[Senate Hearing 108-256]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 108-256
 
    HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE?

=======================================================================

                                HEARING

                               before the

                       SPECIAL COMMITTEE ON AGING
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             WASHINGTON, DC

                               __________

                           SEPTEMBER 23, 2003

                               __________

                           Serial No. 108-23

         Printed for the use of the Special Committee on Aging



                      U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2004
91-119 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001



                       SPECIAL COMMITTEE ON AGING

                      LARRY CRAIG, Idaho, Chairman
RICHARD SHELBY, Alabama              JOHN B. BREAUX, Louisiana, Ranking 
SUSAN COLLINS, Maine                     Member
MIKE ENZI, Wyoming                   HARRY REID, Nevada
GORDON SMITH, Oregon                 HERB KOHL, Wisconsin
JAMES M. TALENT, Missouri            JAMES M. JEFFORDS, Vermont
PETER G. FITZGERALD, Illinois        RUSSELL D. FEINGOLD, Wisconsin
ORRIN G. HATCH, Utah                 RON WYDEN, Oregon
ELIZABETH DOLE, North Carolina       BLANCHE L. LINCOLN, Arkansas
TED STEVENS, Alaska                  EVAN BAYH, Indiana
RICK SANTORUM, Pennsylvania          THOMAS R. CARPER, Delaware
                                     DEBBIE STABENOW, Michigan
                      Lupe Wissel, Staff Director
             Michelle Easton, Ranking Member Staff Director

                                  (ii)



                            C O N T E N T S

                              ----------                              
                                                                   Page
Statement of Senator Larry E. Craig..............................     1

                                Panel I

Richard Campanelli, Director, Office for Civil Rights, U.S. 
  Department of Health and Human Services........................     3
Jared Adair, Director, Office of HIPAA Standards, Centers for 
  Medicare and Medicaid Services.................................    22

                                Panel II

Cathy Treadway, Medical Practice Administrator, The Woman's 
  Clinic, Boise, ID..............................................    53
Mary R. Grealy, President, The Healthcare Leadership Council.....    65
Alissa Fox, Executive Director of Policy, Blue Cross Blue Shield 
  Association....................................................    76
Janlori Goldman, Director, the Health Privacy Project............    95

                                APPENDIX

Questions from Senator Lincoln to HHS............................   127
Statement of the American Psychiatric Association................   129
The Center for Medicare and Medicaid Frequently Asked Questions..   132
Additional information submitted by the American Psychiatric 
  Association....................................................   134
Statement of the American Clinical Laboratory Association........   168

                                 (iii)




    HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE?

                              ----------                             



                      TUESDAY, SEPTEMBER 23, 2003

                                       U.S. Senate,
                                Special Committee on Aging,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:34 a.m., in 
room SD-628, Dirksen Senate Office Building, Hon. Larry Craig 
(chairman of the committee) presiding.
    Present: Senators Craig and Fitzgerald.

       OPENING STATEMENT OF SENATOR LARRY CRAIG, CHAIRMAN

    The Chairman. Good morning everyone. Thank you all for 
being here. I think some of our witnesses, and probably some 
who would wish to attend, are still struggling in the aftermath 
of Isabel. With the transportation and traffic lights and, of 
course, last night's heavy rainstorm, it has slowed everything 
down a bit. Some of my colleagues will be joining me this 
morning. It is a busy morning here on the Hill.
    We want to thank you all for joining us today. Today's 
hearing will examine an issue of critical importance to the 
U.S. health care system and to the 40 million seniors who 
depend upon it.
    Seven years ago, Congress enacted the Health Insurance 
Portability and Accountability Act, otherwise known as HIPAA. 
At that time, HIPAA's insurance coverage provisions were the 
pieces that received the lion's share of the attention, and few 
paid much attention to other but equally significant health 
care changes buried within the bill.
    Today, 7 years later, two such provisions are at long last 
emerging from a long and tortuous regulatory process. One of 
these, a new set of requirements governing medical information 
privacy, went into effect in April. The other is a bundle of 
new regulations for standardizing medical claims and 
transactions which is scheduled to go into effect just three 
short weeks from now.
    Few can argue with the underlying intent of these 
regulations, namely, the streamlining of health care 
transactions and the protection of medical privacy. However, as 
is often the case with Federal rulemaking, a kernel of 
congressional intent has grown into a towering tree of 
regulatory complexity that I don't think even Isabel could have 
blown over this past week.
    But even with the Federal bureaucracy standards, HIPAA is 
extraordinary. The privacy provisions in the original law, for 
example, numbered just 337 words, whereas the final HHS 
regulation now runs up to 101,000 words. I have heard from many 
Idaho doctors, patients and others, who are deeply troubled by 
the confusion, disruption and uncertainty these new rules are 
creating in the health care system.
    During the month of August, and for the last couple of 
years, at the town meetings that I regularly hold in my State, 
doctors and providers attended expressing great frustration 
over what is anticipated. More onerously, the looming HIPAA 
transaction rules, if they are not reasonably implemented by 
CMS, threaten to trigger what some say may be a train wreck of 
stopping payments, cash-flow disruptions, denied care, or even 
a widespread revision from electronic back to paper claims, 
precisely the opposite effect Congress intended.
    Legislation I sponsored in the last Congress postponed the 
implementation of the transaction rules by one year, but it is 
clear that grave problems remain. Meanwhile, the new HIPAA 
Privacy Rules are continuing to cause confusion among patients, 
providers and insurers. Stories of hospitals turning away 
family members seeking information about their loved ones, as 
well as ideological and disruptive effects, are common among 
the letters I receive from my constituents.
    Also disheartening is the fact that these new regulations 
are costing doctors, hospitals, health plans and, inevitably, 
patients, millions if not billions in compliance costs. We 
would be remiss if we failed to ask: are the benefits from 
these new regulations worth the heavy bite they are taking out 
of our country's already squeezed health care budgets? Are 
needed resources being diverted from the quality of patient 
care, and equally important, is HHS doing everything it can to 
implement a smooth and reasonable process?
    Here today are senior officials from HHS to answer some of 
these questions, as are representatives of providers, insurers, 
and patients respectively. So I look forward to their 
testimony.
    On our first panel today we will hear from the officials at 
HHS most directly responsible for overseeing both the new 
transaction regulations and the recent medical privacy rules.
    Jared Adair is Director of HIPAA Standards for the Center 
for Medicare and Medicaid Services, the agency charged with 
implementation and enforcement of the codes and transactions.
    Also with us is Rick Campanelli, Director of the Office of 
Civil Rights at HHS, the office charged with a similar role, 
managing HIPAA's medical information privacy requirements.
    Miss Adair, we are eagerly interested in hearing from you 
about CMS's plans for the looming October 16 implementation 
deadline. As you know, with only weeks to spare, providers, 
payers and others are waiting with baited breath for the 
directions from CMS, and I'm hopeful that you can clarify for 
us today your agency's intentions as specifically and clearly 
as possible.
    Also, Director Campanelli, we are looking to you to provide 
us with a much-needed clarification about what the new Privacy 
Rules or do not do, or do not require, in common practice 
situations and about what your agency is doing to make 
continuing implementation as smooth as possible. Confusion, as 
you know, runs very, very high amongst all those that I have 
mentioned.
    So, with that, Director Campanelli, why don't we start with 
your testimony this morning, and then we will turn to Miss 
Adair. Thank you both for being with us.

  STATEMENT OF RICHARD CAMPANELLI, DIRECTOR, OFFICE FOR CIVIL 
      RIGHTS, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Mr. Campanelli. Thank you, Chairman Craig. I appreciate the 
opportunity to appear before you today to discuss the HIPAA 
Privacy Rule. As Director of the HHS Office for Civil Rights, I 
oversee, as you said, ``The office that has responsibility for 
implementing, enforcing and aiding covered entities to come 
into compliance with the rule.''
    Just over a year ago, on August 14, 2002, Secretary 
Thompson finalized modifications to the Privacy Rule that 
strengthened its privacy protections and improved workability. 
With the rule's effective date last April, patients now have 
critical Federal protections over the privacy of their medical 
records, rights to access and to correct errors in their 
medical records, rights to control how their protected health 
information is used and disclosed, and a clear avenue of 
recourse if the rights afforded by the rule are violated.
    I know that some 5 months now after the compliance date has 
passed that the committee is interested in hearing how 
compliance is proceeding and what the Department is doing to 
promote compliance and to address areas of confusion that may 
have arisen with respect to the rule. A number of the concerns 
that have come to our attention actually are not a problem with 
the rule itself but, rather, misconceptions about the rule, and 
we are working hard to correct those misconceptions, as you 
will hear.
    For instance, along the lines of some of those 
misconceptions, we have seen reports that doctors may not share 
patient information with other providers unless they first have 
a patient's expressed written consent to do so. That's not 
true, or perhaps it's more accurate to say that we fixed that a 
year ago. The August, 2002 Privacy Rule modifications 
specifically allowed doctors and other providers to share this 
information for treatment purposes, to obtain payment, or to 
carry out their day-to-day operations without first having to 
obtain a patient's written approval.
    Along with having made that and other essential 
modifications before the rule went into effect, we have worked 
hard to provide extensive technical assistance to covered 
entities to help them comply with the rule and to minimize the 
cost and administrative burden of compliance. For example, we 
issued extensive guidance and answers to frequently asked 
questions so that entities have ready and free access to 
correct information. We must be doing something right, because 
our data base, with some 200 frequently asked questions that 
are searchable, has been accessed over 1.2 million times since 
the beginning of the year, most of that just in the last few 
months.
    If you look at Exhibit 2 in your materials and also up 
here, the second chart on the wall, the sample that you will 
see shows just the first opening page of those FAQs, and it 
shows that these FAQs set the record straight and clarify 
misconceptions on a wide range of issues.
    While it is still early to assess compliance with the rule 
overall, we believe that, as a result of our modifications and 
technical assistance, covered entities are widely complying 
with the rule, individuals are widely benefiting from the 
important privacy protections they received, and misconceptions 
are being resolved and eliminated.
    We recognize and are sensitive to the costs necessarily 
associated with the implementation of the rule. That concern 
was behind the modifications which improved workability and 
reduced compliance costs. In December, 2000, we estimated costs 
associated with the rule, as restated in my testimony, and have 
seen cost estimates from time to time from various industry 
sectors, but we can't evaluate how credible those industry 
reports are. We note that most of the industry estimates we saw 
arose prior to the rule's implementation, and many times were 
associated with dire predictions of collapse of the entire 
health care system, which obviously wasn't correct.
    Nevertheless, we remain attuned to the wide range of 
industry and consumer groups who inform us about their 
perspectives on the impact of the rule, often within particular 
industry segments. In addition, we are continuing to develop 
and publish guidance to assist covered entities in complying 
with the rule. Let me highlight some particular elements of 
that guidance.
    We have reached tens of thousands of people through our 
presentations on the Privacy Rule over the last couple of 
years. With a toll-free line we sponsor together with CMS, we 
received 14,000 phone calls just since April 1, and we 
responded to those calls. It's an indication, we hope and 
expect, of success in this regard, in that the volume of calls 
we are receiving now is about a third of what it was when the 
rule first went into effect in April.
    It is gratifying that many of the questions we get on those 
calls and otherwise can be readily answered from the material 
on our website. I won't go through all of them, but if you look 
at Exhibit 1 there, that is the opening page of our website. 
There are some important documents there that are helpful to 
doctors and small providers like the ones you have reflected 
on. For example, there is a summary of the Privacy Rule, which 
is a clear summary, you can click through to particular 
documents that give you FAQs on particular topics, a covered 
entity decision tool, and sample business associate contract 
provisions. We even have a segment of the website that is 
focused on small providers where we have information that we 
think is relevant to folks that you mentioned you are concerned 
about.
    Finally, two other points. We also appreciate the 
assistance of other groups, including members of your second 
panel today, such as the Healthcare Leadership Council and the 
Health Privacy Project, which have produced important 
information about the rule. We have met with each of those 
groups and many others.
    Our commitment to help covered entities comply with the 
rule continues even as we are now pursuing our enforcement 
responsibilities, and in that process, Congress mandated in 
HIPAA that the Department resolve complaints through informal 
resolution with covered entities. The Privacy Rule similarly 
calls upon OCR to provide technical assistance to covered 
entities in appropriate circumstances, even in the context of 
resolving a complaint. Our approach to compliance and 
enforcement is to employ a variety of enforcement options 
available to us, as needed, to ensure that individuals receive 
the privacy protections afforded by the rule.
    At the same time, our experience to date is consistent with 
our expectation, that we will be able to resolve most 
complaints through voluntary compliance and informal 
resolution, the most expeditious way of effectuating the rights 
to the privacy of protected health information.
    Thank you for the opportunity to make this presentation. I 
look forward to your questions.
    [The prepared statement of Mr. Campanelli follows:]

    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Thank you very much for that presentation.
    Now, Miss Adair, we will turn to you. Please proceed.

