harder than originally thought. This is characteristic of many large systems development efforts. Another characteristic of large systems development efforts is the need for contingency planning. It is critical to acknowledge that things can go wrong and to have contingency plans to mitigate those risks. CMS published enforcement guidance that preserved October 16, 2003 as the compliance date, but also allowed for those working toward compliance to adopt contingency plans. If they make reasonable and diligent efforts to become compliant, CMS will not impose penalties on covered entities that deploy contingencies to ensure the smooth flow of payments. Specifically, as long as a health plan demonstrates its active outreach and testing efforts, it can continue processing payments to providers, even if providers cannot submit a compliant claim. While the industry welcomed our guidance, there were many who would have liked us to go farther. They wanted a legal safe harbor, but we went as far as the law permitted us. Accordingly, some health plans and payers are still reticent to announce or deploy contingency plans because of the potential of being viewed as legally noncompliant. To alleviate these concerns, CMS has been urging plans and payers to review the guidance, to assess their training partners' readiness, to consider their good faith efforts, and, as appropriate, to deploy a contingency plan. For example, Medicare is able to accept and process compliant transactions, but on September 4, CMS announced its contingency plan would be to accept and process transactions that are submitted in a legacy format, while continuing to work with their trading partners toward compliance. Just today, Administrator Tom Scully and Tom Grissom, Director of the CMS's Center for Medicare Management, announced the deployment of the Medicare contingency plan after reviewing statistics showing unacceptably low numbers of compliant claims being submitted. This will ensure the cash-flow to Medicare fee-for-service providers will not be disrupted. Another factor for consideration is the cost of implementation. The rule's impact analysis estimated a new savings to the health care industry, as a whole, of $30 billion over a 10-year period. The estimates were difficult to make. For example, there was no existing comprehensive base line showing the extent of electronic interchange in the industry, nor which transactions and code sets were in use. Many covered entities have revised upward their cost estimates because they have encountered unexpected complications. Aware that such a change to industry business processes would be a coster, we looked for ways to minimize the cost. First, we adopted standards that were developed by the industry and already in widespread use. Second, we provided support and education to facilitate implementation. Third, when implementation efforts highlighted potential portions of the standards that would have increased cost, CMS proposed and adopted modifications. While difficulties exist in achieving compliance, this is not the time to waver in our commitment to offer order and consistency in health care administrative transactions. Rather, this is the time to work with covered entities as they strive for the finish line. CMS has provided the potential for a smooth transition through our enforcement guidance for those still working to achieve compliance. We expect that plans and payers will favorably consider deploying contingencies to mitigate unintended adverse effects on covered entities' cash-flow and business operations. CMS expects that these contingencies will mitigate unintended consequences of the transition. We are often asked what will happen on October 16, 2003. Certainly, there will be problems, but plans and payers' willingness to appropriately deploy contingency plans will facilitate a smooth transition. The health care industry's combined emphasis on HIPAA compliance will allow us to make the promises of HIPAA a reality. Thank you. I look forward to answering your questions. [The prepared statement of Ms. Adair follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Miss Adair, thank you very much for your testimony. Let me start with questions to you first this morning, because I think you made some very important comments about CMS' plans for implementation on October 16, comments that I expect will be viewed with tremendous interest by thousands of doctors and hospitals and health plans and patients. Because of what you have just said and its importance, let me press you for a few moments for some clarification. Are you saying that CMS is today announcing a decision to deploy a contingency plan under which Medicare will continue to accept and pay non-HIPAA compliant or so-called legacy claims past the October 16 deadline, at least for a limited period of time? Ms. Adair. Yes, sir. I am indicating that today Administrator Scully did announce that we were deploying the contingency that will allow us to accept, to continue to accept--which we do right now--compliant transactions as well as transactions as we took them prior to HIPAA. We will continue to monitor. We will continue our good faith efforts of outreach and testing to try to move the rest of the folks from noncompliance into compliance. We will evaluate their progress and then determine how long to keep this contingency in place. The Chairman. Well, that's obviously very significant. Will private, non-Medicare health plans also be directed by CMS to adopt similar contingency plans involving acceptance of legacy claims past the deadline? Ms. Adair. Since we put out our guidance on July 24, we have had meetings with private insurers and talked to them about and encouraged them to do that. Those decisions are their own business decisions to make. We are not in a position to mandate that they do it, but we have talked to them about the potentials and encouraged them to announce contingencies and, as necessary, to deploy those contingencies. The Chairman. Will there be any adverse enforcement consequences to a plan if a private health plan takes this route? Ms. Adair. Should we receive a complaint, sir, that somebody had done that, we would go back to that health insurer and ask them what their good faith effort had been; had they done outreach, had they done testing. If they have, in fact, exercised what we would call good faith effort, there would not be any penalty taken against them for having deployed that contingency. The Chairman. Would good faith effort be determined by that kind of analysis? Ms. Adair. Yes, sir. The Chairman. When exactly will the details and fine print of CMS' contingency plan be available? Ms. Adair. We will today be sending instructions to our Medicare contractors, so it would be available at that time, sir. The Chairman. OK. We're 3 weeks away. Ms. Adair. That is the exact reason, sir, that on September 4, we indicated to providers and to insurance companies, if we were going to deploy our contingency, what it would be, so that they would have an understanding and be able to get themselves ready for that. We feel like announcing it in advance helps people understand what we would be doing. The Chairman. How closely will the actual contingency plan resemble the draft contingency plan informally circulated by CMS in recent weeks? Ms. Adair. Since September 4, sir? The Chairman. Yes. Ms. Adair. It will be exactly the same. Our decision today was to deploy that plan. The Chairman. Under CMS' contingency plan, for how long past the deadline will Medicare continue to accept legacy claims? Ms. Adair. I cannot give you a specific date, sir. We will be monitoring the percentages of compliant claims in production as well as of our providers who are submitting, and make the decision based upon that as opposed to a date certain. The Chairman. Will the contingency plan include not only provisions for payment of noncompliant claims but also protection from adverse enforcement actions? Ms. Adair. Could you ask that one more time? I'm sorry. The Chairman. Yes. Will the contingency plan include not only provisions for payment of noncompliant claims but also protection from adverse protection actions? Ms. Adair. I believe--I want to make sure I'm answering the correct question, sir. So the question is, not only are you concerned that not a negative action be taken against the plan, but about providers submitting those claims---- The Chairman. Yes. Ms. Adair. Should we receive a complaint about one of those providers, we would, in fact, ask them if they had made themselves good faith efforts to try to become complaint. If they had not, we would ask them for a corrective action plan to indicate how they would be moving forward. If they did either of those, either the good faith or corrective action, we would not have any conversations with them about enforcement action. The Chairman. OK. Ms. Adair. We would not ourselves--I'm sorry. The Chairman. Go ahead. Ms. Adair. We would not ourselves file a complaint against them. The Chairman. What is the HIPAA readiness of State Medicaid programs? Ms. Adair. The Medicaid programs, sir, run the gamut. There are, in fact, programs that are notably already compliant and have been taking compliant transactions for a while. For example, I believe Idaho has been taking compliant transactions since January. But there are others that are struggling right now. The good news is that all plans, all State Medicaid agencies, have already instituted contingencies. So even though they are still working toward compliance, they have plans to continue payment. The Chairman. Will Medicaid programs also be covered under CMS' contingency plan? Ms. Adair. No. Each State would themselves deploy the contingency. The Chairman. OK. Ms. Adair. What I mentioned today was specific to Medicare. Each Medicaid State agency, is responsible for deciding what their contingency is, as well as for deploying the contingency. The Chairman. Do you anticipate much of a revision by doctors to paper claims? Ms. Adair. I want to separate the conversation here of Medicare to all others. The Chairman. Yes. Ms. Adair. I will deal with the Medicare one first, if I might. The Chairman. Please. Ms. Adair. As you would certainly know, the ASCA legislation had a provision in there specifically on Medicare that said that, effective October 16, all claims should be submitted to Medicare electronically. There were two exemptions, notably for physicians' offices that are less than ten FTEs, as well as facilities with less than 25 FTEs, and would be allowed to continue to submit paper claims. But everybody else was required to submit electronically. So the answer to the question for Medicare is that we do not foresee much of a revision to paper. The Chairman. How will the contingency plans impact this? Ms. Adair. As you know, sir, Medicare has a very high percentage of claims coming in electronically, and since people would be allowed to continue in the legacy formats, it should have no impact there. For the rest of the industry, going back to paper will be driven by two things. No. 1, going back to paper would be very difficult for some providers if they were already submitting electronically. Reverting to paper would have them change many of their business practices, which I don't think they would want to be doing. Second is that providers may have contract arrangements with the plans that may not allow them to go back to paper. The Chairman. Let me switch now, because I think we're building an important record here that a few folks are going to be reading in the next few hours as we move toward these deadlines. This goes beyond that now to a statement you made about a $30 billion savings. What are CMS' current projections, if any, of the overall cost of system-wide compliance with the HIPAA transaction requirements to hospitals and doctors, et cetera? Ms. Adair. Well, the $30 billion was an estimate that was done back in the impact analysis with the August 2000 rule, which promulgated the standards themselves. What you're asking me, sir, is our experience in implementation---- The Chairman. That, because there's so many dollars out there for health care, and when we start diverting them to this kind of process and procedure, the natural reaction is they get diverted away from the patient and the care itself. I think that's going to be a growing concern here as we look at the overall cost of compliance. Ms. Adair. In our impact analysis we acknowledged, and I think continue to acknowledge, sir, that in the first couple of years we would experience the cost of change, change to these electronic formats, to these standards, to these new code sets, and that we would be experiencing a cost, and I think we have brought that to bear. The anticipation--and I think we still believe it--is that once we have, in fact, overcome the cost of change, the benefits will, in fact, be there. The Chairman. Well, that is the flip side and that's obviously fair to reflect on. That was going to be my next question. Have you looked forward, beyond the bubble of cost, if you will, to the effect and the savings that the system might benefit from? Ms. Adair. I think that every day, in conversations that we have with industry we assure ourselves that the benefits are, in fact, there. As I mentioned in my written testimony, when you take a look at what has happened in other industries, be it banking, be it the shipping industries, that the benefits of standardization, the benefits of inner-operability are there. It is the cost of change and the pain of change that is difficult to get through. So I believe we still do believe that the benefits are there. When you take a look right now, where there are over 400 proprietary formats that insurance claims can be submitted in, getting down to the HIPAA