[Senate Hearing 108-256]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 108-256
 
    HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE?

=======================================================================

                                HEARING

                               before the

                       SPECIAL COMMITTEE ON AGING
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             WASHINGTON, DC

                               __________

                           SEPTEMBER 23, 2003

                               __________

                           Serial No. 108-23

         Printed for the use of the Special Committee on Aging



                      U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2004
91-119 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001



                       SPECIAL COMMITTEE ON AGING

                      LARRY CRAIG, Idaho, Chairman
RICHARD SHELBY, Alabama              JOHN B. BREAUX, Louisiana, Ranking Member
SUSAN COLLINS, Maine
MIKE ENZI, Wyoming                   HARRY REID, Nevada
GORDON SMITH, Oregon                 HERB KOHL, Wisconsin
JAMES M. TALENT, Missouri            JAMES M. JEFFORDS, Vermont
PETER G. FITZGERALD, Illinois        RUSSELL D. FEINGOLD, Wisconsin
ORRIN G. HATCH, Utah                 RON WYDEN, Oregon
ELIZABETH DOLE, North Carolina       BLANCHE L. LINCOLN, Arkansas
TED STEVENS, Alaska                  EVAN BAYH, Indiana
RICK SANTORUM, Pennsylvania          THOMAS R. CARPER, Delaware
                                     DEBBIE STABENOW, Michigan
                      Lupe Wissel, Staff Director
             Michelle Easton, Ranking Member Staff Director




                            C O N T E N T S

                              ----------                              
                                                                   Page
Statement of Senator Larry E. Craig..............................     1

                                Panel I

Richard Campanelli, Director, Office for Civil Rights, U.S. 
  Department of Health and Human Services........................     3
Jared Adair, Director, Office of HIPAA Standards, Centers for 
  Medicare and Medicaid Services.................................    22

                                Panel II

Cathy Treadway, Medical Practice Administrator, The Woman's 
  Clinic, Boise, ID..............................................    53
Mary R. Grealy, President, The Healthcare Leadership Council.....    65
Alissa Fox, Executive Director of Policy, Blue Cross Blue Shield 
  Association....................................................    76
Janlori Goldman, Director, the Health Privacy Project............    95

                                APPENDIX

Questions from Senator Lincoln to HHS............................   127
Statement of the American Psychiatric Association................   129
The Center for Medicare and Medicaid Frequently Asked Questions..   132
Additional information submitted by the American Psychiatric 
  Association....................................................   134
Statement of the American Clinical Laboratory Association........   168





    HIPAA MEDICAL PRIVACY AND TRANSITION RULES: OVERKILL OR OVERDUE?

                              ----------                             



                      TUESDAY, SEPTEMBER 23, 2003

                                       U.S. Senate,
                                Special Committee on Aging,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:34 a.m., in 
room SD-628, Dirksen Senate Office Building, Hon. Larry Craig 
(chairman of the committee) presiding.
    Present: Senators Craig and Fitzgerald.