STATEMENT OF JARED ADAIR, DIRECTOR, OFFICE OF HIPAA STANDARDS, 
           CENTERS FOR MEDICARE AND MEDICAID SERVICES

    Ms. Adair. Thank you, Chairman Craig, and thank you for 
inviting me here to discuss the progress that has been made in 
moving toward compliance with the electronic transaction and 
code set provisions of HIPAA.
    CMS has a dual role in implementing HIPAA. The first is as 
a regulator and enforcer, and the second is as a covered 
entity, including Medicare, which is the largest covered 
entity. CMS also works closely with the State Medicaid programs 
that are, collectively, the second largest covered entity. From 
that dual vantage point, I can tell you that substantial 
progress has been made towards the October 16, 2002 compliance. 
However, I can also tell you that many entities still have a 
long way to go until they achieve compliance.
    Before I tell you what we have done to avoid unintended 
consequences on the compliance data, I would like to say that 
the health care industry continues to believe that the goal of 
HIPAA standardization is the right goal. What they have found 
out is that the ``devil is in the details'' and that 
accomplishing the goal is harder than originally thought. This 
is characteristic of many large systems development efforts.
    Another characteristic of large systems development efforts 
is the need for contingency planning. It is critical to 
acknowledge that things can go wrong and to have contingency 
plans to mitigate those risks. CMS published enforcement 
guidance that preserved October 16, 2003 as the compliance 
date, but also allowed for those working toward compliance to 
adopt contingency plans. If they make reasonable and diligent 
efforts to become compliant, CMS will not impose penalties on 
covered entities that deploy contingencies to ensure the smooth 
flow of payments.
    Specifically, as long as a health plan demonstrates its 
active outreach and testing efforts, it can continue processing 
payments to providers, even if providers cannot submit a 
compliant claim.
    While the industry welcomed our guidance, there were many 
who would have liked us to go farther. They wanted a legal safe 
harbor, but we went as far as the law permitted us. 
Accordingly, some health plans and payers are still reticent to 
announce or deploy contingency plans because of the potential 
of being viewed as legally noncompliant. To alleviate these 
concerns, CMS has been urging plans and payers to review the 
guidance, to assess their training partners' readiness, to 
consider their good faith efforts, and, as appropriate, to 
deploy a contingency plan.
    For example, Medicare is able to accept and process 
compliant transactions, but on September 4, CMS announced its 
contingency plan would be to accept and process transactions 
that are submitted in a legacy format, while continuing to work 
with their trading partners toward compliance. Just today, 
Administrator Tom Scully and Tom Grissom, Director of the CMS's 
Center for Medicare Management, announced the deployment of the 
Medicare contingency plan after reviewing statistics showing 
unacceptably low numbers of compliant claims being submitted. 
This will ensure the cash-flow to Medicare fee-for-service 
providers will not be disrupted.
    Another factor for consideration is the cost of 
implementation. The rule's impact analysis estimated a new 
savings to the health care industry, as a whole, of $30 billion 
over a 10-year period. The estimates were difficult to make. 
For example, there was no existing comprehensive base line 
showing the extent of electronic interchange in the industry, 
nor which transactions and code sets were in use. Many covered 
entities have revised upward their cost estimates because they 
have encountered unexpected complications.
    Aware that such a change to industry business processes 
would be a coster, we looked for ways to minimize the cost. 
First, we adopted standards that were developed by the industry 
and already in widespread use. Second, we provided support and 
education to facilitate implementation. Third, when 
implementation efforts highlighted potential portions of the 
standards that would have increased cost, CMS proposed and 
adopted modifications.
    While difficulties exist in achieving compliance, this is 
not the time to waver in our commitment to offer order and 
consistency in health care administrative transactions. Rather, 
this is the time to work with covered entities as they strive 
for the finish line.
    CMS has provided the potential for a smooth transition 
through our enforcement guidance for those still working to 
achieve compliance. We expect that plans and payers will 
favorably consider deploying contingencies to mitigate 
unintended adverse effects on covered entities' cash-flow and 
business operations. CMS expects that these contingencies will 
mitigate unintended consequences of the transition.
    We are often asked what will happen on October 16, 2003. 
Certainly, there will be problems, but plans and payers' 
willingness to appropriately deploy contingency plans will 
facilitate a smooth transition. The health care industry's 
combined emphasis on HIPAA compliance will allow us to make the 
promises of HIPAA a reality.
    Thank you. I look forward to answering your questions.
    [The prepared statement of Ms. Adair follows:]