standards, the benefits that that will bring to the back offices of a physician or a hospital are, in fact, very large and very significant for the health care industry. So as you point out, it does take money, precious money, to do it right now, but the long-term benefits and the ability not to be expending those things in the future, certainly I think the balance says that standardization is the way to go. The Chairman. Well, we hope that is the case. A couple of last questions to you, Miss Adair. CMS announced recently that it would pursue a relatively relaxed complaint-driven approach to enforcing the new transaction rules. Now, I say that because I think doctors and hospitals have labored for years under a very aggressive CMS and OIG enforcement of Medicare fraud and abuse rules. What assurance should they have that CMS' approach to HIPAA will be different in the long run? Ms. Adair. We have been hopefully very clear, sir, that the most important thing for us when we talk about enforcement of HIPAA is compliance, that that is the goal we are working toward. We have been clear that we're going to be working on a complaint basis. Our hope is that the industry begins to work out the issues of noncompliance, but that if somebody wants to come to us and file a complaint, we will, in fact, work with them to become compliant. We will talk to them about where the aberrancies are. The legislation provided us the opportunity to work through corrective action issues before we ever got to a place where we would want to consider moving toward penalties, civil monetary penalties. So that our goal really is to exercise what was provided to us in the legislation, taking a look at corrective action measures before we move to any kind of negative activity. The Chairman. I think a friendly CMS in that area of compliance will be well-received. Even CMS itself concedes that only about 14 percent of its own Medicare transactions are currently HIPAA compliant. That is a disturbingly low number, considering we're just weeks away. Even assuming that implementation of contingency plans provide for temporary acceptance of non-compliant claims, do you believe it is possible for the U.S. health system to be ready for full conversion to HIPAA compliance any time in the foreseeable future? Ms. Adair. I think we are all responsible, sir, for continuing to do our best in outreach, getting people into testing, so that we dramatically improve what you point out is a very low number of claims in production. We are hopeful. It is true the number you cite, 14 percent of claims in production right now. The number of providers is somewhat higher, and the number of providers in testing is also somewhat higher. We believe that on October 16 the number will shoot up a little bit, but obviously, our opinion was certainly not enough to not deploy the contingency. But we will continue to work with folks and we do believe that, in our history, with changes of formats, that we see a steep curve at the very last moment, but we did not believe that it was adequate to not deploy our contingency, not putting those payments at risk. The Chairman. My last question of you--and obviously, we're seeing the scope of this regulatory process and moving toward compliance. How long do you think it will take for the full system to achieve HIPAA readiness, and what additional steps will CMS and the industry need to achieve to gain this goal? Ms. Adair. I believe that we have formed very good working relationships, sir, with the industry. We have been working with the associations, both for payers, plans, as well as provider organizations, associations. We will continue to be working with them to stress the importance of compliance, and we will be working with them, sharing with them the statistics that we have on both Medicare, and hoping they share their statistics with us, of those people that are testing, the issues that they are having in testing, and those as they move toward compliance. It is not until we see the results of those efforts that we could make a projection as to what is the date that we thought we believed we should drop our contingency. The Chairman. Director Adair, let me thank you for your thoroughness today and your openness to obviously these very real concerns that are out there across the industry at this moment. Ms. Adair. Thank you for the opportunity. The Chairman. I think your announcement today and the announcement of Director Scully come as a degree of relief, but a clear recognition that, because of the character of the law and its intent for implementation, there's going to have to be a push forward. I think that cooperative working relationship, helping systems through this, is a good deal better and a way for our government to approach this problem than to immediately start actions and compliance enforcement that recognizes fines and penalties. That is not the way to go here as we nudge this process along and bring it into compliance. We still have small practitioners out there that serve our communities and our citizens extremely well. Driving their costs up and the complexity of their operations up is not necessarily a way to achieve success and/or quality health care. So we thank you very much. Ms. Adair. Thank you. The Chairman. Rick, thank you for your patience. Let me follow up with a similar line of questioning to you, because your testimony touches on some areas where the new Privacy Rules have triggered confusion or disruption amongst patients and providers. Clearly, what you have outlined this morning and the response to your web page and the clarifications appear to be working, or at least certainly being reacted to. Whether they're working out there or not, or whether they're clarifying action within the waiting room, if you will, is yet to be seen. Nevertheless, because I and my colleagues continue to receive numerous complaints, I would like you to clarify, as specifically as you can, what the new rule does or does not require in a few key areas. These are, to what extent are providers free to share patient information with other providers? Mr. Campanelli. Well, that first one, Senator, is the one I alluded to in my opening remarks. We have a good treatment of it in the testimony and in the FAQs, which I recommend that everybody visit. The answer is that providers are quite free to share patient information with other providers for treatment and that means doctors can share freely with other providers without having to get advance written consent from any person. I think that's the area where you may have heard reports of confusion on that. The Chairman. Yes. Mr. Campanelli. I will say that the anecdotal reports we were getting of this early on, after April 14, we heard more of that initially than we're hearing now. I think there's a couple of reasons for that. First of all, we went out of our way to make it clear in the modifications that providers can share this information freely with other providers for treatment purposes. There are specific elements of the rule that provide this ability to freely share x rays or other diagnostic information with other providers. Second, we have guidance and FAQs specifically on this topic up there. The word we're getting is that when a provider is told by another provider that he can't have that information, he tells them ``yes, I can'', and this is why. The Chairman. Then this question. Are doctors at risk if they use informal or unsecured methods of communicating with each other, such as phone calls, e-mails and faxes? Mr. Campanelli. Well, the Privacy Rule requires that reasonable safeguards be adopted in transmitting information. But in most of those cases that you just described--faxes to a number that is routinely being used, phone calls to talk to a doctor, to another provider--certainly in all those cases that, of itself, would be permitted under the rule. It requires reasonable safeguards which the fax case, would likely be that you confirmed the correct fax number. So on our guidance on the web, we particularly talk about the ability of doctors to fax information to others for treatment purposes. We make that quite clear. The Chairman. Where, if at all, is it required under the rules for hospitals or other entities to deny information about patients to families or friends, to clergy, and what about law enforcement? Mr. Campanelli. Well, taking them in order, the rule certainly does not prohibit the sharing of that information. Now, the rule does, as you recognize, adopt provisions which protect the privacy of health information. That means that in many of those cases what we do is we start out with a requirement that the information be protected, unless there are provisions in the rule that allow it to be disclosed. But we have particular provisions in the rule that permit information to be shared with friends and family members, or even anyone who the individual patient identifies as being involved in their care. So in those cases where the patient does not object, the rule makes it clear that a doctor can share that information with friends, family members, others identified as involved in the care relevant to the treatment or even to payment, to helping the person obtain payment. Let me give a little bit more information about that, if I can, because there has been some confusion, where people have asked, ``well, what if the patient is not conscious or not present?'' In that case, the rule permits unless the patient has opted out, has expressed some indication before that they don't want the information to be shared--the treatment provider or the other covered entity to make that decision in the best interest of the patient. So whether the patient is there and conscious, or the patient is not there, the information can be shared when appropriate. The Chairman. Are patients required to accept the new privacy disclosures that doctors are giving out at doctor's visits before care can be provided? Mr. Campanelli. I'm sorry. Say that again, Senator. The Chairman. Are patients required to accept the new privacy disclosures that doctors are giving out at doctor's visits before care can be provided? Mr. Campanelli. I think what you're referring to is the Notice of Privacy Practices that the rule has. If you've been to the doctor, I know you have received one, and you've gotten one from your health plan as well. The answer is that patients are not required to accept them as a condition of treatment. In fact, all that's required is for the doctor or the other provider to provide the notice and make a good faith attempt to obtain the patient's acknowledgement of having received the notice. If the patient doesn't want to sign that acknowledgement, the doctor or other provider can merely note that they've made an attempt to obtain the notice acknowledgement from the individual. It is certainly not a condition of treatment to the individual. The Chairman. But that kind of information must be within the file to hold the doctor harmless? Mr. Campanelli. Well, the requirement is that the doctor or other provider make a good faith attempt to obtain a written acknowledgement or document why it was not obtained, so it would be prudent to just note that ``I attempted to get the person's acknowledgement--'' you know, someone in the office, not necessarily the doctor, but someone in the office to note that the attempt was made to get it from the individual. We've seen this happen in a wide variety of ways. The rule is quite flexible and scalable, as we say, about how this can happen. Sometimes there's a form that a person signs when they get the notice initially. They can sign it, and that is either handed back in, or if the patient declines to do it, then the appropriate person there at the office can just note that the patient declined to acknowledge receipt of the notice. You know, I realize I didn't answer one of your questions before that you asked. You asked me about clergy. The Chairman. Yes. Mr. Campanelli. Would you care for me to go back to that? The Chairman. Please, and law enforcement. Mr. Campanelli. Law enforcement. First, clergy. I was talking earlier about the opportunity in the rule, permission in the rule, for providers to share information with friends, families, or individuals. Well, clergy, similarly, of course, can receive information. But there has been some confusion in the clergy arena with the issue of hospital or facility directories, as they're referred to in the rule. Can a hospital have a directory of patient information? The answer is the rule envisions and anticipates that hospitals or other providers will have this directory of patient information, where the patient has the opportunity to be included or to opt out of having their information included in a directory, and the patient can also include, for instance, religious affiliation. So any member of the public--not just clergy, but any member of the public--can come in, ask about the patient, and if the patient has opted to be included in the directory, just like now, just like we're all used to, receive information about the patients location in the hospital, and general condition. In addition, clergy can view the directory without having to have the name of the person. They don't have to ask for the person by name, and they also can get the religious affiliation information. So we are very solicitous of and very careful to emphasize that individuals, friends, family, loved ones, others involved in care or clergy, can get the information. Let me mention that very early on, shortly after the compliance date, we got a call from a reporter actually that said a woman in one State had gone to a hospital to see her husband and was told that she was not allowed to see her husband because of HIPAA. I said, well, I don't think there's