       OPENING STATEMENT OF SENATOR LARRY CRAIG, CHAIRMAN

    The Chairman. Good morning everyone. Thank you all for 
being here. I think some of our witnesses, and probably some 
who would wish to attend, are still struggling in the aftermath 
of Isabel. With the transportation and traffic lights and, of 
course, last night's heavy rainstorm, it has slowed everything 
down a bit. Some of my colleagues will be joining me this 
morning. It is a busy morning here on the Hill.
    We want to thank you all for joining us today. Today's 
hearing will examine an issue of critical importance to the 
U.S. health care system and to the 40 million seniors who 
depend upon it.
    Seven years ago, Congress enacted the Health Insurance 
Portability and Accountability Act, otherwise known as HIPAA. 
At that time, HIPAA's insurance coverage provisions were the 
pieces that received the lion's share of the attention, and few 
paid much attention to other but equally significant health 
care changes buried within the bill.
    Today, 7 years later, two such provisions are at long last 
emerging from a long and tortuous regulatory process. One of 
these, a new set of requirements governing medical information 
privacy, went into effect in April. The other is a bundle of 
new regulations for standardizing medical claims and 
transactions which is scheduled to go into effect just three 
short weeks from now.
    Few can argue with the underlying intent of these 
regulations, namely, the streamlining of health care 
transactions and the protection of medical privacy. However, as 
is often the case with Federal rulemaking, a kernel of 
congressional intent has grown into a towering tree of 
regulatory complexity that I don't think even Isabel could have 
blown over this past week.
    But even by Federal bureaucracy standards, HIPAA is 
extraordinary. The privacy provisions in the original law, for 
example, numbered just 337 words, whereas the final HHS 
regulation now runs up to 101,000 words. I have heard from many 
Idaho doctors, patients and others, who are deeply troubled by 
the confusion, disruption and uncertainty these new rules are 
creating in the health care system.
    During the month of August, and for the last couple of 
years, at the town meetings that I regularly hold in my State, 
doctors and providers attended expressing great frustration 
over what is anticipated. More onerously, the looming HIPAA 
transaction rules, if they are not reasonably implemented by 
CMS, threaten to trigger what some say may be a train wreck of 
stopping payments, cash-flow disruptions, denied care, or even 
a widespread reversion from electronic back to paper claims, 
precisely the opposite effect Congress intended.
    Legislation I sponsored in the last Congress postponed the 
implementation of the transaction rules by one year, but it is 
clear that grave problems remain. Meanwhile, the new HIPAA 
Privacy Rules are continuing to cause confusion among patients, 
providers and insurers. Stories of hospitals turning away 
family members seeking information about their loved ones, as 
well as ideological and disruptive effects, are common among 
the letters I receive from my constituents.
    Also disheartening is the fact that these new regulations 
are costing doctors, hospitals, health plans and, inevitably, 
patients, millions if not billions in compliance costs. We 
would be remiss if we failed to ask: are the benefits from 
these new regulations worth the heavy bite they are taking out 
of our country's already squeezed health care budgets? Are 
needed resources being diverted from the quality of patient 
care, and equally important, is HHS doing everything it can to 
implement a smooth and reasonable process?
    Here today are senior officials from HHS to answer some of 
these questions, as are representatives of providers, insurers, 
and patients respectively. So I look forward to their 
testimony.
    On our first panel today we will hear from the officials at 
HHS most directly responsible for overseeing both the new 
transaction regulations and the recent medical privacy rules.
    Jared Adair is Director of HIPAA Standards for the Center 
for Medicare and Medicaid Services, the agency charged with 
implementation and enforcement of the codes and transactions.
    Also with us is Rick Campanelli, Director of the Office of 
Civil Rights at HHS, the office charged with a similar role, 
managing HIPAA's medical information privacy requirements.
    Miss Adair, we are eagerly interested in hearing from you 
about CMS's plans for the looming October 16 implementation 
deadline. As you know, with only weeks to spare, providers, 
payers and others are waiting with bated breath for the 
directions from CMS, and I'm hopeful that you can clarify for 
us today your agency's intentions as specifically and clearly 
as possible.
    Also, Director Campanelli, we are looking to you to provide 
us with a much-needed clarification about what the new Privacy 
Rules do or do not do, or do or do not require, in common 
practice situations and about what your agency is doing to make 
continuing implementation as smooth as possible. Confusion, as 
you know, runs very, very high amongst all those that I have 
mentioned.
    So, with that, Director Campanelli, why don't we start with 
your testimony this morning, and then we will turn to Miss 
Adair. Thank you both for being with us.