    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Miss Adair, thank you very much for your 
testimony.
    Let me start with questions to you first this morning, 
because I think you made some very important comments about 
CMS' plans for implementation on October 16, comments that I 
expect will be viewed with tremendous interest by thousands of 
doctors and hospitals and health plans and patients. Because of 
what you have just said and its importance, let me press you 
for a few moments for some clarification.
    Are you saying that CMS is today announcing a decision to 
deploy a contingency plan under which Medicare will continue to 
accept and pay non-HIPAA compliant or so-called legacy claims 
past the October 16 deadline, at least for a limited period of 
time?
    Ms. Adair. Yes, sir. I am indicating that today 
Administrator Scully did announce that we were deploying the 
contingency that will allow us to accept, to continue to 
accept--which we do right now--compliant transactions as well 
as transactions as we took them prior to HIPAA.
    We will continue to monitor. We will continue our good 
faith efforts of outreach and testing to try to move the rest 
of the folks from noncompliance into compliance. We will 
evaluate their progress and then determine how long to keep 
this contingency in place.
    The Chairman. Well, that's obviously very significant.
    Will private, non-Medicare health plans also be directed by 
CMS to adopt similar contingency plans involving acceptance of 
legacy claims past the deadline?
    Ms. Adair. Since we put out our guidance on July 24, we 
have had meetings with private insurers and talked to them 
about and encouraged them to do that.
    Those decisions are their own business decisions to make. 
We are not in a position to mandate that they do it, but we 
have talked to them about the potentials and encouraged them to 
announce contingencies and, as necessary, to deploy those 
contingencies.
    The Chairman. Will there be any adverse enforcement 
consequences to a plan if a private health plan takes this 
route?
    Ms. Adair. Should we receive a complaint, sir, that 
somebody had done that, we would go back to that health insurer 
and ask them what their good faith effort had been; had they 
done outreach, had they done testing. If they have, in fact, 
exercised what we would call good faith effort, there would not 
be any penalty taken against them for having deployed that 
contingency.
    The Chairman. Would good faith effort be determined by that 
kind of analysis?
    Ms. Adair. Yes, sir.
    The Chairman. When exactly will the details and fine print 
of CMS' contingency plan be available?
    Ms. Adair. We will today be sending instructions to our 
Medicare contractors, so it would be available at that time, 
sir.
    The Chairman. OK. We're 3 weeks away.
    Ms. Adair. That is the exact reason, sir, that on September 
4, we indicated to providers and to insurance companies, if we 
were going to deploy our contingency, what it would be, so that 
they would have an understanding and be able to get themselves 
ready for that. We feel like announcing it in advance helps 
people understand what we would be doing.
    The Chairman. How closely will the actual contingency plan 
resemble the draft contingency plan informally circulated by 
CMS in recent weeks?
    Ms. Adair. Since September 4, sir?
    The Chairman. Yes.
    Ms. Adair. It will be exactly the same. Our decision today 
was to deploy that plan.
    The Chairman. Under CMS' contingency plan, for how long 
past the deadline will Medicare continue to accept legacy 
claims?
    Ms. Adair. I cannot give you a specific date, sir. We will 
be monitoring the percentages of compliant claims in production 
as well as of our providers who are submitting, and make the 
decision based upon that as opposed to a date certain.
    The Chairman. Will the contingency plan include not only 
provisions for payment of noncompliant claims but also 
protection from adverse enforcement actions?
    Ms. Adair. Could you ask that one more time? I'm sorry.
    The Chairman. Yes. Will the contingency plan include not 
only provisions for payment of noncompliant claims but also 
protection from adverse protection actions?
    Ms. Adair. I believe--I want to make sure I'm answering the 
correct question, sir. So the question is, not only are you 
concerned that not a negative action be taken against the plan, 
but about providers submitting those claims----
    The Chairman. Yes.
    Ms. Adair. Should we receive a complaint about one of those 
providers, we would, in fact, ask them if they had made 
themselves good faith efforts to try to become complaint. If 
they had not, we would ask them for a corrective action plan to 
indicate how they would be moving forward. If they did either 
of those, either the good faith or corrective action, we would 
not have any conversations with them about enforcement action.
    The Chairman. OK.
    Ms. Adair. We would not ourselves--I'm sorry.
    The Chairman. Go ahead.
    Ms. Adair. We would not ourselves file a complaint against 
them.
    The Chairman. What is the HIPAA readiness of State Medicaid 
programs?
    Ms. Adair. The Medicaid programs, sir, run the gamut. There 
are, in fact, programs that are notably already compliant and 
have been taking compliant transactions for a while. For 
example, I believe Idaho has been taking compliant transactions 
since January. But there are others that are struggling right 
now.
    The good news is that all plans, all State Medicaid 
agencies, have already instituted contingencies. So even though 
they are still working toward compliance, they have plans to 
continue payment.
    The Chairman. Will Medicaid programs also be covered under 
CMS' contingency plan?
    Ms. Adair. No. Each State would themselves deploy the 
contingency.
    The Chairman. OK.
    Ms. Adair. What I mentioned today was specific to Medicare. 
Each Medicaid State agency, is responsible for deciding what 
their contingency is, as well as for deploying the contingency.
    The Chairman. Do you anticipate much of a revision by 
doctors to paper claims?
    Ms. Adair. I want to separate the conversation here of 
Medicare to all others.
    The Chairman. Yes.
    Ms. Adair. I will deal with the Medicare one first, if I 
might.
    The Chairman. Please.
    Ms. Adair. As you would certainly know, the ASCA 
legislation had a provision in there specifically on Medicare 
that said that, effective October 16, all claims should be 
submitted to Medicare electronically. There were two 
exemptions, notably for physicians' offices that are less than 
ten FTEs, as well as facilities with less than 25 FTEs, and 
would be allowed to continue to submit paper claims. But 
everybody else was required to submit electronically.
    So the answer to the question for Medicare is that we do 
not foresee much of a revision to paper.
    The Chairman. How will the contingency plans impact this?
    Ms. Adair. As you know, sir, Medicare has a very high 
percentage of claims coming in electronically, and since people 
would be allowed to continue in the legacy formats, it should 
have no impact there.
    For the rest of the industry, going back to paper will be 
driven by two things. No. 1, going back to paper would be very 
difficult for some providers if they were already submitting 
electronically. Reverting to paper would have them change many 
of their business practices, which I don't think they would 
want to be doing. Second is that providers may have contract 
arrangements with the plans that may not allow them to go back 
to paper.
    The Chairman. Let me switch now, because I think we're 
building an important record here that a few folks are going to 
be reading in the next few hours as we move toward these 
deadlines. This goes beyond that now to a statement you made 
about a $30 billion savings.
    What are CMS' current projections, if any, of the overall 
cost of system-wide compliance with the HIPAA transaction 
requirements to hospitals and doctors, et cetera?
    Ms. Adair. Well, the $30 billion was an estimate that was 
done back in the impact analysis with the August 2000 rule, 
which promulgated the standards themselves. What you're asking 
me, sir, is our experience in implementation----
    The Chairman. That, because there's so many dollars out 
there for health care, and when we start diverting them to this 
kind of process and procedure, the natural reaction is they get 
diverted away from the patient and the care itself. I think 
that's going to be a growing concern here as we look at the 
overall cost of compliance.
    Ms. Adair. In our impact analysis we acknowledged, and I 
think continue to acknowledge, sir, that in the first couple of 
years we would experience the cost of change, change to these 
electronic formats, to these standards, to these new code sets, 
and that we would be experiencing a cost, and I think we have 
brought that to bear.
    The anticipation--and I think we still believe it--is that 
once we have, in fact, overcome the cost of change, the 
benefits will, in fact, be there.
    The Chairman. Well, that is the flip side and that's 
obviously fair to reflect on. That was going to be my next 
question.
    Have you looked forward, beyond the bubble of cost, if you 
will, to the effect and the savings that the system might 
benefit from?
    Ms. Adair. I think that every day, in conversations that we 
have with industry we assure ourselves that the benefits are, 
in fact, there. As I mentioned in my written testimony, when 
you take a look at what has happened in other industries, be it 
banking, be it the shipping industries, that the benefits of 
standardization, the benefits of inner-operability are there. 
It is the cost of change and the pain of change that is 
difficult to get through. So I believe we still do believe that 
the benefits are there.
    When you take a look right now, where there are over 400 
proprietary formats that insurance claims can be submitted in, 
getting down to the HIPAA standards, the benefits that that 
will bring to the back offices of a physician or a hospital 
are, in fact, very large and very significant for the health 
care industry. So as you point out, it does take money, 
precious money, to do it right now, but the long-term benefits 
and the ability not to be expending those things in the future, 
certainly I think the balance says that standardization is the 
way to go.
    The Chairman. Well, we hope that is the case.
    A couple of last questions to you, Miss Adair. CMS 
announced recently that it would pursue a relatively relaxed 
complaint-driven approach to enforcing the new transaction 
rules. Now, I say that because I think doctors and hospitals 
have labored for years under a very aggressive CMS and OIG 
enforcement of Medicare fraud and abuse rules.
    What assurance should they have that CMS' approach to HIPAA 
will be different in the long run?
    Ms. Adair. We have been hopefully very clear, sir, that the 
most important thing for us when we talk about enforcement of 
HIPAA is compliance, that that is the goal we are working 
toward. We have been clear that we're going to be working on a 
complaint basis. Our hope is that the industry begins to work 
out the issues of noncompliance, but that if somebody wants to 
come to us and file a complaint, we will, in fact, work with 
them to become compliant. We will talk to them about where the 
aberrancies are.
    The legislation provided us the opportunity to work through 
corrective action issues before we ever got to a place where we 
would want to consider moving toward penalties, civil monetary 
penalties. So that our goal really is to exercise what was 
provided to us in the legislation, taking a look at corrective 
action measures before we move to any kind of negative 
activity.
    The Chairman. I think a friendly CMS in that area of 
compliance will be well-received.
    Even CMS itself concedes that only about 14 percent of its 
own Medicare transactions are currently HIPAA compliant. That 
is a disturbingly low number, considering we're just weeks 
away. Even assuming that implementation of contingency plans 
provide for temporary acceptance of non-compliant claims, do 
you believe it is possible for the U.S. health system to be 
ready for full conversion to HIPAA compliance any time in the 
foreseeable future?
    Ms. Adair. I think we are all responsible, sir, for 
continuing to do our best in outreach, getting people into 
testing, so that we dramatically improve what you point out is 
a very low number of claims in production. We are hopeful. It 
is true the number you cite, 14 percent of claims in production 
right now.
    The number of providers is somewhat higher, and the number 
of providers in testing is also somewhat higher. We believe 
that on October 16 the number will shoot up a little bit, but 
obviously, our opinion was certainly not enough to not deploy 
the contingency. But we will continue to work with folks and we 
do believe that, in our history, with changes of formats, that 
we see a steep curve at the very last moment, but we did not 
believe that it was adequate to not deploy our contingency, not 
putting those payments at risk.
    The Chairman. My last question of you--and obviously, we're 
seeing the scope of this regulatory process and moving toward 
compliance. How long do you think it will take for the full 
system to achieve HIPAA readiness, and what additional steps 
will CMS and the industry need to achieve to gain this goal?
    Ms. Adair. I believe that we have formed very good working 
relationships, sir, with the industry. We have been working 
with the associations, both for payers, plans, as well as 
provider organizations, associations. We will continue to be 
working with them to stress the importance of compliance, and 
we will be working with them, sharing with them the statistics 
that we have on both Medicare, and hoping they share their 
statistics with us, of those people that are testing, the 
issues that they are having in testing, and those as they move 
toward compliance.
    It is not until we see the results of those efforts that we 
could make a projection as to what is the date that we thought 
we believed we should drop our contingency.
    The Chairman. Director Adair, let me thank you for your 
thoroughness today and your openness to obviously these very 
real concerns that are out there across the industry at this 
moment.
    Ms. Adair. Thank you for the opportunity.
    The Chairman. I think your announcement today and the 
announcement of Director Scully come as a degree of relief, but 
a clear recognition that, because of the character of the law 
and its intent for implementation, there's going to have to be 
a push forward. I think that cooperative working relationship, 
helping systems through this, is a good deal better and a way 
for our government to approach this problem than to immediately 
start actions and compliance enforcement that recognizes fines 
and penalties. That is not the way to go here as we nudge this 
process along and bring it into compliance.
    We still have small practitioners out there that serve our 
communities and our citizens extremely well. Driving their 
costs up and the complexity of their operations up is not 
necessarily a way to achieve success and/or quality health 
care. So we thank you very much.
    Ms. Adair. Thank you.
    The Chairman. Rick, thank you for your patience. Let me 
follow up with a similar line of questioning to you, because 
your testimony touches on some areas where the new Privacy 
Rules have triggered confusion or disruption amongst patients 
and providers. Clearly, what you have outlined this morning and 
the response to your web page and the clarifications appear to 
be working, or at least certainly being reacted to. Whether 
they're working out there or not, or whether they're clarifying 
action within the waiting room, if you will, is yet to be seen.
    Nevertheless, because I and my colleagues continue to 
receive numerous complaints, I would like you to clarify, as 
specifically as you can, what the new rule does or does not 
require in a few key areas.
    These are, to what extent are providers free to share 
patient information with other providers?
    Mr. Campanelli. Well, that first one, Senator, is the one I 
alluded to in my opening remarks. We have a good treatment of 
it in the testimony and in the FAQs, which I recommend that 
everybody visit.
    The answer is that providers are quite free to share 
patient information with other providers for treatment and that 
means doctors can share freely with other providers without 
having to get advance written consent from any person. I think 
that's the area where you may have heard reports of confusion 
on that.
    The Chairman. Yes.
    Mr. Campanelli. I will say that the anecdotal reports we 
were getting of this early on, after April 14, we heard more of 
that initially than we're hearing now. I think there's a couple 
of reasons for that.
    First of all, we went out of our way to make it clear in 
the modifications that providers can share this information 
freely with other providers for treatment purposes. There are 
specific elements of the rule that provide this ability to 
freely share x rays or other diagnostic information with other 
providers.
    Second, we have guidance and FAQs specifically on this 
topic up there. The word we're getting is that when a provider 
is told by another provider that he can't have that 
information, he tells them ``yes, I can'', and this is why.
    The Chairman. Then this question. Are doctors at risk if 
they use informal or unsecured methods of communicating with 
each other, such as phone calls, e-mails and faxes?
    Mr. Campanelli. Well, the Privacy Rule requires that 
reasonable safeguards be adopted in transmitting information. 
But in most of those cases that you just described--faxes to a 
number that is routinely being used, phone calls to talk to a 
doctor, to another provider--certainly in all those cases that, 
of itself, would be permitted under the rule. It requires 
reasonable safeguards which the fax case, would likely be that 
you confirmed the correct fax number. So on our guidance on the 
web, we particularly talk about the ability of doctors to fax 
information to others for treatment purposes. We make that 
quite clear.
    The Chairman. Where, if at all, is it required under the 
rules for hospitals or other entities to deny information about 
patients to families or friends, to clergy, and what about law 
enforcement?
    Mr. Campanelli. Well, taking them in order, the rule 
certainly does not prohibit the sharing of that information. 
Now, the rule does, as you recognize, adopt provisions which 
protect the privacy of health information. That means that in 
many of those cases what we do is we start out with a 
requirement that the information be protected, unless there are 
provisions in the rule that allow it to be disclosed. But we 
have particular provisions in the rule that permit information 
to be shared with friends and family members, or even anyone 
who the individual patient identifies as being involved in 
their care.
    So in those cases where the patient does not object, the 
rule makes it clear that a doctor can share that information 
with friends, family members, others identified as involved in 
the care relevant to the treatment or even to payment, to 
helping the person obtain payment.
    Let me give a little bit more information about that, if I 
can, because there has been some confusion, where people have 
asked, ``well, what if the patient is not conscious or not 
present?'' In that case, the rule permits unless the patient 
has opted out, has expressed some indication before that they 
don't want the information to be shared--the treatment provider 
or the other covered entity to make that decision in the best 
interest of the patient. So whether the patient is there and 
conscious, or the patient is not there, the information can be 
shared when appropriate.
    The Chairman. Are patients required to accept the new 
privacy disclosures that doctors are giving out at doctor's 
visits before care can be provided?
    Mr. Campanelli. I'm sorry. Say that again, Senator.
    The Chairman. Are patients required to accept the new 
privacy disclosures that doctors are giving out at doctor's 
visits before care can be provided?
    Mr. Campanelli. I think what you're referring to is the 
Notice of Privacy Practices that the rule has. If you've been 
to the doctor, I know you have received one, and you've gotten 
one from your health plan as well.
    The answer is that patients are not required to accept them 
as a condition of treatment. In fact, all that's required is 
for the doctor or the other provider to provide the notice and 
make a good faith attempt to obtain the patient's 
acknowledgement of having received the notice. If the patient 
doesn't want to sign that acknowledgement, the doctor or other 
provider can merely note that they've made an attempt to obtain 
the notice acknowledgement from the individual. It is certainly 
not a condition of treatment to the individual.
    The Chairman. But that kind of information must be within 
the file to hold the doctor harmless?
    Mr. Campanelli. Well, the requirement is that the doctor or 
other provider make a good faith attempt to obtain a written 
acknowledgement or document why it was not obtained, so it 
would be prudent to just note that ``I attempted to get the 
person's acknowledgement--'' you know, someone in the office, 
not necessarily the doctor, but someone in the office to note 
that the attempt was made to get it from the individual.
    We've seen this happen in a wide variety of ways. The rule 
is quite flexible and scalable, as we say, about how this can 
happen. Sometimes there's a form that a person signs when they 
get the notice initially. They can sign it, and that is either 
handed back in, or if the patient declines to do it, then the 
appropriate person there at the office can just note that the 
patient declined to acknowledge receipt of the notice.
    You know, I realize I didn't answer one of your questions 
before that you asked. You asked me about clergy.
    The Chairman. Yes.
    Mr. Campanelli. Would you care for me to go back to that?
    The Chairman. Please, and law enforcement.
    Mr. Campanelli. Law enforcement.
    First, clergy. I was talking earlier about the opportunity 
in the rule, permission in the rule, for providers to share 
information with friends, families, or individuals. Well, 
clergy, similarly, of course, can receive information. But 
there has been some confusion in the clergy arena with the 
issue of hospital or facility directories, as they're referred 
to in the rule.
    Can a hospital have a directory of patient information?
    The answer is the rule envisions and anticipates that 
hospitals or other providers will have this directory of 
patient information, where the patient has the opportunity to 
be included or to opt out of having their information included 
in a directory, and the patient can also include, for instance, 
religious affiliation. So any member of the public--not just 
clergy, but any member of the public--can come in, ask about 
the patient, and if the patient has opted to be included in the 
directory, just like now, just like we're all used to, receive 
information about the patients location in the hospital, and 
general condition.
    In addition, clergy can view the directory without having 
to have the name of the person. They don't have to ask for the 
person by name, and they also can get the religious affiliation 
information. So we are very solicitous of and very careful to 
emphasize that individuals, friends, family, loved ones, others 
involved in care or clergy, can get the information.
    Let me mention that very early on, shortly after the 
compliance date, we got a call from a reporter actually that 
said a woman in one State had gone to a hospital to see her 
husband and was told that she was not allowed to see her 
husband because of HIPAA. I said, well, I don't think there's 
anything in HIPAA that prevents this. So I asked the reporter 
to go back and get a little information.
    Well, it wasn't HIPAA, it wasn't the hospital, so we 
wondered if the husband had actually declined to see the wife. 
It is not HIPAA. HIPAA permits opportunities to share 
information with spouses with families, and with clergy.
    Now, law enforcement. Let me go to that.
    The Chairman. Yes.
    Mr. Campanelli. There are a variety of circumstances under 
which law enforcement can have access to information. Again, 
this is an example where the Privacy Rule balances two key 
interests. A very important interest, which I know you 
recognize, is the privacy of personal health information, and 
also in this case the interest of law enforcement to carry out 
their important responsibilities.
    There are a variety of ways that law enforcement can have 
access to the information. For instance, information that is 
required by law to be disclosed may be disclosed to law 
enforcement. Reporting of gunshot wounds which, State law 
typically requires is permitted. Also, of course, where there's 
a court order or a warrant, the Privacy Rule permits that 
disclosure to occur.
    In addition, there are a variety of circumstances outlined 
in the rule that allow law enforcement to have access to this 
information. For instance, for the purpose of identifying or 
locating a suspect, a fugitive, a material witness or a missing 
person, that information is permitted to be shared with law 
enforcement.
    PHI, Protected Health Information about victims of a crime 
in response to law enforcement's request can be shared with law 
enforcement if the individual agrees. Protected Health 
Information about a decedent can be shared with law enforcement 
if there's a suspicion that death resulted from criminal 
conduct. Evidence of a crime that occurred on the covered 
entity's premises can be shared with law enforcement. So if 
there's an investigation going on right there about a crime, 
that can occur.
    If there is a provider on the scene of a medical 
emergency--for instance, let's say there's a covered entity 
that's an ambulance driver or company that is on the scene 
responding to a medical emergency, they can share information 
with law enforcement about the criminal activity, such as the 
nature and location of the crime, the location of victims, 
identity description, location of the perpetrator of the crime. 
So we have really tried to make it clear.
    We have heard of some areas where there's a misconception 
about this. But there's an array of particular balances in the 
rule where law enforcement is permitted to get this 
information, to permit law enforcement to continue. Our effort 
is to try to get the word out about this to law enforcement.
    A lot of law enforcement jurisdictions understand this. We 
have seen some areas where there's confusion on this and we've 
tried to be in touch with them.
    The Chairman. Are doctors subject to lawsuits if they 
inadvertently disclose protected information?
    Mr. Campanelli. There is no private right of action in 
HIPAA against doctors for violation of the rule.
    The Chairman. In your testimony you cite CMS estimates 
projecting the cost of compliance by the Privacy Rule in the 
neighborhood of $12-$17 billion over 10 years, and I'm sure you 
are aware that some private estimates put the cost quite a bit 
higher than that.
    Recognizing that, even before the new Privacy Rule, 
providers were already bound by the requirements of patient 
confidentiality, how much of a significant improvement are the 
new rules, and are they worth the upwards of $17 billion of the 
already scarce dollars we have discussed throughout this 
hearing?
    Mr. Campanelli. Let me say, Senator, that we are certainly 
sensitive to the cost issues about this. I think there was an 
understanding when Congress mandated or created the process by 
which the Privacy Rule would be created that there would be 
significant costs associated with it, and that they would be 
outweighed, it was thought, and we still believe, in the 
context of the cost savings from administrative simplification.
    One thing I would say. It's true that there are protections 
of privacy, laws to protect the privacy of medical information, 
that exist in various jurisdictions throughout the country. But 
they are really a patchwork of laws, and in many jurisdictions 
there is no protection at all. So certainly one of the key 
benefits of the Privacy Rule is to establish a Federal 
foundation of protection for those rights, and to make clear 
what those rights are.
    Like I mentioned before, the rights of access, the right to 
request an accounting of how disclosures are made and the right 
even to make a correction to the record, to name just a few; 
the right to make sure the information isn't disclosed for 
marketing purposes, or to employers, in violation of the rule. 
All of those are very important rights.
    I think our citizens are well-served by knowing that they 
have those rights, and many, I think when they're reading the 
notices of privacy practices that they receive, really have 
realized for the first time what is at stake here and what 
rights they have available. So we are convinced that the rights 
that are afforded now under the Privacy Rule are significant 
and essential to the protection of privacy of our citizens.
    We recognize there are costs, as Jared said, with respect 
to the CMS circumstance. There are significant startup costs 
associated with this and we recognize this. But we think, over 
time, and we expect--and we are working toward this end--that 
the protections of the rule and the requirements of the rule 
will really become understood as part of the fabric of how 
health care and payment are done and people will understand 
them better.
    The Chairman. Your testimony stresses that HHS is trying a 
primarily compliant-driven approach to enforcement, with an 
emphasis on informal resolution. Yet, recent reports indicate 
that HHS has begun forwarding HIPAA privacy complaints to the 
Department of Justice for criminal prosecution.
    How much of this is going on, and how does this fit with 
the policy of informal resolution?
    Mr. Campanelli. Well, I think it's completely consistent 
with it, Senator. You know, as I'm sure you recognize, some of 
the provisions of the rule, a subset of provisions of the rule, 
are subject to criminal penalties. HHS has responsibility for 
enforcement of violations of the rule that are subject to civil 
penalties, and the Department of Justice is responsible for 
violation of the rules that are subject to criminal penalties. 
So our referral of these cases to Justice reflects the fact 
that these are really within the purview of the Department of 
Justice to pursue them.
    The Chairman. The process for referral is that you have 
already made a determination that you believe these could be 
criminal in nature, not civil?
    Mr. Campanelli. That's correct, to this extent. There are 
elements of the rule--for instance, disclosures that are a 
knowing disclosure of protected health information in violation 
of the rule, those are potentially subject to criminal 
penalties. It is the Department of Justice that imposes those. 
So in terms of our review, we intake cases and sometimes it 
takes a little bit more information for us to determine what is 
really the nature of this complaint.
    But where a matter has arisen and it is apparent that it is 
subject to criminal violations, then those are appropriately 
dealt with by the Department of Justice and we refer them to 
the Department of Justice.
    The Chairman. Despite its huge size and complexity, the 
Privacy Rule nevertheless relies heavily on some very general 
standards, such as what a doctor may reasonably infer or 
requirements to provide only minimum amounts of information 
necessary.
    What steps can HHS take to give providers and patients the 
guidance they need to understand what these broad terms 
actually mean in real world resolution?
    Mr. Campanelli. Yes, Senator. We are sensitive to that. You 
know, I just want to step back a bit for a minute and say why 
is it like that.
    I think one of the reasons is that the rule, as I said 
before, attempted to be flexible and scalable. We recognize 
that the covered entities who are subject to the rule run 
everywhere from the small provider that you talked about in a 
rural office, in a remote location, to major institutions. What 
is appropriate and reasonable in the context of one would not 
be appropriate and reasonable in the context of others. So 
that's why the rule necessarily, and I think appropriately, 
includes references to reasonable safeguards, because we 
recognize that many of these things are not only relevant to 
the size of the provider but to the particular context. Really, 
you have to look at the circumstances to see what's 
appropriate.
    Now, how can we help with that? Well, I think that's where 
our guidance has really come in and been welcome. In fact, the 
rule in some cases makes it clear. For instance, I mentioned 
with respect to providers' sharing x rays and other diagnostic 
information for treatment. It is in the Privacy Rule where it 
says that this information can be shared with reasonable 
safeguards.
    But in our guidance we try to give examples, helpful 
examples, as much as possible, where we have been able to 
identify, for instance, in a semi-private room, that a doctor 
who is talking in a semi-private room should adopt reasonable 
safeguards. That may mean lowering his voice in the room. You 
know, we have offered that kind of information.
    Or about medical charts. We have seen some confusion about 
medical charts. People have said you can no longer have medical 
charts on the wall on a patient floor. Well, it depends on what 
other safeguards you can bring to bear on the case. Many times 
a completely reasonable circumstance will be just to make sure 
that any identifying information is facing the wall.
    So in answer to your question, with the particular FAQ 
guidance or our extensive guidance that's on the web right now, 
where we have narratives and examples, that's what we're trying 
to do. When we hear from folks that they need more assistance, 
we have tried to be responsive to that.
    I might just add that we are also in the process of 
developing targeted information or guidance to particular 
segments of the industry. For instance, small providers are 
likely to be one of those groups.
    The Chairman. You mentioned earlier, in response to a 
question, the hodgepodge, if you will, of States and the 
creation of uniformity that this provides. In some instances 
State laws are more stringent than HIPAA.
    Mr. Campanelli. Yes.
    The Chairman. They argue that it's very difficult to assess 
in practice.
    Do you see this as a serious problem? What steps is HHS 
taking to provide guidance regarding State preemption?
    Mr. Campanelli. First, I confirm that the Privacy Rule 
defers to more stringent State standards for the protection of 
privacy. So that's correct. That means if a particular State 
has a more stringent standard----
    The Chairman. Equal to or greater than.
    Mr. Campanelli. That's right, sir. In that State then, if 
there is a higher standard for the protection of privacy with 
respect to a disclosure or the use of personal health 
information, that higher standard would apply. Obviously, that 
will vary from jurisdiction to jurisdiction.
    The Privacy Rule defers to States where they have opted to 
take a higher or a more stringent position as to the protection 
of health information.
    Also, though, I want to say that in some circumstances we 
are able to help covered entities comply where they have to 
look to both State and local law. In fact, just recently, I 
think just at the beginning of this month, in September, we put 
up on the website a frequently asked question that helped 
organizations and covered entities understand how they can more 
easily and readily incorporate the State law into their Notice 
of Privacy Practices, so that if they are a multijurisdiction 
covered entity, they don't have to completely redo the entire 
Notice of Privacy Practices every time a State law changes. We 
tried to come up with a reasonable way where covered entities 
could reflect the more stringent State standards and just 
change that appropriately in a more narrow way, rather than 
having to change everything. We are sensitive to that issue.
    The Chairman. To both of you, thank you very much, Dr. 
Campanelli, Director Adair. Thank you for your presence here 
today and your forthrightness and testimony. I think we have 
built a valuable record here and some extremely valuable 
information has flowed this morning.
    As you know, that is part of the responsibility of this 
committee. We are a nonauthorizing committee, but we do work to 
build a record for the other committees to use, and finance is 
certainly one of those who uses us very readily, as 
informational sources in looking at compliance or in looking 
any adjustments or changes within current law. Again, we thank 
you very much for your time here this morning, and we will 
excuse you.
    Ms. Adair. Thank you.
    Mr. Campanelli. Thank you, Senator.
    The Chairman. I will now ask the second panel to come 
forward, please. Next let me welcome our second panel.
    Cathy Treadway is a Medical Practice Administrator from 
Boise, ID. She has been very active in helping coordinate HIPAA 
preparation efforts statewide and is, I am told, one of Idaho's 
best experts on this extremely difficult subject.
    Mary Grealy is President of the Healthcare Leadership 
Council, which is, as its name suggests, a leading voice for 
America's health care industry, including providers, payers, 
and health care entities and companies.
    Alissa Fox is Executive Director for Policy for the Blue 
Cross/Blue Shield Association of America, and will talk with us 
about how the health plan community is responding to HIPAA, in 
particular the new transaction standards.
    Finally, Janlori Goldman is Director of the Health Privacy 
Project, perhaps the country's most prominent non-profit 
advocacy organization, focusing on patient privacy issues.
    We welcome you all. Cathy, you came the furthest, I think, 
so we will allow you to go first. We do appreciate you coming 
out from Idaho to be a part of this record. Please proceed.