anything in HIPAA that prevents this. So I asked the reporter to go back and get a little information. Well, it wasn't HIPAA, it wasn't the hospital, so we wondered if the husband had actually declined to see the wife. It is not HIPAA. HIPAA permits opportunities to share information with spouses with families, and with clergy. Now, law enforcement. Let me go to that. The Chairman. Yes. Mr. Campanelli. There are a variety of circumstances under which law enforcement can have access to information. Again, this is an example where the Privacy Rule balances two key interests. A very important interest, which I know you recognize, is the privacy of personal health information, and also in this case the interest of law enforcement to carry out their important responsibilities. There are a variety of ways that law enforcement can have access to the information. For instance, information that is required by law to be disclosed may be disclosed to law enforcement. Reporting of gunshot wounds which, State law typically requires is permitted. Also, of course, where there's a court order or a warrant, the Privacy Rule permits that disclosure to occur. In addition, there are a variety of circumstances outlined in the rule that allow law enforcement to have access to this information. For instance, for the purpose of identifying or locating a suspect, a fugitive, a material witness or a missing person, that information is permitted to be shared with law enforcement. PHI, Protected Health Information about victims of a crime in response to law enforcement's request can be shared with law enforcement if the individual agrees. Protected Health Information about a decedent can be shared with law enforcement if there's a suspicion that death resulted from criminal conduct. Evidence of a crime that occurred on the covered entity's premises can be shared with law enforcement. So if there's an investigation going on right there about a crime, that can occur. If there is a provider on the scene of a medical emergency--for instance, let's say there's a covered entity that's an ambulance driver or company that is on the scene responding to a medical emergency, they can share information with law enforcement about the criminal activity, such as the nature and location of the crime, the location of victims, identity description, location of the perpetrator of the crime. So we have really tried to make it clear. We have heard of some areas where there's a misconception about this. But there's an array of particular balances in the rule where law enforcement is permitted to get this information, to permit law enforcement to continue. Our effort is to try to get the word out about this to law enforcement. A lot of law enforcement jurisdictions understand this. We have seen some areas where there's confusion on this and we've tried to be in touch with them. The Chairman. Are doctors subject to lawsuits if they inadvertently disclose protected information? Mr. Campanelli. There is no private right of action in HIPAA against doctors for violation of the rule. The Chairman. In your testimony you cite CMS estimates projecting the cost of compliance by the Privacy Rule in the neighborhood of $12-$17 billion over 10 years, and I'm sure you are aware that some private estimates put the cost quite a bit higher than that. Recognizing that, even before the new Privacy Rule, providers were already bound by the requirements of patient confidentiality, how much of a significant improvement are the new rules, and are they worth the upwards of $17 billion of the already scarce dollars we have discussed throughout this hearing? Mr. Campanelli. Let me say, Senator, that we are certainly sensitive to the cost issues about this. I think there was an understanding when Congress mandated or created the process by which the Privacy Rule would be created that there would be significant costs associated with it, and that they would be outweighed, it was thought, and we still believe, in the context of the cost savings from administrative simplification. One thing I would say. It's true that there are protections of privacy, laws to protect the privacy of medical information, that exist in various jurisdictions throughout the country. But they are really a patchwork of laws, and in many jurisdictions there is no protection at all. So certainly one of the key benefits of the Privacy Rule is to establish a Federal foundation of protection for those rights, and to make clear what those rights are. Like I mentioned before, the rights of access, the right to request an accounting of how disclosures are made and the right even to make a correction to the record, to name just a few; the right to make sure the information isn't disclosed for marketing purposes, or to employers, in violation of the rule. All of those are very important rights. I think our citizens are well-served by knowing that they have those rights, and many, I think when they're reading the notices of privacy practices that they receive, really have realized for the first time what is at stake here and what rights they have available. So we are convinced that the rights that are afforded now under the Privacy Rule are significant and essential to the protection of privacy of our citizens. We recognize there are costs, as Jared said, with respect to the CMS circumstance. There are significant startup costs associated with this and we recognize this. But we think, over time, and we expect--and we are working toward this end--that the protections of the rule and the requirements of the rule will really become understood as part of the fabric of how health care and payment are done and people will understand them better. The Chairman. Your testimony stresses that HHS is trying a primarily compliant-driven approach to enforcement, with an emphasis on informal resolution. Yet, recent reports indicate that HHS has begun forwarding HIPAA privacy complaints to the Department of Justice for criminal prosecution. How much of this is going on, and how does this fit with the policy of informal resolution? Mr. Campanelli. Well, I think it's completely consistent with it, Senator. You know, as I'm sure you recognize, some of the provisions of the rule, a subset of provisions of the rule, are subject to criminal penalties. HHS has responsibility for enforcement of violations of the rule that are subject to civil penalties, and the Department of Justice is responsible for violation of the rules that are subject to criminal penalties. So our referral of these cases to Justice reflects the fact that these are really within the purview of the Department of Justice to pursue them. The Chairman. The process for referral is that you have already made a determination that you believe these could be criminal in nature, not civil? Mr. Campanelli. That's correct, to this extent. There are elements of the rule--for instance, disclosures that are a knowing disclosure of protected health information in violation of the rule, those are potentially subject to criminal penalties. It is the Department of Justice that imposes those. So in terms of our review, we intake cases and sometimes it takes a little bit more information for us to determine what is really the nature of this complaint. But where a matter has arisen and it is apparent that it is subject to criminal violations, then those are appropriately dealt with by the Department of Justice and we refer them to the Department of Justice. The Chairman. Despite its huge size and complexity, the Privacy Rule nevertheless relies heavily on some very general standards, such as what a doctor may reasonably infer or requirements to provide only minimum amounts of information necessary. What steps can HHS take to give providers and patients the guidance they need to understand what these broad terms actually mean in real world resolution? Mr. Campanelli. Yes, Senator. We are sensitive to that. You know, I just want to step back a bit for a minute and say why is it like that. I think one of the reasons is that the rule, as I said before, attempted to be flexible and scalable. We recognize that the covered entities who are subject to the rule run everywhere from the small provider that you talked about in a rural office, in a remote location, to major institutions. What is appropriate and reasonable in the context of one would not be appropriate and reasonable in the context of others. So that's why the rule necessarily, and I think appropriately, includes references to reasonable safeguards, because we recognize that many of these things are not only relevant to the size of the provider but to the particular context. Really, you have to look at the circumstances to see what's appropriate. Now, how can we help with that? Well, I think that's where our guidance has really come in and been welcome. In fact, the rule in some cases makes it clear. For instance, I mentioned with respect to providers' sharing x rays and other diagnostic information for treatment. It is in the Privacy Rule where it says that this information can be shared with reasonable safeguards. But in our guidance we try to give examples, helpful examples, as much as possible, where we have been able to identify, for instance, in a semi-private room, that a doctor who is talking in a semi-private room should adopt reasonable safeguards. That may mean lowering his voice in the room. You know, we have offered that kind of information. Or about medical charts. We have seen some confusion about medical charts. People have said you can no longer have medical charts on the wall on a patient floor. Well, it depends on what other safeguards you can bring to bear on the case. Many times a completely reasonable circumstance will be just to make sure that any identifying information is facing the wall. So in answer to your question, with the particular FAQ guidance or our extensive guidance that's on the web right now, where we have narratives and examples, that's what we're trying to do. When we hear from folks that they need more assistance, we have tried to be responsive to that. I might just add that we are also in the process of developing targeted information or guidance to particular segments of the industry. For instance, small providers are likely to be one of those groups. The Chairman. You mentioned earlier, in response to a question, the hodgepodge, if you will, of States and the creation of uniformity that this provides. In some instances State laws are more stringent than HIPAA. Mr. Campanelli. Yes. The Chairman. They argue that it's very difficult to assess in practice. Do you see this as a serious problem? What steps is HHS taking to provide guidance regarding State preemption? Mr. Campanelli. First, I confirm that the Privacy Rule defers to more stringent State standards for the protection of privacy. So that's correct. That means if a particular State has a more stringent standard---- The Chairman. Equal to or greater than. Mr. Campanelli. That's right, sir. In that State then, if there is a higher standard for the protection of privacy with respect to a disclosure or the use of personal health information, that higher standard would apply. Obviously, that will vary from jurisdiction to jurisdiction. The Privacy Rule defers to States where they have opted to take a higher or a more stringent position as to the protection of health information. Also, though, I want to say that in some circumstances we are able to help covered entities comply where they have to look to both State and local law. In fact, just recently, I think just at the beginning of this month, in September, we put up on the website a frequently asked question that helped organizations and covered entities understand how they can more easily and readily incorporate the State law into their Notice of Privacy Practices, so that if they are a multijurisdiction covered entity, they don't have to completely redo the entire Notice of Privacy Practices every time a State law changes. We tried to come up with a reasonable way where covered entities could reflect the more stringent State standards and just change that appropriately in a more narrow way, rather than having to change everything. We are sensitive to that issue. The Chairman. To both of you, thank you very much, Dr. Campanelli, Director Adair. Thank you for your presence here today and your forthrightness and testimony. I think we have built a valuable record here and some extremely valuable information has flowed this morning. As you know, that is part of the responsibility of this committee. We are a nonauthorizing committee, but we do work to build a record for the other committees to use, and finance is certainly one of those who uses us very readily, as informational sources in looking at compliance or in looking any adjustments or changes within current law. Again, we thank you very much for your time here this morning, and we will excuse you. Ms. Adair. Thank you. Mr. Campanelli. Thank you, Senator. The Chairman. I will now ask the second panel to come forward, please. Next let me welcome our second panel. Cathy Treadway is a Medical Practice Administrator from Boise, ID. She has been very active in helping coordinate HIPAA preparation efforts statewide and is, I am told, one of Idaho's best experts on this extremely difficult subject. Mary Grealy is President of the Healthcare Leadership Council, which is, as its name suggests, a leading voice for America's health care industry, including providers, payers, and health care entities and companies. Alissa Fox is Executive Director for Policy for the Blue Cross/Blue Shield Association of America, and will talk with us about how the health plan community is responding to HIPAA, in particular the new transaction standards. Finally, Janlori Goldman is Director of the Health