  STATEMENT OF RICHARD CAMPANELLI, DIRECTOR, OFFICE FOR CIVIL 
      RIGHTS, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Mr. Campanelli. Thank you, Chairman Craig. I appreciate the 
opportunity to appear before you today to discuss the HIPAA 
Privacy Rule. As Director of the HHS Office for Civil Rights, I 
oversee, as you said, ``The office that has responsibility for 
implementing, enforcing and aiding covered entities to come 
into compliance with the rule.''
    Just over a year ago, on August 14, 2002, Secretary 
Thompson finalized modifications to the Privacy Rule that 
strengthened its privacy protections and improved workability. 
With the rule's effective date last April, patients now have 
critical Federal protections over the privacy of their medical 
records, rights to access and to correct errors in their 
medical records, rights to control how their protected health 
information is used and disclosed, and a clear avenue of 
recourse if the rights afforded by the rule are violated.
    I know that, some 5 months now after the compliance date has 
passed, the committee is interested in hearing how 
compliance is proceeding and what the Department is doing to 
promote compliance and to address areas of confusion that may 
have arisen with respect to the rule. A number of the concerns 
that have come to our attention actually are not a problem with 
the rule itself but, rather, misconceptions about the rule, and 
we are working hard to correct those misconceptions, as you 
will hear.
    For instance, along the lines of some of those 
misconceptions, we have seen reports that doctors may not share 
patient information with other providers unless they first have 
a patient's expressed written consent to do so. That's not 
true, or perhaps it's more accurate to say that we fixed that a 
year ago. The August, 2002 Privacy Rule modifications 
specifically allowed doctors and other providers to share this 
information for treatment purposes, to obtain payment, or to 
carry out their day-to-day operations without first having to 
obtain a patient's written approval.
    Along with having made that and other essential 
modifications before the rule went into effect, we have worked 
hard to provide extensive technical assistance to covered 
entities to help them comply with the rule and to minimize the 
cost and administrative burden of compliance. For example, we 
issued extensive guidance and answers to frequently asked 
questions so that entities have ready and free access to 
correct information. We must be doing something right, because 
our database, with some 200 frequently asked questions that 
are searchable, has been accessed over 1.2 million times since 
the beginning of the year, most of that just in the last few 
months.
    If you look at Exhibit 2 in your materials and also up 
here, the second chart on the wall, the sample that you will 
see shows just the first opening page of those FAQs, and it 
shows that these FAQs set the record straight and clarify 
misconceptions on a wide range of issues.
    While it is still early to assess compliance with the rule 
overall, we believe that, as a result of our modifications and 
technical assistance, covered entities are widely complying 
with the rule, individuals are widely benefiting from the 
important privacy protections they received, and misconceptions 
are being resolved and eliminated.
    We recognize and are sensitive to the costs necessarily 
associated with the implementation of the rule. That concern 
was behind the modifications which improved workability and 
reduced compliance costs. In December, 2000, we estimated costs 
associated with the rule, as restated in my testimony, and have 
seen cost estimates from time to time from various industry 
sectors, but we can't evaluate how credible those industry 
reports are. We note that most of the industry estimates we saw 
arose prior to the rule's implementation, and many times were 
associated with dire predictions of collapse of the entire 
health care system, which obviously wasn't correct.
    Nevertheless, we remain attuned to the wide range of 
industry and consumer groups who inform us about their 
perspectives on the impact of the rule, often within particular 
industry segments. In addition, we are continuing to develop 
and publish guidance to assist covered entities in complying 
with the rule. Let me highlight some particular elements of 
that guidance.
    We have reached tens of thousands of people through our 
presentations on the Privacy Rule over the last couple of 
years. With a toll-free line we sponsor together with CMS, we 
received 14,000 phone calls just since April 1, and we 
responded to those calls. It's an indication, we hope and 
expect, of success in this regard, in that the volume of calls 
we are receiving now is about a third of what it was when the 
rule first went into effect in April.
    It is gratifying that many of the questions we get on those 
calls and otherwise can be readily answered from the material 
on our website. I won't go through all of them, but if you look 
at Exhibit 1 there, that is the opening page of our website. 
There are some important documents there that are helpful to 
doctors and small providers like the ones you have reflected 
on. For example, there is a summary of the Privacy Rule, which 
is a clear summary, you can click through to particular 
documents that give you FAQs on particular topics, a covered 
entity decision tool, and sample business associate contract 
provisions. We even have a segment of the website that is 
focused on small providers where we have information that we 
think is relevant to folks that you mentioned you are concerned 
about.
    Finally, two other points. We also appreciate the 
assistance of other groups, including members of your second 
panel today, such as the Healthcare Leadership Council and the 
Health Privacy Project, which have produced important 
information about the rule. We have met with each of those 
groups and many others.
    Our commitment to help covered entities comply with the 
rule continues even as we are now pursuing our enforcement 
responsibilities, and in that process, Congress mandated in 
HIPAA that the Department resolve complaints through informal 
resolution with covered entities. The Privacy Rule similarly 
calls upon OCR to provide technical assistance to covered 
entities in appropriate circumstances, even in the context of 
resolving a complaint. Our approach to compliance and 
enforcement is to employ a variety of enforcement options 
available to us, as needed, to ensure that individuals receive 
the privacy protections afforded by the rule.
    At the same time, our experience to date is consistent with 
our expectation, that we will be able to resolve most 
complaints through voluntary compliance and informal 
resolution, the most expeditious way of effectuating the rights 
to the privacy of protected health information.
    Thank you for the opportunity to make this presentation. I 
look forward to your questions.
    [The prepared statement of Mr. Campanelli follows:]

    [GRAPHIC] [TIFF OMITTED] 
    
    
    The Chairman. Thank you very much for that presentation.
    Now, Miss Adair, we will turn to you. Please proceed.