 STATEMENT OF CATHY TREADWAY, MEDICAL PRACTICE ADMINISTRATOR, 
   THE WOMAN'S CLINIC, BOISE, ID; APPEARING ON BEHALF OF THE 
              MEDICAL GROUP MANAGEMENT ASSOCIATION

    Ms. Treadway. Good morning. I am Cathy Treadway, the 
Administrator of the Woman's Clinic, a nine-physician, 65 
employee specialty OB/GYN practice in Boise, ID. I am a member 
of the Medical Group Management Association and have held 
several leadership positions in the Idaho MGMA. MGMA is the 
Nation's oldest and largest medical group practice 
organization, representing more than 19,000 members who manage 
and lead 11,000 organizations, in which approximately 220,000 
physicians practice.
    I would like to thank Chairman Craig and the committee for 
convening today's hearing on HIPAA implementation. Over the 
past 2\1/2\ years, I have dedicated considerable energy to 
increasing my knowledge of the HIPAA regulations and helping to 
educate providers throughout Idaho as a member of the Idaho 
HIPAA Coordinating Council. While I will be commenting briefly 
on the HIPAA Privacy Rule, I will focus particular attention on 
the electronic transactions and code sets, the TCS Rule.
    I would like to begin by discussing the implementation 
costs which practices already have incurred and will continue 
to incur in the future.
    Examining just our small practice, the Privacy Rule 
implementation costs total in excess of $10,000. Like practices 
throughout the country, we struggle with limited resources to 
deal with the magnitude, complexity and costs of HIPAA 
implementation. I must emphasize that these are just the 
initial Privacy Rule implementation costs. There are 
significant ongoing privacy costs for each practice, including 
continuing education, training of staff and physicians, 
printing and facility modifications.
    Practice costs for TCS implementation typically include new 
HIPAA compliance software, computer hardware, staff training, 
education materials, and for my practice, additional claim 
costs averaging $500-$600 per month. In addition, there are 
numerous future HIPAA standards scheduled for implementation. 
These include national identifiers, electronic claim 
attachments, and security. Each of these standards will demand 
additional implementation costs. These expenses must be 
considered in conjunction with the many unfunded mandates group 
practices face: projections of decreasing physician 
reimbursement and sky-rocketing medical liability premiums.
    It is imperative that both Congress and the Administration 
not examine the effect of any one regulation in a vacuum, but 
consider the cumulative effect that government decisions have 
on patient access to quality care.
    Let me briefly discuss the privacy regulations. While some 
uncertainty regarding particular aspects of the rule remains, 
it is important to note that we have not encountered any 
significant problems from patients. Rather, the continuing 
challenges stem from provider misunderstanding, 
misinterpretation, and uncertainty in complying with the rule's 
requirements. I have outlined these lingering issues in my 
written statement.
    I now wish to discuss the migration to the HIPAA standards 
for TCS. Along with providers around the Nation, I am fearful 
that cash-flow will be disrupted following the mandated 
compliance date of October 16.
    I have highlighted in my written statement my concern 
regarding the current readiness level of most group practices 
throughout the country. I would like to note, however, that 
many of the members of this committee represent States with 
large rural populations and, as such, I believe providers in 
those jurisdictions share many if not all of my concerns.
    According to an informal survey that I conducted, many 
Idaho health plans are just beginning to test claims with their 
provider customers. As a result, the vast majority of Idaho 
health practices do not feel that they will be ready to submit 
HIPAA compliant claims by October 16. In addition, some 
software vendors are requiring providers to process their 
claims through a proprietary commercial clearinghouse, thus 
incurring a per-transaction charge. The result is yet another 
unanticipated and ongoing cost for providers.
    In my own practice, we have experienced significant claims 
testing challenges. During our initial round of testing, the 
rejected claims contained no specific error information. Thus, 
we had no idea if the error was with our own software, our 
clearinghouse, or potentially non-compliance on the part of our 
health plans. As of September 19, last Friday, our vendor-
designated clearinghouse has yet to schedule testing with some 
of the largest health plans in the State, including Blue Cross 
of Idaho, Regence Blue Shield, and Idaho Medicaid. How can we 
even hope to be paid by our payers after October 16 when we 
cannot even test our claims? Fears of payment delays are 
exacerbated by the fact that in States without prompt payment 
laws, such as Idaho, there is no incentive for health plans to 
pay claims expeditiously. In addition, Idaho Medicaid cannot 
accept both legacy claims and HIPAA compliant claims. It is 
HIPAA compliant or their software or paper claims.
    Our continuing concern with the lack of industry readiness 
led MGMA and almost 40 other provider organizations to request 
the government issue a definitive statement to the industry 
regarding enforcement of the TCS standard. On July 24, HHS 
responded with guidance regarding the enforcements of the HIPAA 
TCS standards after October 16. The HIPAA statute requires 
covered entities to comply with TCS by October 16. By restating 
that fact while also outlining some conditions under which CMS 
will not impose penalties, the agency sent health plans 
conflicting messages in the July 24 guidance. Consequently, 
some health plans believe that they are legally compelled to 
reject noncompliant transactions. This quandary is particularly 
problematic for those health plans that will not be compliant 
until shortly before the deadline and, therefore, are not in a 
position to engage in provider testing until that point. 
However, the guidance did send a signal to health plans that 
they should make every effort to continue the cash-flow for 
their provider customers.
    CMS bolstered this enforcement flexibility position with 
the publication of a set of Frequently Asked Questions on 
September 8. In them, CMS states that a contingency plan for a 
payer could include not only the acceptance of legacy claims, 
but also flexibility in terms of data content and the offering 
of interim payments.
    Legacy claims are those that CMS and private plans 
currently accept. Exercising data claim flexibility would allow 
the government and private sector plans to process and pay 
claims that do not include all the required data elements. 
While MGMA was pleased to see this turn around, we believe CMS 
must explicitly tell noncompliant health plans that failure to 
develop appropriate contingencies to prevent cash-flow 
disruptions is unacceptable and is grounds for immediate 
enforcement action.
    Regarding TCS, CMS should first instruct its intermediaries 
to continue processing noncompliant claims after the October 16 
deadline. We are pleased to hear this morning the announcement 
regarding CMS contingency plans. However, CMS needs to clarify 
that all public and private health plans are permitted to 
accept, process and pay HIPAA compliant claims with fewer data 
elements than required.
    Second, CMS should strongly encourage health plans to 
return claims to providers with an explanation of any data 
content deficiencies in a timely manner. This will permit the 
entry of missing data and prompt resubmission of claims.
    Mr. Chairman, while MGMA is confident that complete HIPAA 
implementation will eventually ease some administrative burdens 
and facilitate improved data inter-change within the health 
care community, significant roadblocks continue to exist. MGMA, 
along with Idaho MGMA and IHCC, believe our recommendations 
will help providers manage this difficult transition.
    We urge Congress to play an active role in ensuring that 
the administration takes the necessary steps to avoid 
interruptions in the delivery of care.
    I appreciate the committee's interest in this important 
topic and thank the committee for inviting me to present my 
views on this issue.
    [The prepared statement of Ms. Treadway follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Cathy, thank you very much.
    Now let me turn to Mary Grealy.