Privacy Project, perhaps the country's most prominent non-profit advocacy organization, focusing on patient privacy issues. We welcome you all. Cathy, you came the furthest, I think, so we will allow you to go first. We do appreciate you coming out from Idaho to be a part of this record. Please proceed. STATEMENT OF CATHY TREADWAY, MEDICAL PRACTICE ADMINISTRATOR, THE WOMAN'S CLINIC, BOISE, ID; APPEARING ON BEHALF OF THE MEDICAL GROUP MANAGEMENT ASSOCIATION Ms. Treadway. Good morning. I am Cathy Treadway, the Administrator of the Woman's Clinic, a nine-physician, 65 employee specialty OB/GYN practice in Boise, ID. I am a member of the Medical Group Management Association and have held several leadership positions in the Idaho MGMA. MGMA is the Nation's oldest and largest medical group practice organization, representing more than 19,000 members who manage and lead 11,000 organizations, in which approximately 220,000 physicians practice. I would like to thank Chairman Craig and the committee for convening today's hearing on HIPAA implementation. Over the past 2\1/2\ years, I have dedicated considerable energy to increasing my knowledge of the HIPAA regulations and helping to educate providers throughout Idaho as a member of the Idaho HIPAA Coordinating Council. While I will be commenting briefly on the HIPAA Privacy Rule, I will focus particular attention on the electronic transactions and code sets, the TCS Rule. I would like to begin by discussing the implementation costs which practices already have incurred and will continue to incur in the future. Examining just our small practice, the Privacy Rule implementation costs total in excess of $10,000. Like practices throughout the country, we struggle with limited resources to deal with the magnitude, complexity and costs of HIPAA implementation. I must emphasize that these are just the initial Privacy Rule implementation costs. There are significant ongoing privacy costs for each practice, including continuing education, training of staff and physicians, printing and facility modifications. Practice costs for TCS implementation typically include new HIPAA compliance software, computer hardware, staff training, education materials, and for my practice, additional claim costs averaging $500-$600 per month. In addition, there are numerous future HIPAA standards scheduled for implementation. These include national identifiers, electronic claim attachments, and security. Each of these standards will demand additional implementation costs. These expenses must be considered in conjunction with the many unfunded mandates group practices face: projections of decreasing physician reimbursement and sky-rocketing medical liability premiums. It is imperative that both Congress and the Administration not examine the effect of any one regulation in a vacuum, but consider the cumulative effect that government decisions have on patient access to quality care. Let me briefly discuss the privacy regulations. While some uncertainty regarding particular aspects of the rule remains, it is important to note that we have not encountered any significant problems from patients. Rather, the continuing challenges stem from provider misunderstanding, misinterpretation, and uncertainty in complying with the rule's requirements. I have outlined these lingering issues in my written statement. I now wish to discuss the migration to the HIPAA standards for TCS. Along with providers around the Nation, I am fearful that cash-flow will be disrupted following the mandated compliance date of October 16. I have highlighted in my written statement my concern regarding the current readiness level of most group practices throughout the country. I would like to note, however, that many of the members of this committee represent States with large rural populations and, as such, I believe providers in those jurisdictions share many if not all of my concerns. According to an informal survey that I conducted, many Idaho health plans are just beginning to test claims with their provider customers. As a result, the vast majority of Idaho health practices do not feel that they will be ready to submit HIPAA compliant claims by October 16. In addition, some software vendors are requiring providers to process their claims through a proprietary commercial clearinghouse, thus incurring a per-transaction charge. The result is yet another unanticipated and ongoing cost for providers. In my own practice, we have experienced significant claims testing challenges. During our initial round of testing, the rejected claims contained no specific error information. Thus, we had no idea if the error was with our own software, our clearinghouse, or potentially non-compliance on the part of our health plans. As of September 19, last Friday, our vendor- designated clearinghouse has yet to schedule testing with some of the largest health plans in the State, including Blue Cross of Idaho, Regence Blue Shield, and Idaho Medicaid. How can we even hope to be paid by our payers after October 16 when we cannot even test our claims? Fears of payment delays are exacerbated by the fact that in States without prompt payment laws, such as Idaho, there is no incentive for health plans to pay claims expeditiously. In addition, Idaho Medicaid cannot accept both legacy claims and HIPAA compliant claims. It is HIPAA compliant or their software or paper claims. Our continuing concern with the lack of industry readiness led MGMA and almost 40 other provider organizations to request the government issue a definitive statement to the industry regarding enforcement of the TCS standard. On July 24, HHS responded with guidance regarding the enforcements of the HIPAA TCS standards after October 16. The HIPAA statute requires covered entities to comply with TCS by October 16. By restating that fact while also outlining some conditions under which CMS will not impose penalties, the agency sent health plans conflicting messages in the July 24 guidance. Consequently, some health plans believe that they are legally compelled to reject noncompliant transactions. This quandary is particularly problematic for those health plans that will not be compliant until shortly before the deadline and, therefore, are not in a position to engage in provider testing until that point. However, the guidance did send a signal to health plans that they should make every effort to continue the cash-flow for their provider customers. CMS bolstered this enforcement flexibility position with the publication of a set of Frequently Asked Questions on September 8. In them, CMS states that a contingency plan for a payer could include not only the acceptance of legacy claims, but also flexibility in terms of data content and the offering of interim payments. Legacy claims are those that CMS and private plans currently accept. Exercising data claim flexibility would allow the government and private sector plans to process and pay claims that do not include all the required data elements. While MGMA was pleased to see this turn around, we believe CMS must explicitly tell noncompliant health plans that failure to develop appropriate contingencies to prevent cash-flow disruptions is unacceptable and is grounds for immediate enforcement action. Regarding TCS, CMS should first instruct its intermediaries to continue processing noncompliant claims after the October 16 deadline. We are pleased to hear this morning the announcement regarding CMS contingency plans. However, CMS needs to clarify that all public and private health plans are permitted to accept, process and pay HIPAA compliant claims with fewer data elements than required. Second, CMS should strongly encourage health plans to return claims to providers with an explanation of any data content deficiencies in a timely manner. This will permit the entry of missing data and prompt resubmission of claims. Mr. Chairman, while MGMA is confident that complete HIPAA implementation will eventually ease some administrative burdens and facilitate improved data inter-change within the health care community, significant roadblocks continue to exist. MGMA, along with Idaho MGMA and IHCC, believe our recommendations will help providers manage this difficult transition. We urge Congress to play an active role in ensuring that the administration takes the necessary steps to avoid interruptions in the delivery of care. I appreciate the committee's interest in this important topic and thank the committee for inviting me to present my views on this issue. [The prepared statement of Ms. Treadway follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Cathy, thank you very much. Now let me turn to Mary Grealy. STATEMENT OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP COUNCIL Ms. Grealy. Thank you, Mr. Chairman. Thank you very much for this opportunity to testify on the medical privacy rules that are part of the Health Insurance Portability and Accountability Act, HIPAA. This is a matter of considerable importance to America's patients, health care consumers and health care providers, and I commend you for the attention that you are bringing to this important issue. I am here today on behalf of the members of the Healthcare Leadership Council, a coalition of the Nation's leading health care companies and institutions. Our membership embodies all sectors of health care, and every one of our members is directly affected by the HIPAA Privacy Rules. HLC also leads a coalition of over 100 organizations that strongly supports effective patient privacy protections. Mr. Chairman, you called this hearing in part because of information you are receiving from health care providers about the cost and confusion associated with the HIPAA privacy regulations. Let me say at the outset that we believe many of these difficulties could be avoided if Congress enacted a single national uniform standard for medical record confidentiality. What we have instead is a new Federal privacy regulation that does not replace the existing patchwork quilt of various State privacy laws but, rather, coexists with those laws. So no matter how well regulators write these rules, additional cost and lack of clarity is inevitable because doctors, hospitals and others are trying to navigate through a maze of Federal and State laws and regulations. Having said that, let me specifically address the impact of the HIPAA Privacy Rules. To say these regulations are complex is an understatement, but that is, in part, because they are attempting to fulfill a difficult objective. How do we protect the sanctity of a patient's medical information privacy while at the same time ensuring that necessary information is available for providing quality health care and conducting vital medical research? The HIPAA regulations as revised by the current administration, while not perfect, do attempt to strike this necessary balance. In terms of the value of these regulations, one point needs to be made. They do exactly what they are intended to do. Disclosing identifiable health information for purposes other than carefully defined, appropriate health care activities is strictly prohibited, unless the patient grants specific prior written authorization. If you disclose an individual's medical information to their bank, their neighbors, their employer, or their local newspaper, without their permission, you are going to be hit with Federal civil and criminal penalties. These regulations, as I said, are not perfect, but they are an improvement over what they might have been. Under the original proposed regulations developed by the previous administration, patients would have had to give their written consent before they could receive treatment, receive a reminder to make an appointment, have a doctor schedule their surgery, or even have a relative pick up a prescription. These rules would have generated treatment delays and volumes of unnecessary paperwork. There are more improvements, though, that need to be made. As we revisit these rules--and there is a provision to have them reviewed and modified annually--we need to ask a critical question: do these regulations sap resources for unnecessary compliance activities, resources that could otherwise be devoted to patient care? The answer to that question is clearly yes. HHS has estimated that the Privacy Rule will cost the private sector $17.5 billion over 10 years. Compared to other studies, including one by Blue Cross/Blue Shield, this is a very conservative estimate. Regardless of the actual total, it is clear that we're seeing billions of dollars funneled toward regulatory compliance at a time when health care providers are coping with dire fiscal austerity. The Inova Health System in Virginia, with five hospitals and 1,400 beds, told a congressional staff briefing that their implementation costs had thus far totaled about $1.5 million. Concentra, a network of 244 occupational health care centers, has already spent $3 million on initial implementation of the Privacy Rule. A single small hospital, Emerson Hospital of Concord, MA, has had to devote two full-time employees whose sole jobs will consist of HIPAA related paperwork. They will be compiling detailed information disclosure records that few if any patients will ever request. There is a need to undertake a comprehensive review of these regulations to determine how to best achieve their intent, without forcing the expenditure of precious resources for nonessential compliance activities. Mr. Chairman, health care companies and institutions want to act as working partners with the public and with the government to ensure that we achieve strong patient privacy protections without impeding treatment and medical research. While we still believe that the best course of action is a single, uniform Federal privacy standard, we look forward to