STATEMENT OF JARED ADAIR, DIRECTOR, OFFICE OF HIPAA STANDARDS, 
           CENTERS FOR MEDICARE AND MEDICAID SERVICES

    Ms. Adair. Thank you, Chairman Craig, and thank you for 
inviting me here to discuss the progress that has been made in 
moving toward compliance with the electronic transaction and 
code set provisions of HIPAA.
    CMS has a dual role in implementing HIPAA. The first is as 
a regulator and enforcer, and the second is as a covered 
entity, including Medicare, which is the largest covered 
entity. CMS also works closely with the State Medicaid programs 
that are, collectively, the second largest covered entity. From 
that dual vantage point, I can tell you that substantial 
progress has been made toward the October 16, 2003 compliance 
date. However, I can also tell you that many entities still 
have a long way to go until they achieve compliance.
    Before I tell you what we have done to avoid unintended 
consequences on the compliance date, I would like to say that 
the health care industry continues to believe that the goal of 
HIPAA standardization is the right goal. What they have found 
out is that the ``devil is in the details'' and that 
accomplishing the goal is harder than originally thought. This 
is characteristic of many large systems development efforts.
    Another characteristic of large systems development efforts 
is the need for contingency planning. It is critical to 
acknowledge that things can go wrong and to have contingency 
plans to mitigate those risks. CMS published enforcement 
guidance that preserved October 16, 2003 as the compliance 
date, but also allowed for those working toward compliance to 
adopt contingency plans. If they make reasonable and diligent 
efforts to become compliant, CMS will not impose penalties on 
covered entities that deploy contingencies to ensure the smooth 
flow of payments.
    Specifically, as long as a health plan demonstrates its 
active outreach and testing efforts, it can continue processing 
payments to providers, even if providers cannot submit a 
compliant claim.
    While the industry welcomed our guidance, there were many 
who would have liked us to go farther. They wanted a legal safe 
harbor, but we went as far as the law permitted us. 
Accordingly, some health plans and payers are still reticent to 
announce or deploy contingency plans because of the potential 
of being viewed as legally noncompliant. To alleviate these 
concerns, CMS has been urging plans and payers to review the 
guidance, to assess their trading partners' readiness, to 
consider their good faith efforts, and, as appropriate, to 
deploy a contingency plan.
    For example, Medicare is able to accept and process 
compliant transactions, but on September 4, CMS announced its 
contingency plan would be to accept and process transactions 
that are submitted in a legacy format, while continuing to work 
with their trading partners toward compliance. Just today, 
Administrator Tom Scully and Tom Grissom, Director of the CMS's 
Center for Medicare Management, announced the deployment of the 
Medicare contingency plan after reviewing statistics showing 
unacceptably low numbers of compliant claims being submitted. 
This will ensure the cash-flow to Medicare fee-for-service 
providers will not be disrupted.
    Another factor for consideration is the cost of 
implementation. The rule's impact analysis estimated a net 
savings to the health care industry, as a whole, of $30 billion 
over a 10-year period. The estimates were difficult to make. 
For example, there was no existing comprehensive base line 
showing the extent of electronic interchange in the industry, 
nor which transactions and code sets were in use. Many covered 
entities have revised upward their cost estimates because they 
have encountered unexpected complications.
    Aware that such a change to industry business processes 
would be costly, we looked for ways to minimize the cost. 
First, we adopted standards that were developed by the industry 
and already in widespread use. Second, we provided support and 
education to facilitate implementation. Third, when 
implementation efforts highlighted potential portions of the 
standards that would have increased cost, CMS proposed and 
adopted modifications.
    While difficulties exist in achieving compliance, this is 
not the time to waver in our commitment to offer order and 
consistency in health care administrative transactions. Rather, 
this is the time to work with covered entities as they strive 
for the finish line.
    CMS has provided the potential for a smooth transition 
through our enforcement guidance for those still working to 
achieve compliance. We expect that plans and payers will 
favorably consider deploying contingencies to mitigate 
unintended adverse effects on covered entities' cash-flow and 
business operations. CMS expects that these contingencies will 
mitigate unintended consequences of the transition.
    We are often asked what will happen on October 16, 2003. 
Certainly, there will be problems, but plans and payers' 
willingness to appropriately deploy contingency plans will 
facilitate a smooth transition. The health care industry's 
combined emphasis on HIPAA compliance will allow us to make the 
promises of HIPAA a reality.
    Thank you. I look forward to answering your questions.
    [The prepared statement of Ms. Adair follows:]