 STATEMENT OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP 
                            COUNCIL

    Ms. Grealy. Thank you, Mr. Chairman. Thank you very much 
for this opportunity to testify on the medical privacy rules 
that are part of the Health Insurance Portability and 
Accountability Act, HIPAA.
    This is a matter of considerable importance to America's 
patients, health care consumers and health care providers, and 
I commend you for the attention that you are bringing to this 
important issue.
    I am here today on behalf of the members of the Healthcare 
Leadership Council, a coalition of the Nation's leading health 
care companies and institutions. Our membership embodies all 
sectors of health care, and every one of our members is 
directly affected by the HIPAA Privacy Rules.
    HLC also leads a coalition of over 100 organizations that 
strongly supports effective patient privacy protections.
    Mr. Chairman, you called this hearing in part because of 
information you are receiving from health care providers about 
the cost and confusion associated with the HIPAA privacy 
regulations.
    Let me say at the outset that we believe many of these 
difficulties could be avoided if Congress enacted a single 
national uniform standard for medical record confidentiality. 
What we have instead is a new Federal privacy regulation that 
does not replace the existing patchwork quilt of various State 
privacy laws but, rather, coexists with those laws. So no 
matter how well regulators write these rules, additional cost 
and lack of clarity is inevitable because doctors, hospitals 
and others are trying to navigate through a maze of Federal and 
State laws and regulations.
    Having said that, let me specifically address the impact of 
the HIPAA Privacy Rules. To say these regulations are complex 
is an understatement, but that is, in part, because they are 
attempting to fulfill a difficult objective. How do we protect 
the sanctity of a patient's medical information privacy while 
at the same time ensuring that necessary information is 
available for providing quality health care and conducting 
vital medical research? The HIPAA regulations as revised by the 
current administration, while not perfect, do attempt to strike 
this necessary balance.
    In terms of the value of these regulations, one point needs 
to be made. They do exactly what they are intended to do. 
Disclosing identifiable health information for purposes other 
than carefully defined, appropriate health care activities is 
strictly prohibited, unless the patient grants specific prior 
written authorization. If you disclose an individual's medical 
information to their bank, their neighbors, their employer, or 
their local newspaper, without their permission, you are going 
to be hit with Federal civil and criminal penalties.
    These regulations, as I said, are not perfect, but they are 
an improvement over what they might have been. Under the 
original proposed regulations developed by the previous 
administration, patients would have had to give their written 
consent before they could receive treatment, receive a reminder 
to make an appointment, have a doctor schedule their surgery, 
or even have a relative pick up a prescription. These rules 
would have generated treatment delays and volumes of 
unnecessary paperwork.
    There are more improvements, though, that need to be made. 
As we revisit these rules--and there is a provision to have 
them reviewed and modified annually--we need to ask a critical 
question: do these regulations sap resources for unnecessary 
compliance activities, resources that could otherwise be 
devoted to patient care? The answer to that question is clearly 
yes.
    HHS has estimated that the Privacy Rule will cost the 
private sector $17.5 billion over 10 years. Compared to other 
studies, including one by Blue Cross/Blue Shield, this is a 
very conservative estimate. Regardless of the actual total, it 
is clear that we're seeing billions of dollars funneled toward 
regulatory compliance at a time when health care providers are 
coping with dire fiscal austerity.
    The Inova Health System in Virginia, with five hospitals 
and 1,400 beds, told a congressional staff briefing that their 
implementation costs had thus far totaled about $1.5 million. 
Concentra, a network of 244 occupational health care centers, 
has already spent $3 million on initial implementation of the 
Privacy Rule.
    A single small hospital, Emerson Hospital of Concord, MA, 
has had to devote two full-time employees whose sole jobs will 
consist of HIPAA related paperwork. They will be compiling 
detailed information disclosure records that few if any 
patients will ever request.
    There is a need to undertake a comprehensive review of 
these regulations to determine how to best achieve their 
intent, without forcing the expenditure of precious resources 
for nonessential compliance activities.
    Mr. Chairman, health care companies and institutions want 
to act as working partners with the public and with the 
government to ensure that we achieve strong patient privacy 
protections without impeding treatment and medical research. 
While we still believe that the best course of action is a 
single, uniform Federal privacy standard, we look forward to 
working with this committee and with the Administration to 
ensure that Federal patient privacy protections serve the 
national interest as efficiently and effectively as possible.
    Thank you.
    [The prepared statement of Ms. Grealy follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Thank you, Miss Grealy.
    We will next hear from Miss Fox.

  STATEMENT OF ALISSA FOX, EXECUTIVE DIRECTOR OF POLICY, BLUE 
               CROSS AND BLUE SHIELD ASSOCIATION

    Ms. Fox. Thank you, Mr. Chairman. I appreciate the 
opportunity to testify this morning on HIPAA's administrative 
simplification rules.
    Blue Cross Blue Shield plans across the country are very 
committed to the goals of administrative simplification to 
reduce the costs, hassles, and paperwork of our health care 
system. However, we are concerned that these goals will not be 
realized unless we change the entire process for establishing 
and implementing the many administrative simplification 
standards that lie ahead of us.
    I would like to make three points. First, despite a 3-year 
implementation period, with an extra year that we got, thanks 
to your leadership, Mr. Chairman, we still have many providers 
who are not ready for the October 16 HIPAA transaction and code 
set regulation, just 3 weeks away. As a result, payers are 
planning to deploy expensive backup contingency arrangements to 
minimize disruptions and prevent unintended consequences, such 
as providers returning to paper in order to get paid.
    There are several reasons for our unreadiness: general lack 
of awareness about the regulation, especially among small and 
rural providers; lack of understanding about the cost and 
complexity of what it takes to become HIPAA compliant; and the 
late revisions made to the rule just last February that 
resulted in delayed vendor software needed by the industry.
    Second, important lessons can and should be learned from 
the first phase of HIPAA administrative simplification which 
should be considered before additional standards are adopted.
    It is important to realize there are numerous additional 
standards on the horizon. They fall into three categories. 
There are additional HIPAA rules that HHS is expected to 
release in the next year that Cathy Treadway talked about a 
little bit earlier. Second, there are modifications to the 
standards that we are just now implementing, some of which call 
for wholesale, very expensive changes, such as ICD-10, and new 
information technology initiatives by Congress and the 
administration to develop uniform standards for clinical 
information and the interoperability of information systems so 
that patients' medical records can move from doctor to doctor 
across the country electronically.
    We believe the lessons learned include, first, a credible 
cost-benefit analysis, which is a must before any future 
standards are adopted. When HHS adopted the transaction and 
code set rule, the projected costs were greatly underestimated. 
HHS estimated the cost at $5 billion for the entire industry. 
Two years ago, we commissioned the Nolan Company who found the 
HHS estimate to be understated by a factor of 10 for health 
plans and a factor of 3 for providers, thereby underestimating 
total industry cost by $11 billion.
    Now that the compliance date is here, it appears the Nolan 
estimate is on the low side and that the actual industry costs 
just to implement the HIPAA administrative simplification 
transaction and code set rule are likely to be significantly 
higher than the earlier $16 billion we originally estimated.
    A second lesson learned is that the industry must involve 
all aspects of their operation in developing the standard, not 
just the IT shop. A key mistake all stakeholders made is 
treating administrative simplification as a systems issue, just 
like Y2K. We have found, however, that these standards have a 
ripple effect throughout the entire health care operation, 
whether it's a payer, a health care clinic, or a hospital. A 
change in one simple code can affect medical policy, quality 
improvement programs, how much you get paid for the service, as 
well as fraud and abuse detection efforts, just to name a few.
    The third lesson is standards must be pilot-tested before 
we adopt them. It is only when a standard is actually pilot-
tested that we can identify the issues and any unintended 
consequences that should be addressed before we ask the entire 
industry to go ahead and adopt them.
    Finally, we urge Congress to create a high level 
stakeholder commission to develop a national health care 
information technology strategy based on industry consensus. 
The current piecemeal approach to information standards is akin 
to building a house room by room without an overall blueprint. 
While the standards now being contemplated have great potential 
to improve quality and cut costs, this goal will not be 
realized under the current process. The industry needs a 
blueprint to know where we are headed, with a prioritization 
and timeline to provide order and predictability to all of us, 
and importantly, to ensure that the standards are implemented 
in the most cost-effective and efficient manner.
    Mr. Chairman, as you have highlighted this morning, with so 
many demands on the industry, health care premiums rising at 
double digit rates, and with over 40 million Americans 
uninsured, it is critical that we spend our resources wisely.
    Thank you.
    [The prepared statement of Ms. Fox follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Miss Fox, thank you very much.
    Now, the last person on this panel, Janlori Goldman, 
Director of the Health Privacy Project. Welcome. We look 
forward to your testimony.