working with this committee and with the Administration to ensure that Federal patient privacy protections serve the national interest as efficiently and effectively as possible. Thank you. [The prepared statement of Ms. Grealy follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Thank you, Miss Grealy. We will next hear from Miss Fox. STATEMENT OF ALISSA FOX, EXECUTIVE DIRECTOR OF POLICY, BLUE CROSS AND BLUE SHIELD ASSOCIATION Ms. Fox. Thank you, Mr. Chairman. I appreciate the opportunity to testify this morning on HIPAA's administrative simplification rules. Blue Cross Blue Shield plans across the country are very committed to the goals of administrative simplification to reduce the costs, hassles, and paperwork of our health care system. However, we are concerned that these goals will not be realized unless we change the entire process for establishing and implementing the many administrative simplification standards that lie ahead of us. I would like to make three points. First, despite a 3-year implementation period, with an extra year that we got, thanks to your leadership, Mr. Chairman, we still have many providers who are not ready for the October 16 HIPAA transaction and code set regulation, just 3 weeks away. As a result, payers are planning to deploy expensive backup contingency arrangements to minimize disruptions and prevent unintended consequences, such as providers returning to paper in order to get paid. There are several reasons for our unreadiness: general lack of awareness about the regulation, especially among small and rural providers; lack of understanding about the cost and complexity of what it takes to become HIPAA compliant; and the late revisions made to the rule just last February that resulted in delayed vendor software needed by the industry. Second, important lessons can and should be learned from the first phase of HIPAA administrative simplification which should be considered before additional standards are adopted. It is important to realize there are numerous additional standards on the horizon. They fall into three categories. There are additional HIPAA rules that HHS is expected to release in the next year that Cathy Treadway talked about a little bit earlier. Second, there are modifications to the standards that we are just now implementing, some of which call for wholesale, very expensive changes, such as ICD-10, and new information technology initiatives by Congress and the administration to develop uniform standards for clinical information and the interoperability of information systems so that patients' medical records can move from doctor to doctor across the country electronically. We believe the lessons learned include, first, a credible cost-benefit analysis, which is a must before any future standards are adopted. When HHS adopted the transaction and code set rule, the projected costs were greatly underestimated. HHS estimated the cost at $5 billion for the entire industry. Two years ago, we commissioned the Nolan Company who found the HHS estimate to be understated by a factor of 10 for health plans and a factor of 3 for providers, thereby underestimating total industry cost by $11 billion. Now that the compliance date is here, it appears the Nolan estimate is on the low side and that the actual industry costs just to implement the HIPAA administrative simplification transaction and code set rule are likely to be significantly higher than the earlier $16 billion we originally estimated. A second lesson learned is that the industry must involve all aspects of their operation in developing the standard, not just the IT shop. A key mistake all stakeholders made is treating administrative simplification as a systems issue, just like Y2K. We have found, however, that these standards have a ripple effect throughout the entire health care operation, whether it's a payer, a health care clinic, or a hospital. A change in one simple code can affect medical policy, quality improvement programs, how much you get paid for the service, as well as fraud and abuse detection efforts, just to name a few. The third lesson is standards must be pilot-tested before we adopt them. It is only when a standard is actually pilot- tested that we can identify the issues and any unintended consequences that should be addressed before we ask the entire industry to go ahead and adopt them. Finally, we urge Congress to create a high level stakeholder commission to develop a national health care information technology strategy based on industry consensus. The current piecemeal approach to information standards is akin to building a house room by room without an overall blueprint. While the standards now being contemplated have great potential to improve quality and cut costs, this goal will not be realized under the current process. The industry needs a blueprint to know where we are headed, with a prioritization and timeline to provide order and predictability to all of us, and importantly, to ensure that the standards are implemented in the most cost-effective and efficient manner. Mr. Chairman, as you have highlighted this morning, with so many demands on the industry, health care premiums rising at double digit rates, and with over 40 million Americans uninsured, it is critical that we spend our resources wisely. Thank you. [The prepared statement of Ms. Fox follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Miss Fox, thank you very much. Now, the last person on this panel, Janlori Goldman, Director of the Health Privacy Project. Welcome. We look forward to your testimony. STATEMENT OF JANLORI GOLDMAN, DIRECTOR, THE HEALTH PRIVACY PROJECT Ms. Goldman. Thank you. Thanks very much for inviting me to testify. As you probably know, the Health Privacy Project not only develops expertise and analysis on a range of health privacy issues, we also coordinate a consumer coalition for health privacy. It is made up of provider groups and disability rights groups, labor organizations and consumer groups so that we can better represent the interests of patients, since we all are patients. We can better represent the interests of patients who both want research to go forward, and want to improve health care, but also want to make sure they're not putting themselves at risk for discrimination and privacy violations. The Privacy Rule, as you have heard already today, is the first Federal law that provides a minimum set of privacy and security rules for Medical information. It allows both provider groups and health plans to build privacy into the practice of delivering health care. One of the things that has not been discussed this morning that I want to talk about for a moment is why we needed this health privacy law. We needed it because we had documented evidence that, without privacy, people had barriers to care, quality of care was at stake, and some people were afraid to get health care because they didn't want to subject themselves to potential discrimination. They were afraid their employers would get access to information, they were afraid that friends and family members, coworkers, might learn about sensitive conditions. Where they were not able to be honest with their doctors, they put themselves at risk for untreated and undiagnosed conditions. We believe very strongly that there is a high cost that has been paid by the public because of the lack of privacy, and a cost that has not been assessed either by this Administration or by any of the industries who talk to you about the cost of putting privacy in place. We believe there will be substantial cost savings, not just the offset from the transaction and code set rules, but also because people will be more encouraged to fully participate in their own care and, again, not put themselves at risk. We also know not just the empirical data in terms of this 20 percent who have withdrawn from care, but we also know individual stories that have been very compelling, people who have lost their jobs because information was misused, people whose information was sold without their permission, people whose information was put on the Internet, and most recently, even in the Kobe Bryant case, the accuser there had her medical records released by a hospital in Colorado without her knowledge, without her permission, and against both Colorado law and the privacy regulation. The Privacy Rule, as you heard, was a long time in the making. It went through an extensive rulemaking process. The Bush Administration did make substantial modifications to ease industry concerns. But we do have limits on access and disclosure outside of health care. People can now get their own records, and the notice is very substantial in telling people how their information is used. Despite a 2\1/2\ year implementation process and compliance period, myths do persist. I think that Director Campanelli testified very eloquently about how most of those myths have been dispelled. Most of the initial myths and misperceptions and confusion about the privacy regulation was in some ways kind of a blip. There was a lot of early misunderstanding, most of which was put to rest by OCR, and by the industry. The Health Privacy Project put out a Know Your Rights. We have done some substantial public education. But some of the myths do persist, and I think they're very troubling. For instance, the myth that doctors can't share information with each other or other health care providers-- absolutely wrong. Relatives can visit their family members in the hospital and pick up prescriptions and other kinds of medical information unless, of course, the patient has taken a step to opt out. The notice is not a consent form. The Bush Administration was clear that consent is not required for treatment and payment. The notice tells people how their information is used and what their rights are. It does not have to be signed. We just encourage people to do it to acknowledge that they received it. There is no private right of action, so under the Federal law people don't have a right to sue. The cost issue I think I have addressed already. State law, which some people have addressed, is really important. Prior to promulgation of the privacy law, the Health Privacy Project compiled and summarized State Medicaid privacy laws. They are available on our website for free. We found that the Privacy Rule will bring substantial uniformity. Yes, there will still be 50 different State laws, but for the most part, most of them will be preempted because the Federal rule is more stringent or more comprehensive. Where the State laws will still continue to exist is usually in a condition-specific area. There are specific laws related to HIV/AIDS or mental health, or abuse and neglect. Those laws were carefully crafted at the State level and they will continue to stand. The Privacy Rule doesn't address medical privacy on a condition-specific basis. Let me just conclude with three quick points. We believe the privacy regulation is absolutely important in encouraging people to get care, in improving quality of care, so the information we have for research and public health is reliable. We believe that it allows information to flow freely within the health care context without barriers, but it puts limits and safeguards in place so the information will not go to employers, will not go to law enforcement without some court order, that there are some limits in place. We think that's critical. The temporary confusion, as I have said, I think has been addressed by OCR, by the Health Privacy Project, and others. But I want to urge the professional and trade associations, many of whom are in this room today, to step up their technical assistance and their guidance. Some of the confusion that occurred early on I think was inexcusable, involving some very fundamental, basic misunderstandings and confusion. So I think we know what those areas are and to step up technical assistance is key. Again, I don't think it is fair to ask people to sacrifice their own health care and their own ability to get care in order to protect their privacy. We know a substantial portion of this population has done that so far. My hope is that, over the next few years, we will be able to go back into the public and do another survey following up on our 1999 survey, to measure if the privacy regulation encouraged people to get care. Has it encouraged doctors and patients to communicate more freely with each other? Have we seen that the cost issues in some ways are outweighed and maybe even offset by increased participation and by the transaction and code sets? So I look forward to that continuing dialog with you and the rest of the committee. Thank you. [The prepared statement of Ms. Goldman follows:] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] The Chairman. Ms. Goldman, thank you very much. I don't think there's anyone on this committee, certainly not the Chairman, who doubts the value of and the importance of why Congress moved in the direction it did, not only for the very reasons you talked about--individuals denying themselves care for fear of a disclosure--but also the reality of the march of medical science. We all understand a doctor and medical professional's relationship to a patient and what that professional may know simply by medical science's ability today to determine certain kinds of things we didn't know that might determine future decisionmaking for the part of the patient that we as a society ought not be disclosed beyond that is critically important. I hope that we work our way through it. My intent is not to cast a shadow over the importance of the privacy, but to make sure that we do it right, that we streamline it as best we can, that we get the informational flow out so that it doesn't become an impediment. It was not intended to be. So I thank you for