    [GRAPHIC] [TIFF OMITTED] 
    
    
    The Chairman. Miss Adair, thank you very much for your 
testimony.
    Let me start with questions to you first this morning, 
because I think you made some very important comments about 
CMS' plans for implementation on October 16, comments that I 
expect will be viewed with tremendous interest by thousands of 
doctors and hospitals and health plans and patients. Because of 
what you have just said and its importance, let me press you 
for a few moments for some clarification.
    Are you saying that CMS is today announcing a decision to 
deploy a contingency plan under which Medicare will continue to 
accept and pay non-HIPAA compliant or so-called legacy claims 
past the October 16 deadline, at least for a limited period of 
time?
    Ms. Adair. Yes, sir. I am indicating that today 
Administrator Scully did announce that we were deploying the 
contingency that will allow us to accept, to continue to 
accept--which we do right now--compliant transactions as well 
as transactions as we took them prior to HIPAA.
    We will continue to monitor. We will continue our good 
faith efforts of outreach and testing to try to move the rest 
of the folks from noncompliance into compliance. We will 
evaluate their progress and then determine how long to keep 
this contingency in place.
    The Chairman. Well, that's obviously very significant.
    Will private, non-Medicare health plans also be directed by 
CMS to adopt similar contingency plans involving acceptance of 
legacy claims past the deadline?
    Ms. Adair. Since we put out our guidance on July 24, we 
have had meetings with private insurers and talked to them 
about and encouraged them to do that.
    Those decisions are their own business decisions to make. 
We are not in a position to mandate that they do it, but we 
have talked to them about the potentials and encouraged them to 
announce contingencies and, as necessary, to deploy those 
contingencies.
    The Chairman. Will there be any adverse enforcement 
consequences to a plan if a private health plan takes this 
route?
    Ms. Adair. Should we receive a complaint, sir, that 
somebody had done that, we would go back to that health insurer 
and ask them what their good faith effort had been; had they 
done outreach, had they done testing. If they have, in fact, 
exercised what we would call good faith effort, there would not 
be any penalty taken against them for having deployed that 
contingency.
    The Chairman. Would good faith effort be determined by that 
kind of analysis?
    Ms. Adair. Yes, sir.
    The Chairman. When exactly will the details and fine print 
of CMS' contingency plan be available?
    Ms. Adair. We will today be sending instructions to our 
Medicare contractors, so it would be available at that time, 
sir.
    The Chairman. OK. We're 3 weeks away.
    Ms. Adair. That is the exact reason, sir, that on September 
4, we indicated to providers and to insurance companies, if we 
were going to deploy our contingency, what it would be, so that 
they would have an understanding and be able to get themselves 
ready for that. We feel like announcing it in advance helps 
people understand what we would be doing.
    The Chairman. How closely will the actual contingency plan 
resemble the draft contingency plan informally circulated by 
CMS in recent weeks?
    Ms. Adair. Since September 4, sir?
    The Chairman. Yes.
    Ms. Adair. It will be exactly the same. Our decision today 
was to deploy that plan.
    The Chairman. Under CMS' contingency plan, for how long 
past the deadline will Medicare continue to accept legacy 
claims?
    Ms. Adair. I cannot give you a specific date, sir. We will 
be monitoring the percentages of compliant claims in production 
as well as of our providers who are submitting, and make the 
decision based upon that as opposed to a date certain.
    The Chairman. Will the contingency plan include not only 
provisions for payment of noncompliant claims but also 
protection from adverse enforcement actions?
    Ms. Adair. Could you ask that one more time? I'm sorry.
    The Chairman. Yes. Will the contingency plan include not 
only provisions for payment of noncompliant claims but also 
protection from adverse protection actions?
    Ms. Adair. I believe--I want to make sure I'm answering the 
correct question, sir. So the question is, not only are you 
concerned that not a negative action be taken against the plan, 
but about providers submitting those claims----
    The Chairman. Yes.
    Ms. Adair. Should we receive a complaint about one of those 
providers, we would, in fact, ask them if they had made 
themselves good faith efforts to try to become compliant. If 
they had not, we would ask them for a corrective action plan to 
indicate how they would be moving forward. If they did either 
of those, either the good faith or corrective action, we would 