  STATEMENT OF JANLORI GOLDMAN, DIRECTOR, THE HEALTH PRIVACY 
                            PROJECT

    Ms. Goldman. Thank you. Thanks very much for inviting me to 
testify.
    As you probably know, the Health Privacy Project not only 
develops expertise and analysis on a range of health privacy 
issues, we also coordinate a consumer coalition for health 
privacy. It is made up of provider groups and disability rights 
groups, labor organizations and consumer groups so that we can 
better represent the interests of patients, since we all are 
patients. We can better represent the interests of patients who 
both want research to go forward, and want to improve health 
care, but also want to make sure they're not putting themselves 
at risk for discrimination and privacy violations.
    The Privacy Rule, as you have heard already today, is the 
first Federal law that provides a minimum set of privacy and 
security rules for Medical information. It allows both provider 
groups and health plans to build privacy into the practice of 
delivering health care.
    One of the things that has not been discussed this morning 
that I want to talk about for a moment is why we needed this 
health privacy law. We needed it because we had documented 
evidence that, without privacy, people had barriers to care, 
quality of care was at stake, and some people were afraid to 
get health care because they didn't want to subject themselves 
to potential discrimination. They were afraid their employers 
would get access to information, they were afraid that friends 
and family members, coworkers, might learn about sensitive 
conditions. Where they were not able to be honest with their 
doctors, they put themselves at risk for untreated and 
undiagnosed conditions.
    We believe very strongly that there is a high cost that has 
been paid by the public because of the lack of privacy, and a 
cost that has not been assessed either by this Administration 
or by any of the industries who talk to you about the cost of 
putting privacy in place. We believe there will be substantial 
cost savings, not just the offset from the transaction and code 
set rules, but also because people will be more encouraged to 
fully participate in their own care and, again, not put 
themselves at risk.
    We also know not just the empirical data in terms of this 
20 percent who have withdrawn from care, but we also know 
individual stories that have been very compelling, people who 
have lost their jobs because information was misused, people 
whose information was sold without their permission, people 
whose information was put on the Internet, and most recently, 
even in the Kobe Bryant case, the accuser there had her medical 
records released by a hospital in Colorado without her 
knowledge, without her permission, and against both Colorado 
law and the privacy regulation.
    The Privacy Rule, as you heard, was a long time in the 
making. It went through an extensive rulemaking process. The 
Bush Administration did make substantial modifications to ease 
industry concerns. But we do have limits on access and 
disclosure outside of health care. People can now get their own 
records, and the notice is very substantial in telling people 
how their information is used.
    Despite a 2\1/2\ year implementation process and compliance 
period, myths do persist. I think that Director Campanelli 
testified very eloquently about how most of those myths have 
been dispelled. Most of the initial myths and misperceptions 
and confusion about the privacy regulation was in some ways 
kind of a blip. There was a lot of early misunderstanding, most 
of which was put to rest by OCR, and by the industry. The 
Health Privacy Project put out a Know Your Rights. We have done 
some substantial public education.
    But some of the myths do persist, and I think they're very 
troubling. For instance, the myth that doctors can't share 
information with each other or other health care providers--
absolutely wrong. Relatives can visit their family members in 
the hospital and pick up prescriptions and other kinds of 
medical information unless, of course, the patient has taken a 
step to opt out.
    The notice is not a consent form. The Bush Administration 
was clear that consent is not required for treatment and 
payment. The notice tells people how their information is used 
and what their rights are. It does not have to be signed. We 
just encourage people to do it to acknowledge that they 
received it. There is no private right of action, so under the 
Federal law people don't have a right to sue.
    The cost issue I think I have addressed already.
    State law, which some people have addressed, is really 
important. Prior to promulgation of the privacy law, the Health 
Privacy Project compiled and summarized State Medicaid privacy 
laws. They are available on our website for free.
    We found that the Privacy Rule will bring substantial 
uniformity. Yes, there will still be 50 different State laws, 
but for the most part, most of them will be preempted because 
the Federal rule is more stringent or more comprehensive. Where 
the State laws will still continue to exist is usually in a 
condition-specific area. There are specific laws related to 
HIV/AIDS or mental health, or abuse and neglect. Those laws 
were carefully crafted at the State level and they will 
continue to stand. The Privacy Rule doesn't address medical 
privacy on a condition-specific basis.
    Let me just conclude with three quick points. We believe 
the privacy regulation is absolutely important in encouraging 
people to get care, in improving quality of care, so the 
information we have for research and public health is reliable. 
We believe that it allows information to flow freely within the 
health care context without barriers, but it puts limits and 
safeguards in place so the information will not go to 
employers, will not go to law enforcement without some court 
order, that there are some limits in place. We think that's 
critical.
    The temporary confusion, as I have said, I think has been 
addressed by OCR, by the Health Privacy Project, and others. 
But I want to urge the professional and trade associations, 
many of whom are in this room today, to step up their technical 
assistance and their guidance. Some of the confusion that 
occurred early on I think was inexcusable, involving some very 
fundamental, basic misunderstandings and confusion. So I think 
we know what those areas are and to step up technical 
assistance is key.
    Again, I don't think it is fair to ask people to sacrifice 
their own health care and their own ability to get care in 
order to protect their privacy. We know a substantial portion 
of this population has done that so far. My hope is that, over 
the next few years, we will be able to go back into the public 
and do another survey following up on our 1999 survey, to 
measure if the privacy regulation encouraged people to get 
care. Has it encouraged doctors and patients to communicate 
more freely with each other? Have we seen that the cost issues 
in some ways are outweighed and maybe even offset by increased 
participation and by the transaction and code sets? So I look 
forward to that continuing dialog with you and the rest of the 
committee.
    Thank you.
    [The prepared statement of Ms. Goldman follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Ms. Goldman, thank you very much.
    I don't think there's anyone on this committee, certainly 
not the Chairman, who doubts the value of and the importance of 
why Congress moved in the direction it did, not only for the 
very reasons you talked about--individuals denying themselves 
care for fear of a disclosure--but also the reality of the 
march of medical science. We all understand a doctor and 
medical professional's relationship to a patient and what that 
professional may know simply by medical science's ability today 
to determine certain kinds of things we didn't know that might 
determine future decisionmaking for the part of the patient 
that we as a society ought not be disclosed beyond that is 
critically important. I hope that we work our way through it.
    My intent is not to cast a shadow over the importance of 
the privacy, but to make sure that we do it right, that we 
streamline it as best we can, that we get the informational 
flow out so that it doesn't become an impediment. It was not 
intended to be. So I thank you for that testimony.
    I'm going to have to leave, but I must tell you, I am 
pleased to be joined by my colleague, Senator Peter Fitzgerald, 
who is going to carry on with the questioning. The first 
question he's going to ask, I do believe--I'm going to set him 
up for it--is a question that you, Cathy, alluded to, and some 
of you did, and I would like for the record for you to assess 
the announcement that you heard this morning from CMS as it 
relates to style of implementation, method, process to the 
legacy clause and all of that, and what that's going to mean in 
the short term as we work our way through this very complicated 
bureaucracy or regulatory process that we have set ourselves 
into with HIPAA.
    Last, let me thank you all for being here, and especially 
let me thank the Senator for joining us this morning as a 
member of this committee to ask some very important questions 
for the record. Thank you.
    Senator Fitzgerald. [Presiding.] Senator Craig, thank you 
very much.
    I did want to ask you your thoughts on CMS' announcement 
this morning. Do you believe their willingness to extend the 
time past October 16 for filing claims under the old system 
will have a positive effect, and do you think any additional 
steps are needed? Anybody on the panel, I would encourage you 
to respond.
    Ms. Treadway. Mr. Chairman, I would say that it is much 
appreciated that CMS has recognized that we will not be ready 
October 16, and taking the opportunity to extend that so that 
the health plans can accept both legacy claims and the HIPAA 
compliant claims.
    However, as I mentioned in my statement, as we look at 
Idaho, not all systems can take both HIPAA compliant claims and 
legacy. It's one or the other. The State of Idaho Medicaid is 
in that exact situation. So even though it will help, it still 
has a long ways to go before we will not be experiencing delays 
of payment.
    In addition, I also mentioned that we need guidance on 
whether they can accept and process and pay HIPAA compliant 
claims that don't have all the data elements that are required. 
All the new elements that are required are not necessarily 
needed to process payment. We do not want to see health plans 
being able to deny claims that they could process and pay. In 
Idaho, we do not have prompt payment legislation. That means 
there is no incentive for health plans to make that extra 
effort to get those claims paid. We are very fearful there will 
be significant delays in payment, which are going to affect our 
clinic's ability to provide care for our patients.
    Senator Fitzgerald. Miss Fox.
    Ms. Fox. Yes, I would like to comment. Thank you. I would 
like to comment both with respect to Medicare and as a private 
payer. Many of our plans contract with CMS and are actually the 
day-to-day processors of the Medicare claims. So we believe 
that their announcement today is very good news.
    Both our Medicare contractors and private payers are very 
concerned that the low level of provider readiness could, if 
you don't have an announcement like this, result in providers 
returning to paper claims. Paper claims are expensive, both on 
the part of the provider and the payer, and could involve 
significant delays in payment because you would have to hire so 
many more people to process those paper claims. Under CMS' 
announcement, Medicare has announced that they will process the 
old electronic formats so that providers won't have to revert 
to paper if they're not ready for October 16.
    On our private side, we are now polling our plans. Our 
plans are prepared. They do have contingency plans that would 
also allow existing legacy claims to be submitted and processed 
after October 16, and we are now polling our plans to see to 
what extent they are going to deploy them consistent with CMS' 
guidance.
    I would add, however, that one of the recommendations made 
by MGMA is just not doable. What they are asking is that CMS 
tell payers that they must process a partially complete HIPAA 
claim. The whole purpose of standardizing these HIPAA 
electronic claims is so that a provider, when they submit a 
claim to Aetna, Cigna, Blue Cross or Medicare, knew that once 
they filled out the claim, that was an acceptable claim for all 
payers.
    If you start saying you're only going to fill out 60 
percent for one payer, 70 percent for another payer, you 
basically return to what we're trying to get away from, which 
is a lot of variation by payers instead of standardization. So 
we are very committed to the standardization and we're very 
committed to smoothing transition to HIPAA and assuring cash-
flow to providers. We believe by plans continuing to process 
existing legacy claims after October 16 for some period of time 
the objective of smoothing the transition will be met.
    Senator Fitzgerald. Any other comments on that?
    Ms. Grealy. Senator, I think, whether we're talking about 
the transaction code sets or we're talking about the Privacy 
Rule, the CMS approach really represents something that I think 
is very important, that the government, whether we're dealing 
with CMS or the Office of Civil Rights, act as a working 
partner and collaborate with the health care industry as 
they're trying to implement these very complex rules. So I 
think, symbolically, it's very important that they're taking 
that approach, they're listening to what health care providers 
and plans are saying, and trying to work through these issues 
with them.
    Senator Fitzgerald. I would think you would all agree that 
to have uniform transaction rules will really be a good thing 
and will take some costs out of the health care system 
ultimately, after the initial transition phase.
    Ms. Fox. I think we need to look at that carefully. I think 
there are a lot of benefits, but I think it's important to note 
that these HIPAA transaction code sets is phase one. There are 
lots of phases on the horizon, so it's not like you do this and 
you're done. Really what's envisioned is constant change for 
the next several years. So I think we----
    Senator Fitzgerald. How many phases does HIPAA bring us 
through?
    Ms. Fox. We don't know the answer to that question, 
actually. There is lots of different phases on the horizon. 
There are three standards that are due out within the next 
year, and CMS is already looking at modifications to the ones 
we're just now struggling to implement. So we are recommending 
that we get a stakeholder commission to really look at that, 
how many phases are we talking about, where are we headed, how 
are we getting there, are we getting there in the most cost-
effective and efficient manner, and make sure that everybody 
has a consensus on how we're proceeding.
    Senator Fitzgerald. Along those same lines, I wonder if 
each of you could summarize briefly the best dollar estimates 
that you are aware of regarding the costs incurred by the 
entities you represent in complying with the new HIPAA 
transaction rules, and with the privacy regulations.
    Ms. Grealy. Well, we represent the entire health care 
industry, and we're focusing just on the Privacy Rule. That's 
what we have worked on.
    As I said in my statement, HHS put out an estimate of $17.5 
billion over 10 years. Blue Cross Blue Shield had an estimate 
of, I believe it was $45 billion----
    Ms. Fox. Forty-two.
    Ms. Grealy [continuing.] Of $42 billion. As you can see, 
it's a rather disparate range.
    I don't think we'll really know. We know that it is in the 
tens of billions of dollars, and that $17.5 billion is quite a 
low estimate. Yes, it's an important issue, but I think we need 
to look at how else could those resources be used. How else 
could the funds for those personnel that are being hired, been 
used. What other hires could have been done--more nurses at 
bedside probably would be a preference. So we hope we can 
strike a balance.
    As Senator Craig said, let's see if we can streamline this 
process, make it as cost efficient as possible, while we're 
trying to meet the real concerns of the patients.
    Senator Fitzgerald. Do you think the costs are appropriate 
to the benefits that are likely to be achieved?
    Ms. Grealy. Do I think we could have done it in a less 
prescriptive, less regulatory way? Yes, I think we could have 
done it more efficiently and cheaper.
    Senator Fitzgerald. Achieve the same benefits?
    Ms. Grealy. Achieve the same benefits.
    Senator Fitzgerald. Is that HHS' fault or is that Congress' 
fault because Congress mandated HHS to promulgate regulations 
if we didn't act.
    Ms. Grealy. I think the regulations could have been much 
more streamlined. We have made progress and we have made 
improvements, and we will have the opportunity to do that from 
year to year. But the initial regulation that we were dealing 
with was voluminous and way too detailed and way too 
prescriptive. So I think we have made improvements in it and 
hope to continue to do that.
    Ms. Goldman. I think it's really important when we're 
talking about cost to factor in both what the White House has 
estimated the cost to be which some of the testimony presented 
here does not acknowledge. The White House estimated that the 
cost associated with putting the Privacy Rule in place would be 
offset many billions of dollars by putting the transaction and 
code set regulations in place.
    In fact, when Congress put the mandate in HIPAA back in 
1996, many of us were involved in that process, and the reason 
the privacy regulation went into HIPAA is because the industry 
was pushing very hard to create that uniformity in the 
transaction and code sets, to create a common language for how 
health information would be coded and shared.
    There was an acknowledgement that putting privacy in place 
at the same time was a prudent measure, that we would be 
increasing risk obviously to privacy and discrimination by 
creating a national health information infrastructure, but that 
that was critical to moving forward with health care. So we 
could build privacy and security in at the outset, there was an 
acknowledgement by Congress and by most of us sitting here in 
this room that we had to do that together and that it would 
save money to do it together and it was the right thing to do.
    The White House estimates I think have been quite clear, 
that there will be a substantial cost savings ultimately, and 
we need to think about that.
    As I said earlier, it's very important to also factor in 
saving money from improving quality of care and broadening 
access to care and having more reliable data for research. Most 
of the estimates don't include that because I think it's a 
tough thing to measure.
    Ms. Treadway. Mr. Chairman, I would just like to bring this 
back down to the provider level. This is an unfunded mandate. 
These costs are creating additional costs for us to provide 
care for our patients, and skyrocketing the costs for health 
care. If you compound that by malpractice insurance and all of 
the other government regulations that we're facing, it is a 
struggle for physicians.
    As I talk to the different small groups in our State, they 
are very worried about their ability to keep up with the 
government regulations. As we've mentioned, it's volumes and 
volumes of information, trying to read it, trying to understand 
it. They don't have the staff to do that. They are there to 
take care of patients.
    There may be additional savings down the road, but at this 
point in time we are worried about how to keep our doors open 
and to take care of patients in light of not knowing if we're 
going to be paid for our service and trying our best to work 
within the system to comply with all of the government 
regulations that are there. We are very concerned, and the 
costs are nationwide, when you come down to an individual 
provider, the dollars are not there to comply and it's 
unfunded. So we are being forced to attempt to comply and it 
just skyrockets our costs of providing health care.
    Ms. Grealy. Mr. Chairman, we also were looking for national 
uniformity with the Federal Privacy Rule. We did not get that. 
The Healthcare Leadership Council has had to fund a one million 
dollar study so that we could provide information to all of our 
members, members of the confidentiality coalition, as to what 
is the interplay between the Federal law and regulations and 
the various State regulations. So this Federal regulation is 
merely a floor. It's not a ceiling. That is something that 
every provider is going to have to be aware of.
    I think perhaps you are seeing a bit of hyper-compliance. I 
think that has a lot to do with hospitals that have been 
involved in various investigations for what were billing 
errors, and yet having that characterized as fraud. I think 
everyone has taken compliance extremely seriously, and perhaps 
to the extreme, but feel that they've got to make this 
investment to make sure they're doing it the right way so that 
they are not subject to an investigation or a civil or criminal 
complaint.
    Senator Fitzgerald. Why do you believe so many parts of the 
health care system are having such continuing difficulty 