that testimony. I'm going to have to leave, but I must tell you, I am pleased to be joined by my colleague, Senator Peter Fitzgerald, who is going to carry on with the questioning. The first question he's going to ask, I do believe--I'm going to set him up for it--is a question that you, Cathy, alluded to, and some of you did, and I would like for the record for you to assess the announcement that you heard this morning from CMS as it relates to style of implementation, method, process to the legacy clause and all of that, and what that's going to mean in the short term as we work our way through this very complicated bureaucracy or regulatory process that we have set ourselves into with HIPAA. Last, let me thank you all for being here, and especially let me thank the Senator for joining us this morning as a member of this committee to ask some very important questions for the record. Thank you. Senator Fitzgerald. [Presiding.] Senator Craig, thank you very much. I did want to ask you your thoughts on CMS' announcement this morning. Do you believe their willingness to extend the time past October 16 for filing claims under the old system will have a positive effect, and do you think any additional steps are needed? Anybody on the panel, I would encourage you to respond. Ms. Treadway. Mr. Chairman, I would say that it is much appreciated that CMS has recognized that we will not be ready October 16, and taking the opportunity to extend that so that the health plans can accept both legacy claims and the HIPAA compliant claims. However, as I mentioned in my statement, as we look at Idaho, not all systems can take both HIPAA compliant claims and legacy. It's one or the other. The State of Idaho Medicaid is in that exact situation. So even though it will help, it still has a long ways to go before we will not be experiencing delays of payment. In addition, I also mentioned that we need guidance on whether they can accept and process and pay HIPAA compliant claims that don't have all the data elements that are required. All the new elements that are required are not necessarily needed to process payment. We do not want to see health plans being able to deny claims that they could process and pay. In Idaho, we do not have prompt payment legislation. That means there is no incentive for health plans to make that extra effort to get those claims paid. We are very fearful there will be significant delays in payment, which are going to affect our clinic's ability to provide care for our patients. Senator Fitzgerald. Miss Fox. Ms. Fox. Yes, I would like to comment. Thank you. I would like to comment both with respect to Medicare and as a private payer. Many of our plans contract with CMS and are actually the day-to-day processors of the Medicare claims. So we believe that their announcement today is very good news. Both our Medicare contractors and private payers are very concerned that the low level of provider readiness could, if you don't have an announcement like this, result in providers returning to paper claims. Paper claims are expensive, both on the part of the provider and the payer, and could involve significant delays in payment because you would have to hire so many more people to process those paper claims. Under CMS' announcement, Medicare has announced that they will process the old electronic formats so that providers won't have to revert to paper if they're not ready for October 16. On our private side, we are now polling our plans. Our plans are prepared. They do have contingency plans that would also allow existing legacy claims to be submitted and processed after October 16, and we are now polling our plans to see to what extent they are going to deploy them consistent with CMS' guidance. I would add, however, that one of the recommendations made by MGMA is just not doable. What they are asking is that CMS tell payers that they must process a partially complete HIPAA claim. The whole purpose of standardizing these HIPAA electronic claims is so that a provider, when they submit a claim to Aetna, Cigna, Blue Cross or Medicare, knew that once they filled out the claim, that was an acceptable claim for all payers. If you start saying you're only going to fill out 60 percent for one payer, 70 percent for another payer, you basically return to what we're trying to get away from, which is a lot of variation by payers instead of standardization. So we are very committed to the standardization and we're very committed to smoothing transition to HIPAA and assuring cash- flow to providers. We believe by plans continuing to process existing legacy claims after October 16 for some period of time the objective of smoothing the transition will be met. Senator Fitzgerald. Any other comments on that? Ms. Grealy. Senator, I think, whether we're talking about the transaction code sets or we're talking about the Privacy Rule, the CMS approach really represents something that I think is very important, that the government, whether we're dealing with CMS or the Office of Civil Rights, act as a working partner and collaborate with the health care industry as they're trying to implement these very complex rules. So I think, symbolically, it's very important that they're taking that approach, they're listening to what health care providers and plans are saying, and trying to work through these issues with them. Senator Fitzgerald. I would think you would all agree that to have uniform transaction rules will really be a good thing and will take some costs out of the health care system ultimately, after the initial transition phase. Ms. Fox. I think we need to look at that carefully. I think there are a lot of benefits, but I think it's important to note that these HIPAA transaction code sets is phase one. There are lots of phases on the horizon, so it's not like you do this and you're done. Really what's envisioned is constant change for the next several years. So I think we---- Senator Fitzgerald. How many phases does HIPAA bring us through? Ms. Fox. We don't know the answer to that question, actually. There is lots of different phases on the horizon. There are three standards that are due out within the next year, and CMS is already looking at modifications to the ones we're just now struggling to implement. So we are recommending that we get a stakeholder commission to really look at that, how many phases are we talking about, where are we headed, how are we getting there, are we getting there in the most cost- effective and efficient manner, and make sure that everybody has a consensus on how we're proceeding. Senator Fitzgerald. Along those same lines, I wonder if each of you could summarize briefly the best dollar estimates that you are aware of regarding the costs incurred by the entities you represent in complying with the new HIPAA transaction rules, and with the privacy regulations. Ms. Grealy. Well, we represent the entire health care industry, and we're focusing just on the Privacy Rule. That's what we have worked on. As I said in my statement, HHS put out an estimate of $17.5 billion over 10 years. Blue Cross Blue Shield had an estimate of, I believe it was $45 billion---- Ms. Fox. Forty-two. Ms. Grealy [continuing.] Of $42 billion. As you can see, it's a rather disparate range. I don't think we'll really know. We know that it is in the tens of billions of dollars, and that $17.5 billion is quite a low estimate. Yes, it's an important issue, but I think we need to look at how else could those resources be used. How else could the funds for those personnel that are being hired, been used. What other hires could have been done--more nurses at bedside probably would be a preference. So we hope we can strike a balance. As Senator Craig said, let's see if we can streamline this process, make it as cost efficient as possible, while we're trying to meet the real concerns of the patients. Senator Fitzgerald. Do you think the costs are appropriate to the benefits that are likely to be achieved? Ms. Grealy. Do I think we could have done it in a less prescriptive, less regulatory way? Yes, I think we could have done it more efficiently and cheaper. Senator Fitzgerald. Achieve the same benefits? Ms. Grealy. Achieve the same benefits. Senator Fitzgerald. Is that HHS' fault or is that Congress' fault because Congress mandated HHS to promulgate regulations if we didn't act. Ms. Grealy. I think the regulations could have been much more streamlined. We have made progress and we have made improvements, and we will have the opportunity to do that from year to year. But the initial regulation that we were dealing with was voluminous and way too detailed and way too prescriptive. So I think we have made improvements in it and hope to continue to do that. Ms. Goldman. I think it's really important when we're talking about cost to factor in both what the White House has estimated the cost to be which some of the testimony presented here does not acknowledge. The White House estimated that the cost associated with putting the Privacy Rule in place would be offset many billions of dollars by putting the transaction and code set regulations in place. In fact, when Congress put the mandate in HIPAA back in 1996, many of us were involved in that process, and the reason the privacy regulation went into HIPAA is because the industry was pushing very hard to create that uniformity in the transaction and code sets, to create a common language for how health information would be coded and shared. There was an acknowledgement that putting privacy in place at the same time was a prudent measure, that we would be increasing risk obviously to privacy and discrimination by creating a national health information infrastructure, but that that was critical to moving forward with health care. So we could build privacy and security in at the outset, there was an acknowledgement by Congress and by most of us sitting here in this room that we had to do that together and that it would save money to do it together and it was the right thing to do. The White House estimates I think have been quite clear, that there will be a substantial cost savings ultimately, and we need to think about that. As I said earlier, it's very important to also factor in saving money from improving quality of care and broadening access to care and having more reliable data for research. Most of the estimates don't include that because I think it's a tough thing to measure. Ms. Treadway. Mr. Chairman, I would just like to bring this back down to the provider level. This is an unfunded mandate. These costs are creating additional costs for us to provide care for our patients, and skyrocketing the costs for health care. If you compound that by malpractice insurance and all of the other government regulations that we're facing, it is a struggle for physicians. As I talk to the different small groups in our State, they are very worried about their ability to keep up with the government regulations. As we've mentioned, it's volumes and volumes of information, trying to read it, trying to understand it. They don't have the staff to do that. They are there to take care of patients. There may be additional savings down the road, but at this point in time we are worried about how to keep our doors open and to take care of patients in light of not knowing if we're going to be paid for our service and trying our best to work within the system to comply with all of the government regulations that are there. We are very concerned, and the costs are nationwide, when you come down to an individual provider, the dollars are not there to comply and it's unfunded. So we are being forced to attempt to comply and it just skyrockets our costs of providing health care. Ms. Grealy. Mr. Chairman, we also were looking for national uniformity with the Federal Privacy Rule. We did not get that. The Healthcare Leadership Council has had to fund a one million dollar study so that we could provide information to all of our members, members of the confidentiality coalition, as to what is the interplay between the Federal law and regulations and the various State regulations. So this Federal regulation is merely a floor. It's not a ceiling. That is something that every provider is going to have to be aware of. I think perhaps you are seeing a bit of hyper-compliance. I think that has a lot to do with hospitals that have been involved in various investigations for what were billing errors, and yet having that characterized as fraud. I think everyone has taken compliance extremely seriously, and perhaps to the extreme, but feel that they've got to make this investment to make sure they're doing it the right way so that they are not subject to an investigation or a civil or criminal complaint. Senator Fitzgerald. Why do you believe so many parts of the health care system are having such continuing difficulty complying with the new transaction rules? What is it about the new rules that makes them so difficult to comply with? Ms. Fox. We think there's three reasons why it's so difficult. One is there is just a general lack of awareness about the regulation itself. Second, there is a lack of understanding about the cost and the scope of the regulation. I think a mistake that all of us made, quite frankly, Mr. Chairman, is that we had representatives working to develop these standards at the front end, but the people we had sitting around the table were our information technology staff, who while they are quite capable, they look at things from a systems only standpoint. What we realized in looking backwards is that when you change a code and you change these formats, and you now say, ``I'm only going to have this data or that data, it has a ripple effect on the entire operation--whether you're a payer, whether you're a hospital or a clinic--that