not have any conversations with them about enforcement action.
    The Chairman. OK.
    Ms. Adair. We would not ourselves--I'm sorry.
    The Chairman. Go ahead.
    Ms. Adair. We would not ourselves file a complaint against 
them.
    The Chairman. What is the HIPAA readiness of State Medicaid 
programs?
    Ms. Adair. The Medicaid programs, sir, run the gamut. There 
are, in fact, programs that are notably already compliant and 
have been taking compliant transactions for a while. For 
example, I believe Idaho has been taking compliant transactions 
since January. But there are others that are struggling right 
now.
    The good news is that all plans, all State Medicaid 
agencies, have already instituted contingencies. So even though 
they are still working toward compliance, they have plans to 
continue payment.
    The Chairman. Will Medicaid programs also be covered under 
CMS' contingency plan?
    Ms. Adair. No. Each State would themselves deploy the 
contingency.
    The Chairman. OK.
    Ms. Adair. What I mentioned today was specific to Medicare. 
Each Medicaid State agency is responsible for deciding what 
their contingency is, as well as for deploying the contingency.
    The Chairman. Do you anticipate much of a reversion by 
doctors to paper claims?
    Ms. Adair. I want to separate the conversation here of 
Medicare to all others.
    The Chairman. Yes.
    Ms. Adair. I will deal with the Medicare one first, if I 
might.
    The Chairman. Please.
    Ms. Adair. As you would certainly know, the ASCA 
legislation had a provision in there specifically on Medicare 
that said that, effective October 16, all claims should be 
submitted to Medicare electronically. There were two 
exemptions, notably for physicians' offices with fewer than 
ten FTEs, as well as facilities with fewer than 25 FTEs, which 
would be allowed to continue to submit paper claims. But 
everybody else was required to submit electronically.
    So the answer to the question for Medicare is that we do 
not foresee much of a reversion to paper.
    The Chairman. How will the contingency plans impact this?
    Ms. Adair. As you know, sir, Medicare has a very high 
percentage of claims coming in electronically, and since people 
would be allowed to continue in the legacy formats, it should 
have no impact there.
    For the rest of the industry, going back to paper will be 
driven by two things. No. 1, going back to paper would be very 
difficult for some providers if they were already submitting 
electronically. Reverting to paper would have them change many 
of their business practices, which I don't think they would 
want to be doing. Second is that providers may have contract 
arrangements with the plans that may not allow them to go back 
to paper.
    The Chairman. Let me switch now, because I think we're 
building an important record here that a few folks are going to 
be reading in the next few hours as we move toward these 
deadlines. This goes beyond that now to a statement you made 
about a $30 billion savings.
    What are CMS' current projections, if any, of the overall 
cost of system-wide compliance with the HIPAA transaction 
requirements to hospitals and doctors, et cetera?
    Ms. Adair. Well, the $30 billion was an estimate that was 
done back in the impact analysis with the August 2000 rule, 
which promulgated the standards themselves. What you're asking 
me, sir, is our experience in implementation----
    The Chairman. That, because there's so many dollars out 
there for health care, and when we start diverting them to this 
kind of process and procedure, the natural reaction is they get 
diverted away from the patient and the care itself. I think 
that's going to be a growing concern here as we look at the 
overall cost of compliance.
    Ms. Adair. In our impact analysis we acknowledged, and I 
think continue to acknowledge, sir, that in the first couple of 
years we would experience the cost of change, change to these 
electronic formats, to these standards, to these new code sets, 
and that we would be experiencing a cost, and I think we have 
brought that to bear.
    The anticipation--and I think we still believe it--is that 
once we have, in fact, overcome the cost of change, the 
benefits will, in fact, be there.
    The Chairman. Well, that is the flip side and that's 
obviously fair to reflect on. That was going to be my next 
question.
    Have you looked forward, beyond the bubble of cost, if you 
will, to the effect and the savings that the system might 
benefit from?
    Ms. Adair. I think that every day, in conversations that we 
have with industry we assure ourselves that the benefits are, 
in fact, there. As I mentioned in my written testimony, when 
you take a look at what has happened in other industries, be it 
banking, be it the shipping industries, that the benefits of 