complying with the new transaction rules? What is it about the 
new rules that makes them so difficult to comply with?
    Ms. Fox. We think there's three reasons why it's so 
difficult. One is there is just a general lack of awareness 
about the regulation itself. Second, there is a lack of 
understanding about the cost and the scope of the regulation.
    I think a mistake that all of us made, quite frankly, Mr. 
Chairman, is that we had representatives working to develop 
these standards at the front end, but the people we had sitting 
around the table were our information technology staff, who 
while they are quite capable, they look at things from a 
systems only standpoint. What we realized in looking backwards 
is that when you change a code and you change these formats, 
and you now say, ``I'm only going to have this data or that 
data, it has a ripple effect on the entire operation--whether 
you're a payer, whether you're a hospital or a clinic--that we, 
quite frankly, just didn't understand.'' When you change that 
code, it can change your provider payment, it can change how 
you detect fraud and abuse, it could change your quality 
improvement programs.
    The way that our systems work is we piggyback everything on 
a single code. So once you change that--and the information 
technology staff just really didn't identify those issues. So I 
think we just didn't realize how expensive and big this 
regulation was to begin with.
    Senator Fitzgerald. What does that mean in concrete terms? 
How can we improve things for you? If you had two or three 
changes that you could make to the regulations, what would they 
be?
    Ms. Fox. It's not the regulation itself. It's really the 
process we would like to see changed. At the front end we would 
like to see--all of the stakeholders, involving our whole 
operation, not just our information systems people. Second, we 
think it's critical that we get a true cost-benefit analysis 
done collectively. Let's really look hard at what those costs 
and benefits are so we all agree on that.
    Third, it's critical to pilot test it. I think it's a big 
mistake that we didn't pilot test this. When you pilot test it, 
then you identify what the issues could be, what are the 
possible unintended consequences. Once you pilot test it, you 
can make sure that, before you tell the whole country to do 
something, you have identified the wrinkles.
    Senator Fitzgerald. Well, it's not being pilot tested.
    Ms. Fox. I'm sorry?
    Senator Fitzgerald. It's not being pilot tested, right? The 
whole country is doing it.
    Ms. Fox. I'm saying going forward, and when we do the next 
stages of these regulations, we need to learn from the mistakes 
we made this time. I think now what we need to do is--I think 
we're getting there. I think we need to employ contingency 
plans, make sure that providers get over this hump, but I think 
we really need to learn lessons from this experiment.
    Ms. Treadway. Mr. Chairman, I would like to comment on 
that, also.
    Part of the issue that we dealt with is that we didn't get 
final information from CMS until February of this year. Many of 
the vendors were waiting for that direction before they 
finalized their programs.
    This is an extremely complex process. We are dependent on 
the health plans, the clearinghouses and our software vendors, 
to all have their ducks in a row before we can begin testing. 
So as we work on it, we have been attempting to test for over a 
year now, and finally became a beta test site to begin testing, 
and felt that we were starting to move forward. It took two 
solid months before we got anything that ever went through. It 
just said beta file error. You have to be able to test real 
data.
    Then we found out they're not even testing with Idaho 
payers. It's very, very complicated. If there had been 
staggered implementation dates so that health plans and 
clearinghouses and vendors had different staggered dates for 
implementation, it would have made it easier from the 
providers' standpoint to go with.
    The other thing we're dealing with is they do not have to 
give us the missing data elements when we have a claim that's 
denied. All of this is just very, very complicated. I think the 
complexity is really a struggle for all of our small providers 
because we don't have experts helping us through this.
    Senator Fitzgerald. I have a question for Miss Fox. In your 
testimony you point out that HIPAA's efforts to achieve 
electronic claims standardization are going on, even as other 
uncoordinated efforts are being launched elsewhere in the 
government to promote greater use of electronic systems in 
health care, such as electronic medical records.
    How can we in government better go about advancing the goal 
of bringing new e-technology to health care without breeding 
even more confusion?
    Ms. Fox. We are recommending that Congress set up a 
stakeholder commission that would really look at where is the 
vision, where do we all want to go. A lot of people have a 
vision that we want to have electronic medical records that can 
move from doctor to doctor across the country. To get there, 
you really need to take these new standards we're doing today 
as a continuum to get there.
    If that is the vision, what is the smartest way of getting 
there? Is that the vision everybody agrees to? What should come 
next? What codes should we change? People are talking about 
going from ICD-9 to ICD-10. That's the coding system for 
diagnosis that hospitals and other providers use. People are 
talking about that as the next step. We have a consultant 
that's looking at it and saying that might not be the next 
step. You might want to actually describe the services, for 
example, like how you set an arm, and maybe you don't even--He 
was raising yesterday with us that maybe you don't even need 
going to a replacement for ICD-9 if you describe your services 
in a standard way.
    These are the kinds of issues that I think we all need to 
discuss around the table, and walk through what are the steps 
to get you to the end result, how much money is it going to 
cost, what's the most efficient way to get there, what's the 
priority, and then let's go forward in a smart way so that 
we're not wasting resources.
    Senator Fitzgerald. So you would like to see Congress set 
up a commission that could hash this out.
    Ms. Fox. Yes.
    Senator Fitzgerald. Has anybody introduced a resolution in 
either the House or the Senate?
    Ms. Fox. No. We are talking to people now about such a 
proposal.
    Senator Fitzgerald. OK. So you might be working on that.
    Ms. Fox. Yes.
    Senator Fitzgerald. I guess I would ask all of you this, 
but especially Miss Goldman and Miss Grealy. In your 
estimation, what are the most troublesome areas in the new 
privacy regulations when it comes to patient or provider 
confusion?
    Ms. Goldman. I think that what we saw initially we are now 
seeing die down. As Director Campanelli testified earlier this 
morning, he's only getting about a third of the questions now a 
few months into the implementation phase.
    But I think the things that continue to trouble me are, 
one, the misunderstanding that doctors can't share information 
to treat patients. You see reports in the newspaper all the 
time, and I talk to doctors who say, if I refer a patient to 
another doctor, they won't then talk to me about the patient or 
information can't be shared back to me to treat the patient. 
That's just wrong. It's not even a question of interpretation. 
It's just wrong. I think it needs to be absolutely clear from 
the professional and trade associations, from OCR, from the 
State regulators, that doctors and other health care providers 
can share information to treat patients without having to get 
consent.
    Picking up prescriptions, visiting relatives in the 
hospital, again the status quo in some ways, the presumption 
that most of us share, that information should flow freely to 
treat people, to pay for their care, and to allow us, as family 
and friends, to be able to take care of those we love. So those 
are the things that I think we absolutely have to address.
    Of course, somewhere down the road, once there is a clear 
understanding and we do clarify the myths and facts about the 
privacy regulation, we would like Congress to take up what we 
consider to be some of the regulation's weaknesses, some of the 
gaps in the law, some of the areas where the law doesn't go far 
enough. I realize this may not be the best time to bring that 
up, but it is part of our long-term agenda, to make sure the 
law is more enforceable, to make sure it does cover employers 
directly when they do collect information themselves.
    Senator Fitzgerald. When was your group formed, Miss 
Goldman?
    Ms. Goldman. When?
    Senator Fitzgerald. Yes.
    Ms. Goldman. The Health Privacy Project was created at the 
end of 1997.
    Senator Fitzgerald. Where does it get its funding?
    Ms. Goldman. We get funding from foundations primarily.
    Senator Fitzgerald. OK.
    Ms. Goldman. Anybody who would like to contribute to the 
Health Privacy Project can see me after the hearing. 
[Laughter.]
    Senator Fitzgerald. Miss Grealy, would you have a response 
about what areas are the most troublesome in the privacy 
regulations?
    Ms. Grealy. Mr. Chairman, I participated in a town hall 
meeting in Baltimore on behalf of Congressman Cardin recently. 
As Miss Goldman has pointed out, there is a lot of confusion as 
to what information can be shared between health care 
providers. We heard quite a bit from social workers, who had 
the responsibility of monitoring mentally disabled adults in 
group homes and whether they could get information from 
physicians to make sure those adults are being treated 
appropriately.
    As I said earlier, I think there is a real sense of 
hypercompliance. Everyone was told you could only share the 
minimum amount of information necessary, or that you have to 
have the patient's prior written consent before you can do 
certain things. There is a lot of confusion. We have to do a 
lot of education.
    I think the Office of Civil Rights is doing a good job, but 
I'm not sure the general public and every provider thinks of 
going to the HHS website. So we are doing our best to try to 
get that information out there. As I said, we participate in 
town hall meetings in congressional districts; we do Hill staff 
briefings, again trying to tell people what this rule actually 
does.
    There are areas where we can reduce the regulatory burden. 
One in particular that I cite in my testimony is maintaining 
records of when you make disclosures. With the hundreds of 
millions of patients that are admitted to hospitals, that are 
treated by physicians, trying to track all of that is just 
overly burdensome and something we think can be streamlined.
    So we look forward to working with HHS and trying to refine 
this rule as we go forward. We think we can make it more 
simple. But we do have to do a lot more educating of the public 
and educating the providers. It isn't that clear. I think we 
who have been immersed in the rule understand it pretty well, 
but I think these questions still normally arise and we do have 
to do better on education.
    Senator Fitzgerald. Miss Treadway, I'm wondering if you 
could estimate for the panel what proportion of your time has 
been spent in the last couple of years working on or getting 
ready for HIPAA compliance.
    Ms. Treadway. I would estimate that of my time in my 
clinic, it has been in excess of 10 percent, 10 to 12 percent 
of my time that is spent on HIPAA privacy and on working within 
our group and within the State, trying to educate the providers 
and the administrators throughout the State on the regulations 
and what they need to do to prepare for that. I would say 
probably 10 to 12 percent of my time alone has been spent over 
the last couple of years doing that.
    Senator Fitzgerald. Do you feel your colleagues elsewhere 
in Idaho who are providers have become, as we've gotten closer 
to the implementation, better familiarized with the 
regulations?
    Ms. Treadway. I would say yes. Our Idaho HIPAA Compliance 
Coordinating Council has done a road show throughout Idaho on 
three separate occasions. The most recent one was this Friday. 
We had 121 participants in the morning and 121 in the 
afternoon, and a waiting list of people to get in on the HIPAA 
education. We had representatives from Medicare, Idaho 
Medicaid, Blue Cross of Idaho, Blue Shield of Idaho. They asked 
a question out there and asked in the morning session how many 
were ready for HIPAA codes and transactions, and three out of 
120 raised their hand, that said they thought they were ready. 
Mostly that was because their vendors had assured them that 
they would be ready to submit and be able to process claims. A 
lot of them are hoping to begin testing. Some of them don't 
even have the software loaded on their computer systems yet.
    So yes, are we fearful in Idaho, and yes, they are trying 
to get information across the State. When they have done these 
meetings, we've had huge attendance at them.
    Senator Fitzgerald. I wonder what HHS or the major provider 
organizations could be doing better to alleviate the confusion 
that you describe. It sounds like there are a lot of seminars 
being conducted and people certainly have the opportunity to go 
to those seminars, although you said there was a waiting list 
and not everybody was able to get in to them. But it would seem 
to me there would be plenty of opportunities to familiarize 
yourself and your organization with the new regulations.
    What else could HHS being doing?
    Ms. Treadway. I think continual education, continually 
working on simplification, are two really important parts of 
it. I think the steps CMS took today to work toward allowing an 
extension of that deadline is helpful. Unfortunately, we are 
within 3 weeks of the implementation of this. As we found out 
from the privacy rules, when the original regulations come out, 
and then when they do the loosening or the changes in them, 
some people read the original and they don't get all the 
changes. So as we look at these constant changes, it is very, 
very difficult to say am I dealing with the current 
regulations, or which area of the regulations am I truly 
dealing with.
    If I went to a seminar 2 years ago on any of these 
regulations, and I felt I was up-to-date on them and I didn't 
go to the most current one, I would have missed the entire 
process because things have changed so drastically during that 
time.
    As Senator Craig mentioned, there were 102,000 words in 
this legislation. You look at that and it's massive for a small 
doctor's office. In Idaho, the average is two-and-a-half 
physicians per clinic. You have five or six staff that are 
trying to implement these regulations. How can they even hope 
to be able to comply with it?
    Senator Fitzgerald. We have just 6 minutes left before I 
have to go and make a vote, so I'm going to bring this meeting 
to an end. But I just want to ask one more question for Miss 
Grealy.
    Your organization, the Healthcare Leadership Council, has 
taken the lead in launching an industry-wide study examining 
differences between the Federal Privacy Rule and each State's 
privacy rule. Why is this study necessary, and approximately 
how many States have more stringent requirements than HIPAA?
    Ms. Grealy. Many States. I don't have the exact number.
    The reason we undertook this study was because Congress did 
not make this privacy rule or law preemptive of State law.
    Senator Fitzgerald. Except if it's a more lax privacy rule.
    Ms. Grealy. So it establishes the regulation as a floor as 
opposed to a ceiling.
    Senator Fitzgerald. Right.
    Ms. Grealy. So we don't have that single national uniform 
standard.
    Senator Fitzgerald. Would you like that?
    Ms. Grealy. Yes, we would.
    Senator Fitzgerald. Miss Goldman wouldn't, I guess.
    Ms. Grealy. We had asked also that, given that we didn't 
get that, that HHS provide guidance and interpret what is the 
difference between the Federal regulation and the State law. 
HHS has refused to do that. So that's why it fell to the 
industry----
    Senator Fitzgerald. Well, they're not in the business of 
interpreting the States' laws.
    How many States have tougher privacy laws?
    Ms. Grealy. I'm sure Miss Goldman would know. I believe 
it's the majority.
    Ms. Goldman. We did a similar analysis in 1999. It's not as 
targeted to the industry as the Healthcare Leadership Council's 
analysis, which is being sold to some in the health care 
industry. Ours is, as I said, available for free.
    What we found was that most of the privacy regulation as it 
currently reads will preempt most State law, because most State 
law is less comprehensive and less specific.
    Senator Fitzgerald. How many States have tougher laws?
    Ms. Goldman. Well, where the States do have tougher laws, 
there are a couple of States where, even in some of the kind of 
broad areas, like access to records or limitation on disclosure 
that you might find in California, for instance, there are more 
stringent State laws in those broad areas.
    Senator Fitzgerald. Any State besides California?
    Ms. Goldman. California comes to my mind. Minnesota does as 
well.
    But most States have these condition-specific laws that the 
privacy regulation----
    Senator Fitzgerald. Now, I have to ask you this. Do you 
think it's a good thing for companies to have to comply with 
different laws in all the different States? I mean, don't you 
think that adds a lot of cost to the health care system and 
cuts down on the affordability and availability of health care?
    Ms. Goldman. Well, I'm glad you asked that, because prior 
to the privacy regulation taking effect, every health care 
organization in the country had to comply with 50 different 
State laws, patchwork laws.
    Senator Fitzgerald. That's true.
    Ms. Goldman. The privacy regulation, in many ways, created 
substantial uniformity. In most of the Federal laws in this 
country, we don't preempt State law. We might preempt State law 
that's weaker----
    Senator Fitzgerald. Isn't she right, Miss Grealy?
    Ms. Grealy. We lobbied strongly for Federal legislation 
that would establish that uniform standard, to avoid exactly 
what you're saying, the additional cost. So now, going forward, 
you will always have to check what's happening with the State 
law as it's updated, as it's changed. So is that really a cost 
we need to incur in the system?
    Senator Fitzgerald. I'm sorry, Miss Goldman, but we're 
running out of time here. Is your organization lobbying in 
certain States to make the privacy laws tougher than the 
Federal laws?
    Ms. Goldman. Well, let me first say that we don't lobby, 
but we----
    Senator Fitzgerald. Advocate?
    Ms. Goldman. Well, we have not actually advocated that. 
What we're trying to do is work with a lot of the same issues 
that some of the industry people are. We are working with a lot 
of the safety net providers, the community clinics----
    Senator Fitzgerald. Are you supporting tougher----
    Ms. Goldman. Not necessarily.
    Senator Fitzgerald. So you're not supporting tougher 
privacy laws in any of the States?
    Ms. Goldman. We haven't gotten into that area at all. We're 
just trying to help folks sort out where the privacy laws in 
the States and the Federal laws come together.
    Senator Fitzgerald. OK. Miss Fox, you wanted to say 
something, and then I am going to have to adjourn the meeting. 
You have all been terrific witnesses and we appreciate it.
    Ms. Fox. Thank you so much for letting me just add my two 
cents.
    I think it's important to realize that we're not talking 
about here's the Federal privacy law and here's the State 
privacy law. The States have multitudes of privacy laws and 
they're buried in lots of little statutes. For example, there 
might be a privacy law that talks about AIDS patients, another 
privacy law that talks about maybe immunizations----
    Senator Fitzgerald. But couldn't you argue that it's 
preempted by HIPAA?
    Ms. Fox. You have to look at each individual provision in 
each statute. One State might have ``x'' number that aren't 
preempted, but lots of ones that are. So it's not simply saying 
in California it is and in Nebraska it isn't. There are lots of 
different rules and you have to go provision by provision in 
lots of different State laws that are buried in lots of 
different statutes. So it's very complicated.
    I'll tell you our plans are working through privacy and are 
very committed to it, but of all the things that they find 
difficult, it is the conflict between State and Federal rules, 
and if you're a provider and you're in DC and you practice in 
Maryland and Virginia, what are your rules? It's very 
complicated. That's why we're supporting HLC on this position.
    Senator Fitzgerald. There is one conclusion I think I can 
safely draw--that HIPAA is probably very good for my 
profession, which is the legal profession.
    Ms. Fox. Full employment.
    Senator Fitzgerald. Full employment for lawyers, health 
care lawyers.
    All of you have been terrific witnesses. I wish we had more 
time. I want to thank you for making the trip here. We will 
leave the record open for any Senators for a period of 2 weeks.
    Thank you all very much. This meeting is adjourned.
    [Whereupon, at 11:43 a.m., the committee was adjourned.]
                            A P P E N D I X