we, quite frankly, just didn't understand.'' When you change that code, it can change your provider payment, it can change how you detect fraud and abuse, it could change your quality improvement programs. The way that our systems work is we piggyback everything on a single code. So once you change that--and the information technology staff just really didn't identify those issues. So I think we just didn't realize how expensive and big this regulation was to begin with. Senator Fitzgerald. What does that mean in concrete terms? How can we improve things for you? If you had two or three changes that you could make to the regulations, what would they be? Ms. Fox. It's not the regulation itself. It's really the process we would like to see changed. At the front end we would like to see--all of the stakeholders, involving our whole operation, not just our information systems people. Second, we think it's critical that we get a true cost-benefit analysis done collectively. Let's really look hard at what those costs and benefits are so we all agree on that. Third, it's critical to pilot test it. I think it's a big mistake that we didn't pilot test this. When you pilot test it, then you identify what the issues could be, what are the possible unintended consequences. Once you pilot test it, you can make sure that, before you tell the whole country to do something, you have identified the wrinkles. Senator Fitzgerald. Well, it's not being pilot tested. Ms. Fox. I'm sorry? Senator Fitzgerald. It's not being pilot tested, right? The whole country is doing it. Ms. Fox. I'm saying going forward, and when we do the next stages of these regulations, we need to learn from the mistakes we made this time. I think now what we need to do is--I think we're getting there. I think we need to employ contingency plans, make sure that providers get over this hump, but I think we really need to learn lessons from this experiment. Ms. Treadway. Mr. Chairman, I would like to comment on that, also. Part of the issue that we dealt with is that we didn't get final information from CMS until February of this year. Many of the vendors were waiting for that direction before they finalized their programs. This is an extremely complex process. We are dependent on the health plans, the clearinghouses and our software vendors, to all have their ducks in a row before we can begin testing. So as we work on it, we have been attempting to test for over a year now, and finally became a beta test site to begin testing, and felt that we were starting to move forward. It took two solid months before we got anything that ever went through. It just said beta file error. You have to be able to test real data. Then we found out they're not even testing with Idaho payers. It's very, very complicated. If there had been staggered implementation dates so that health plans and clearinghouses and vendors had different staggered dates for implementation, it would have made it easier from the providers' standpoint to go with. The other thing we're dealing with is they do not have to give us the missing data elements when we have a claim that's denied. All of this is just very, very complicated. I think the complexity is really a struggle for all of our small providers because we don't have experts helping us through this. Senator Fitzgerald. I have a question for Miss Fox. In your testimony you point out that HIPAA's efforts to achieve electronic claims standardization are going on, even as other uncoordinated efforts are being launched elsewhere in the government to promote greater use of electronic systems in health care, such as electronic medical records. How can we in government better go about advancing the goal of bringing new e-technology to health care without breeding even more confusion? Ms. Fox. We are recommending that Congress set up a stakeholder commission that would really look at where is the vision, where do we all want to go. A lot of people have a vision that we want to have electronic medical records that can move from doctor to doctor across the country. To get there, you really need to take these new standards we're doing today as a continuum to get there. If that is the vision, what is the smartest way of getting there? Is that the vision everybody agrees to? What should come next? What codes should we change? People are talking about going from ICD-9 to ICD-10. That's the coding system for diagnosis that hospitals and other providers use. People are talking about that as the next step. We have a consultant that's looking at it and saying that might not be the next step. You might want to actually describe the services, for example, like how you set an arm, and maybe you don't even--He was raising yesterday with us that maybe you don't even need going to a replacement for ICD-9 if you describe your services in a standard way. These are the kinds of issues that I think we all need to discuss around the table, and walk through what are the steps to get you to the end result, how much money is it going to cost, what's the most efficient way to get there, what's the priority, and then let's go forward in a smart way so that we're not wasting resources. Senator Fitzgerald. So you would like to see Congress set up a commission that could hash this out. Ms. Fox. Yes. Senator Fitzgerald. Has anybody introduced a resolution in either the House or the Senate? Ms. Fox. No. We are talking to people now about such a proposal. Senator Fitzgerald. OK. So you might be working on that. Ms. Fox. Yes. Senator Fitzgerald. I guess I would ask all of you this, but especially Miss Goldman and Miss Grealy. In your estimation, what are the most troublesome areas in the new privacy regulations when it comes to patient or provider confusion? Ms. Goldman. I think that what we saw initially we are now seeing die down. As Director Campanelli testified earlier this morning, he's only getting about a third of the questions now a few months into the implementation phase. But I think the things that continue to trouble me are, one, the misunderstanding that doctors can't share information to treat patients. You see reports in the newspaper all the time, and I talk to doctors who say, if I refer a patient to another doctor, they won't then talk to me about the patient or information can't be shared back to me to treat the patient. That's just wrong. It's not even a question of interpretation. It's just wrong. I think it needs to be absolutely clear from the professional and trade associations, from OCR, from the State regulators, that doctors and other health care providers can share information to treat patients without having to get consent. Picking up prescriptions, visiting relatives in the hospital, again the status quo in some ways, the presumption that most of us share, that information should flow freely to treat people, to pay for their care, and to allow us, as family and friends, to be able to take care of those we love. So those are the things that I think we absolutely have to address. Of course, somewhere down the road, once there is a clear understanding and we do clarify the myths and facts about the privacy regulation, we would like Congress to take up what we consider to be some of the regulation's weaknesses, some of the gaps in the law, some of the areas where the law doesn't go far enough. I realize this may not be the best time to bring that up, but it is part of our long-term agenda, to make sure the law is more enforceable, to make sure it does cover employers directly when they do collect information themselves. Senator Fitzgerald. When was your group formed, Miss Goldman? Ms. Goldman. When? Senator Fitzgerald. Yes. Ms. Goldman. The Health Privacy Project was created at the end of 1997. Senator Fitzgerald. Where does it get its funding? Ms. Goldman. We get funding from foundations primarily. Senator Fitzgerald. OK. Ms. Goldman. Anybody who would like to contribute to the Health Privacy Project can see me after the hearing. [Laughter.] Senator Fitzgerald. Miss Grealy, would you have a response about what areas are the most troublesome in the privacy regulations? Ms. Grealy. Mr. Chairman, I participated in a town hall meeting in Baltimore on behalf of Congressman Cardin recently. As Miss Goldman has pointed out, there is a lot of confusion as to what information can be shared between health care providers. We heard quite a bit from social workers, who had the responsibility of monitoring mentally disabled adults in group homes and whether they could get information from physicians to make sure those adults are being treated appropriately. As I said earlier, I think there is a real sense of hypercompliance. Everyone was told you could only share the minimum amount of information necessary, or that you have to have the patient's prior written consent before you can do certain things. There is a lot of confusion. We have to do a lot of education. I think the Office of Civil Rights is doing a good job, but I'm not sure the general public and every provider thinks of going to the HHS website. So we are doing our best to try to get that information out there. As I said, we participate in town hall meetings in congressional districts; we do Hill staff briefings, again trying to tell people what this rule actually does. There are areas where we can reduce the regulatory burden. One in particular that I cite in my testimony is maintaining records of when you make disclosures. With the hundreds of millions of patients that are admitted to hospitals, that are treated by physicians, trying to track all of that is just overly burdensome and something we think can be streamlined. So we look forward to working with HHS and trying to refine this rule as we go forward. We think we can make it more simple. But we do have to do a lot more educating of the public and educating the providers. It isn't that clear. I think we who have been immersed in the rule understand it pretty well, but I think these questions still normally arise and we do have to do better on education. Senator Fitzgerald. Miss Treadway, I'm wondering if you could estimate for the panel what proportion of your time has been spent in the last couple of years working on or getting ready for HIPAA compliance. Ms. Treadway. I would estimate that of my time in my clinic, it has been in excess of 10 percent, 10 to 12 percent of my time that is spent on HIPAA privacy and on working within our group and within the State, trying to educate the providers and the administrators throughout the State on the regulations and what they need to do to prepare for that. I would say probably 10 to 12 percent of my time alone has been spent over the last couple of years doing that. Senator Fitzgerald. Do you feel your colleagues elsewhere in Idaho who are providers have become, as we've gotten closer to the implementation, better familiarized with the regulations? Ms. Treadway. I would say yes. Our Idaho HIPAA Compliance Coordinating Council has done a road show throughout Idaho on three separate occasions. The most recent one was this Friday. We had 121 participants in the morning and 121 in the afternoon, and a waiting list of people to get in on the HIPAA education. We had representatives from Medicare, Idaho Medicaid, Blue Cross of Idaho, Blue Shield of Idaho. They asked a question out there and asked in the morning session how many were ready for HIPAA codes and transactions, and three out of 120 raised their hand, that said they thought they were ready. Mostly that was because their vendors had assured them that they would be ready to submit and be able to process claims. A lot of them are hoping to begin testing. Some of them don't even have the software loaded on their computer systems yet. So yes, are we fearful in Idaho, and yes, they are trying to get information across the State. When they have done these meetings, we've had huge attendance at them. Senator Fitzgerald. I wonder what HHS or the major provider organizations could be doing better to alleviate the confusion that you describe. It sounds like there are a lot of seminars being conducted and people certainly have the opportunity to go to those seminars, although you said there was a waiting list and not everybody was able to get in to them. But it would seem to me there would be plenty of opportunities to familiarize yourself and your organization with the new regulations. What else could HHS being doing? Ms. Treadway. I think continual education, continually working on simplification, are two really important parts of it. I think the steps CMS took today to work toward allowing an extension of that deadline is helpful. Unfortunately, we are within 3 weeks of the implementation of this. As we found out from the privacy rules, when the original regulations come out, and then when they do the loosening or the changes in them, some people read the original and they don't get all the changes. So as we look at these constant changes, it is very, very difficult to say am I dealing with the current regulations, or which area of the regulations am I truly dealing with. If I went to a seminar 2 years ago on any of these regulations, and I felt I was up-to-date on them and I didn't go to the most current one, I would have missed the entire process because things have changed so drastically during that time. As Senator Craig mentioned, there were 102,000 words in this legislation. You look at that and it's massive for a small doctor's office. In Idaho, the average is two-and-a-half physicians per clinic. You have five or six staff that are trying to implement these regulations. How can they even hope to be able to comply with it? Senator Fitzgerald. We have just 6 minutes left before I have to go and make a vote, so I'm going to bring this meeting to an end. But I just want to ask one more question