standardization, the benefits of interoperability are there. 
It is the cost of change and the pain of change that is 
difficult to get through. So I believe we still do believe that 
the benefits are there.
    When you take a look right now, where there are over 400 
proprietary formats that insurance claims can be submitted in, 
getting down to the HIPAA standards, the benefits that that 
will bring to the back offices of a physician or a hospital 
are, in fact, very large and very significant for the health 
care industry. So as you point out, it does take money, 
precious money, to do it right now, but the long-term benefits 
and the ability not to be expending those things in the future, 
certainly I think the balance says that standardization is the 
way to go.
    The Chairman. Well, we hope that is the case.
    A couple of last questions to you, Miss Adair. CMS 
announced recently that it would pursue a relatively relaxed 
complaint-driven approach to enforcing the new transaction 
rules. Now, I say that because I think doctors and hospitals 
have labored for years under a very aggressive CMS and OIG 
enforcement of Medicare fraud and abuse rules.
    What assurance should they have that CMS' approach to HIPAA 
will be different in the long run?
    Ms. Adair. We have been hopefully very clear, sir, that the 
most important thing for us when we talk about enforcement of 
HIPAA is compliance, that that is the goal we are working 
toward. We have been clear that we're going to be working on a 
complaint basis. Our hope is that the industry begins to work 
out the issues of noncompliance, but that if somebody wants to 
come to us and file a complaint, we will, in fact, work with 
them to become compliant. We will talk to them about where the 
aberrancies are.
    The legislation provided us the opportunity to work through 
corrective action issues before we ever got to a place where we 
would want to consider moving toward penalties, civil monetary 
penalties. So that our goal really is to exercise what was 
provided to us in the legislation, taking a look at corrective 
action measures before we move to any kind of negative 
activity.
    The Chairman. I think a friendly CMS in that area of 
compliance will be well-received.
    Even CMS itself concedes that only about 14 percent of its 
own Medicare transactions are currently HIPAA compliant. That 
is a disturbingly low number, considering we're just weeks 
away. Even assuming that implementation of contingency plans 
provide for temporary acceptance of non-compliant claims, do 
you believe it is possible for the U.S. health system to be 
ready for full conversion to HIPAA compliance any time in the 
foreseeable future?
    Ms. Adair. I think we are all responsible, sir, for 
continuing to do our best in outreach, getting people into 
testing, so that we dramatically improve what you point out is 
a very low number of claims in production. We are hopeful. It 
is true the number you cite, 14 percent of claims in production 
right now.
    The number of providers is somewhat higher, and the number 
of providers in testing is also somewhat higher. We believe 
that on October 16 the number will shoot up a little bit, but 
obviously, our opinion was certainly not enough to not deploy 
the contingency. But we will continue to work with folks and we 
do believe that, in our history, with changes of formats, that 
we see a steep curve at the very last moment, but we did not 
believe that it was adequate to not deploy our contingency, not 
putting those payments at risk.
    The Chairman. My last question of you--and obviously, we're 
seeing the scope of this regulatory process and moving toward 
compliance. How long do you think it will take for the full 
system to achieve HIPAA readiness, and what additional steps 
will CMS and the industry need to achieve to gain this goal?
    Ms. Adair. I believe that we have formed very good working 
relationships, sir, with the industry. We have been working 
with the associations, both for payers, plans, as well as 
provider organizations, associations. We will continue to be 
working with them to stress the importance of compliance, and 
we will be working with them, sharing with them the statistics 
that we have on both Medicare, and hoping they share their 
statistics with us, of those people that are testing, the 
issues that they are having in testing, and those as they move 
toward compliance.
    It is not until we see the results of those efforts that we 
could make a projection as to what is the date that we thought 
we believed we should drop our contingency.
    The Chairman. Director Adair, let me thank you for your 
thoroughness today and your openness to obviously these very 
real concerns that are out there across the industry at this 
moment.
    Ms. Adair. Thank you for the opportunity.
    The Chairman. I think your announcement today and the 