                              ----------                              


                 Questions from Senator Lincoln to HHS

    Question. I am aware that CMS has a contingency plan ready 
to put into effect that would allow Medicare and Medicaid 
fiscal intermediaries to run dual systems to accept electronic 
billing submissions in either the current format or the HIPAA-
compliant format. However, CMS hasn't made a decision to 
implement this plan yet. It seems reasonable to allow this 
considering the consequences to health care providers. When 
will you make this decision?
    Answer. CMS announced its decision to implement the 
contingency plan for Medicare on September 23, 2003. Each state 
will make its own decision regarding implementation of it 
contingency plan.
    Question. I have heard from providers in Arkansas that much 
of the privacy law is left up to interpretation. For example, 
the legal counsels advising the physicians and the legal 
counsels advising the hospitals often differ in their 
interpretation of the regulations, and thus many providers have 
questions. What services has the government provided in 
answering questions providers might have?
    Answer. The Office for Civil Rights (OCR) has conducted, 
and is continuing to conduct, and extensive public education 
effort to produce and disseminate a wide range of guidance 
about various aspects of the Privacy Rule that need 
clarification or are of concern to the public and to covered 
entities, including providers. We do this through a variety of 
ways, such as by making presentations to educate various 
groups, providing a toll-free call-in line for questions, and 
by publishing Frequently Asked Questions (FAQ) and other 
guidance and technical assistance materials on our website. The 
following provides additional detail on each of these 
activities:
    Presentations. OCR senior Privacy experts, from Washington 
DC and throughout our regions, have made well over a hundred 
presentations during 2003 alone. These include four national, 
all-day HIPAA Privacy Rule conferences, attended by some 6000 
participants, sponsored in conjunction with universities and 
key industry groups, held earlier this year. In addition, OCR 
has conducted or participated in numerous telephone audio 
conferences.
    Toll-Free Call-In Line. In conjunction with the Centers for 
Medicare and Medicaid Services (CMS), OCR offers a free call-in 
line, 1-866-627-7728 for HIPAA questions. Since April 1, 
combined phone-line operators and OCR staff have received and 
responded to some 14,000 calls related to the Privacy Rule.
    Website at http://www.hhs.gov/ocr/hipaa/. Our website plays 
a key role in our outreach activities, and has enabled us to 
post and broadly disseminate information that provides 
additional clarification in helpful areas, and to clear up 
misconceptions when they arise. In turn, providers can use 
these posted materials to educate each other. From January 
through July 2003, OCR's Privacy Rule homepage received 847,800 
visits. Some of the helpful materials on our website include: a 
comprehensive Summary of the HIPAA Privacy Rule, which is 
linked to more detailed guidance on particular aspects of the 
Privacy Rule; a Covered Entity Decision Tool, which 
interactively assists entities in determining whether they are 
covered by HIPAA; sample Business Associate Contract 
Provisions; targeted guidance materials explaining the research 
and public health provisions of the Privacy Rule; and fact 
sheets for consumers.
    In addition, a key feature of our website, accessed over 
1.2 million times since January of this year, is our database 
with over 200 searchable FAQs. The database is simple to use, 
and provides clarifications on many different aspects of the 
Privacy Rule, including many areas that are of particular 
interest and relevance to the provider community. For instance, 
there are a number of questions that address permissible 
disclosures among health care providers for treatment. Our 
website is also organized to be as helpful as possible and 
includes a link focused on materials we believe are of 
particular interest to small providers and small businesses.
    We continue to develop guidance and other materials to 
educate covered health care providers and other covered 
entities about the Privacy Rule so that the Rule's 
implementation is effective and efficient, and does not impede 
a patient's access to quality health care. This includes 
continuing to develop FAQs as we become aware of misconceptions 
of other issues about the Privacy Rule that need clarification. 
We also are in the process of developing additional targeted 
technical assistance materials, focusing on explaining the 
Privacy Rule to consumers as well as specific industry groups, 
including smaller health care providers and institutional 
health care providers.
    Question. Health care providers in Arkansas, particularly 
rural hospitals, have told me that because their older 
information technology systems require so much updating to 
comply with HIPAA they may not be ready by October 16. They say 
even with the grant money available to them, it is still tough 
financially. What is scary to them is that hospitals won't 
receive Medicare and Medicaid payments if they are not in 
compliance by the deadline, or if the fiscal intermediary is 
not in compliance by that time. What steps has CMS taken to 
identify those hospitals and other providers who continue to 
struggle with this (despite the fact that we gave them an extra 
year to comply) so that they are not faced with a huge 
financial crisis? Rural hospitals in Arkansas depend heavily on 
revenue from Medicare to keep their doors open.
    Answer. CMS has taken a number of steps to ensure the 
smooth flow of payments after October 16, 2003. Fiscal 
intermediaries are in compliance; and, CMS has deployed its 
Medicare contingency plan to maintain provider cash flow and 
minimize operational disruption while trading partners work 
with Medicare to achieve full compliance. Furthermore, we 
understand that all States are prepared to adopt contingencies 
to keep Medicaid payments flowing.
    In Arkansas' case, CMS has been working closely with the 
State for the past three years to provide technical information 
and funding at 90 percent federal financial participation 
matching rate for its Medicaid claims processing system.
    Arakansas has said that the State's system will be able to 
accept HIPAA-compliant formats as early as October 13. Their 
backup strategy for providers whose systems are not yet HIPAA-
compliant is for them to download from the website software 
developed by the State to enable all providers to submit HIPAA-
compliant claims, together with code crosswalks which walk 
providers from the old codes to the new ones. As a fallback, 
providers also can use Direct Data Entry (DDE) to submit claims 
to the State. Claims would be rejected only if a provider does 
not utilize these various contingencies. The State is very 
sensitive to the cash flow requirements of small and rural 
providers and has made every effort to ensure payments will 
continue.
    Question. I have heard from providers that new HIPAA 
requirements are being added daily, making it impossible for 
them to keep up. One provider said that they've noted 100 new 
requirements in a two-month period, Is this true?
    Answer. No. The requirements have not changed since the 
Final Rule adopting changes to the HIPAA Electronic 
Transactions and Code Set Standards was published on February 
20, 2003, which actually reduced the number of requirements. It 
is possible that as they have begun to test, providers are 
discovering that adjustments to their systems are needed in 
order to become compliant.
[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

                                  