for Miss Grealy. Your organization, the Healthcare Leadership Council, has taken the lead in launching an industry-wide study examining differences between the Federal Privacy Rule and each State's privacy rule. Why is this study necessary, and approximately how many States have more stringent requirements than HIPAA? Ms. Grealy. Many States. I don't have the exact number. The reason we undertook this study was because Congress did not make this privacy rule or law preemptive of State law. Senator Fitzgerald. Except if it's a more lax privacy rule. Ms. Grealy. So it establishes the regulation as a floor as opposed to a ceiling. Senator Fitzgerald. Right. Ms. Grealy. So we don't have that single national uniform standard. Senator Fitzgerald. Would you like that? Ms. Grealy. Yes, we would. Senator Fitzgerald. Miss Goldman wouldn't, I guess. Ms. Grealy. We had asked also that, given that we didn't get that, that HHS provide guidance and interpret what is the difference between the Federal regulation and the State law. HHS has refused to do that. So that's why it fell to the industry---- Senator Fitzgerald. Well, they're not in the business of interpreting the States' laws. How many States have tougher privacy laws? Ms. Grealy. I'm sure Miss Goldman would know. I believe it's the majority. Ms. Goldman. We did a similar analysis in 1999. It's not as targeted to the industry as the Healthcare Leadership Council's analysis, which is being sold to some in the health care industry. Ours is, as I said, available for free. What we found was that most of the privacy regulation as it currently reads will preempt most State law, because most State law is less comprehensive and less specific. Senator Fitzgerald. How many States have tougher laws? Ms. Goldman. Well, where the States do have tougher laws, there are a couple of States where, even in some of the kind of broad areas, like access to records or limitation on disclosure that you might find in California, for instance, there are more stringent State laws in those broad areas. Senator Fitzgerald. Any State besides California? Ms. Goldman. California comes to my mind. Minnesota does as well. But most States have these condition-specific laws that the privacy regulation---- Senator Fitzgerald. Now, I have to ask you this. Do you think it's a good thing for companies to have to comply with different laws in all the different States? I mean, don't you think that adds a lot of cost to the health care system and cuts down on the affordability and availability of health care? Ms. Goldman. Well, I'm glad you asked that, because prior to the privacy regulation taking effect, every health care organization in the country had to comply with 50 different State laws, patchwork laws. Senator Fitzgerald. That's true. Ms. Goldman. The privacy regulation, in many ways, created substantial uniformity. In most of the Federal laws in this country, we don't preempt State law. We might preempt State law that's weaker---- Senator Fitzgerald. Isn't she right, Miss Grealy? Ms. Grealy. We lobbied strongly for Federal legislation that would establish that uniform standard, to avoid exactly what you're saying, the additional cost. So now, going forward, you will always have to check what's happening with the State law as it's updated, as it's changed. So is that really a cost we need to incur in the system? Senator Fitzgerald. I'm sorry, Miss Goldman, but we're running out of time here. Is your organization lobbying in certain States to make the privacy laws tougher than the Federal laws? Ms. Goldman. Well, let me first say that we don't lobby, but we---- Senator Fitzgerald. Advocate? Ms. Goldman. Well, we have not actually advocated that. What we're trying to do is work with a lot of the same issues that some of the industry people are. We are working with a lot of the safety net providers, the community clinics---- Senator Fitzgerald. Are you supporting tougher---- Ms. Goldman. Not necessarily. Senator Fitzgerald. So you're not supporting tougher privacy laws in any of the States? Ms. Goldman. We haven't gotten into that area at all. We're just trying to help folks sort out where the privacy laws in the States and the Federal laws come together. Senator Fitzgerald. OK. Miss Fox, you wanted to say something, and then I am going to have to adjourn the meeting. You have all been terrific witnesses and we appreciate it. Ms. Fox. Thank you so much for letting me just add my two cents. I think it's important to realize that we're not talking about here's the Federal privacy law and here's the State privacy law. The States have multitudes of privacy laws and they're buried in lots of little statutes. For example, there might be a privacy law that talks about AIDS patients, another privacy law that talks about maybe immunizations---- Senator Fitzgerald. But couldn't you argue that it's preempted by HIPAA? Ms. Fox. You have to look at each individual provision in each statute. One State might have ``x'' number that aren't preempted, but lots of ones that are. So it's not simply saying in California it is and in Nebraska it isn't. There are lots of different rules and you have to go provision by provision in lots of different State laws that are buried in lots of different statutes. So it's very complicated. I'll tell you our plans are working through privacy and are very committed to it, but of all the things that they find difficult, it is the conflict between State and Federal rules, and if you're a provider and you're in DC and you practice in Maryland and Virginia, what are your rules? It's very complicated. That's why we're supporting HLC on this position. Senator Fitzgerald. There is one conclusion I think I can safely draw--that HIPAA is probably very good for my profession, which is the legal profession. Ms. Fox. Full employment. Senator Fitzgerald. Full employment for lawyers, health care lawyers. All of you have been terrific witnesses. I wish we had more time. I want to thank you for making the trip here. We will leave the record open for any Senators for a period of 2 weeks. Thank you all very much. This meeting is adjourned. [Whereupon, at 11:43 a.m., the committee was adjourned.] A P P E N D I X ---------- Questions from Senator Lincoln to HHS Question. I am aware that CMS has a contingency plan ready to put into effect that would allow Medicare and Medicaid fiscal intermediaries to run dual systems to accept electronic billing submissions in either the current format or the HIPAA- compliant format. However, CMS hasn't made a decision to implement this plan yet. It seems reasonable to allow this considering the consequences to health care providers. When will you make this decision? Answer. CMS announced its decision to implement the contingency plan for Medicare on September 23, 2003. Each state will make its own decision regarding implementation of it contingency plan. Question. I have heard from providers in Arkansas that much of the privacy law is left up to interpretation. For example, the legal counsels advising the physicians and the legal counsels advising the hospitals often differ in their interpretation of the regulations, and thus many providers have questions. What services has the government provided in answering questions providers might have? Answer. The Office for Civil Rights (OCR) has conducted, and is continuing to conduct, and extensive public education effort to produce and disseminate a wide range of guidance about various aspects of the Privacy Rule that need clarification or are of concern to the public and to covered entities, including providers. We do this through a variety of ways, such as by making presentations to educate various groups, providing a toll-free call-in line for questions, and by publishing Frequently Asked Questions (FAQ) and other guidance and technical assistance materials on our website. The following provides additional detail on each of these activities: Presentations. OCR senior Privacy experts, from Washington DC and throughout our regions, have made well over a hundred presentations during 2003 alone. These include four national, all-day HIPAA Privacy Rule conferences, attended by some 6000 participants, sponsored in conjunction with universities and key industry groups, held earlier this year. In addition, OCR has conducted or participated in numerous telephone audio conferences. Toll-Free Call-In Line. In conjunction with the Centers for Medicare and Medicaid Services (CMS), OCR offers a free call-in line, 1-866-627-7728 for HIPAA questions. Since April 1, combined phone-line operators and OCR staff have received and responded to some 14,000 calls related to the Privacy Rule. Website at http://www.hhs.gov/ocr/hipaa/. Our website plays a key role in our outreach activities, and has enabled us to post and broadly disseminate information that provides additional clarification in helpful areas, and to clear up misconceptions when they arise. In turn, providers can use these posted materials to educate each other. From January through July 2003, OCR's Privacy Rule homepage received 847,800 visits. Some of the helpful materials on our website include: a comprehensive Summary of the HIPAA Privacy Rule, which is linked to more detailed guidance on particular aspects of the Privacy Rule; a Covered Entity Decision Tool, which interactively assists entities in determining whether they are covered by HIPAA; sample Business Associate Contract Provisions; targeted guidance materials explaining the research and public health provisions of the Privacy Rule; and fact sheets for consumers. In addition, a key feature of our website, accessed over 1.2 million times since January of this year, is our database with over 200 searchable FAQs. The database is simple to use, and provides clarifications on many different aspects of the Privacy Rule, including many areas that are of particular interest and relevance to the provider community. For instance, there are a number of questions that address permissible disclosures among health care providers for treatment. Our website is also organized to be as helpful as possible and includes a link focused on materials we believe are of particular interest to small providers and small businesses. We continue to develop guidance and other materials to educate covered health care providers and other covered entities about the Privacy Rule so that the Rule's implementation is effective and efficient, and does not impede a patient's access to quality health care. This includes continuing to develop FAQs as we become aware of misconceptions of other issues about the Privacy Rule that need clarification. We also are in the process of developing additional targeted technical assistance materials, focusing on explaining the Privacy Rule to consumers as well as specific industry groups, including smaller health care providers and institutional health care providers. Question. Health care providers in Arkansas, particularly rural hospitals, have told me that because their older information technology systems require so much updating to comply with HIPAA they may not be ready by October 16. They say even with the grant money available to them, it is still tough financially. What is scary to them is that hospitals won't receive Medicare and Medicaid payments if they are not in compliance by the deadline, or if the fiscal intermediary is not in compliance by that time. What steps has CMS taken to identify those hospitals and other providers who continue to struggle with this (despite the fact that we gave them an extra year to comply) so that they are not faced with a huge financial crisis? Rural hospitals in Arkansas depend heavily on revenue from Medicare to keep their doors open. Answer. CMS has taken a number of steps to ensure the smooth flow of payments after October 16, 2003. Fiscal intermediaries are in compliance; and, CMS has deployed its Medicare contingency plan to maintain provider cash flow and minimize operational disruption while trading partners work with Medicare to achieve full compliance. Furthermore, we understand that all States are prepared to adopt contingencies to keep Medicaid payments flowing. In Arkansas' case, CMS has been working closely with the State for the past three years to provide technical information and funding at 90 percent federal financial participation matching rate for its Medicaid claims processing system. Arakansas has said that the State's system will be able to accept HIPAA-compliant formats as early as October 13. Their backup strategy for providers whose systems are not yet HIPAA- compliant is for them to download from the website software developed by the State to enable all providers to submit HIPAA- compliant claims, together with code crosswalks which walk providers from the old codes to the new ones. As a fallback, providers also can use Direct Data Entry (DDE) to submit claims to the State. Claims would be rejected only if a provider does not utilize these various contingencies. The State is very sensitive to the cash flow requirements of small and rural providers and has made every effort to ensure payments will continue. Question. I have heard from providers that new HIPAA requirements are being added daily, making it impossible for them to keep up. One provider said that they've noted 100 new requirements in a two-month period, Is this true? Answer. No. The requirements have not changed since the Final Rule adopting changes to the HIPAA Electronic Transactions and Code Set Standards was published on February 20, 2003, which actually reduced the number of requirements. It is possible that as they have begun to test, providers are discovering that adjustments to their systems are needed in order to become compliant. [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED] [GRAPHIC] [TIFF OMITTED]