announcement of Director Scully come as a degree of relief, but 
a clear recognition that, because of the character of the law 
and its intent for implementation, there's going to have to be 
a push forward. I think that cooperative working relationship, 
helping systems through this, is a good deal better and a way 
for our government to approach this problem than to immediately 
start actions and compliance enforcement that recognizes fines 
and penalties. That is not the way to go here as we nudge this 
process along and bring it into compliance.
    We still have small practitioners out there that serve our 
communities and our citizens extremely well. Driving their 
costs up and the complexity of their operations up is not 
necessarily a way to achieve success and/or quality health 
care. So we thank you very much.
    Ms. Adair. Thank you.
    The Chairman. Rick, thank you for your patience. Let me 
follow up with a similar line of questioning to you, because 
your testimony touches on some areas where the new Privacy 
Rules have triggered confusion or disruption amongst patients 
and providers. Clearly, what you have outlined this morning and 
the response to your web page and the clarifications appear to 
be working, or at least certainly being reacted to. Whether 
they're working out there or not, or whether they're clarifying 
action within the waiting room, if you will, is yet to be seen.
    Nevertheless, because I and my colleagues continue to 
receive numerous complaints, I would like you to clarify, as 
specifically as you can, what the new rule does or does not 
require in a few key areas.
    These are, to what extent are providers free to share 
patient information with other providers?
    Mr. Campanelli. Well, that first one, Senator, is the one I 
alluded to in my opening remarks. We have a good treatment of 
it in the testimony and in the FAQs, which I recommend that 
everybody visit.
    The answer is that providers are quite free to share 
patient information with other providers for treatment and that 
means doctors can share freely with other providers without 
having to get advance written consent from any person. I think 
that's the area where you may have heard reports of confusion 
on that.
    The Chairman. Yes.
    Mr. Campanelli. I will say that the anecdotal reports we 
were getting of this early on, after April 14, we heard more of 
that initially than we're hearing now. I think there's a couple 
of reasons for that.
    First of all, we went out of our way to make it clear in 
the modifications that providers can share this information 
freely with other providers for treatment purposes. There are 
specific elements of the rule that provide this ability to 
freely share x rays or other diagnostic information with other 
providers.
    Second, we have guidance and FAQs specifically on this 
topic up there. The word we're getting is that when a provider 
is told by another provider that he can't have that 
information, he tells them ``yes, I can'', and this is why.
    The Chairman. Then this question. Are doctors at risk if 
they use informal or unsecured methods of communicating with 
each other, such as phone calls, e-mails and faxes?
    Mr. Campanelli. Well, the Privacy Rule requires that 
reasonable safeguards be adopted in transmitting information. 
But in most of those cases that you just described--faxes to a 
number that is routinely being used, phone calls to talk to a 
doctor, to another provider--certainly in all those cases that, 
of itself, would be permitted under the rule. It requires 
reasonable safeguards which the fax case, would likely be that 
you confirmed the correct fax number. So on our guidance on the 
web, we particularly talk about the ability of doctors to fax 
information to others for treatment purposes. We make that 
quite clear.
    The Chairman. Where, if at all, is it required under the 
rules for hospitals or other entities to deny information about 
patients to families or friends, to clergy, and what about law 
enforcement?
    Mr. Campanelli. Well, taking them in order, the rule 
certainly does not prohibit the sharing of that information. 
Now, the rule does, as you recognize, adopt provisions which 
protect the privacy of health information. That means that in 
many of those cases what we do is we start out with a 
requirement that the information be protected, unless there are 
provisions in the rule that allow it to be disclosed. But we 
have particular provisions in the rule that permit information 
to be shared with friends and family members, or even anyone 
who the individual patient identifies as being involved in 
their care.
    So in those cases where the patient does not object, the 
rule makes it clear that a doctor can share that information 
with friends, family members, others identified as involved in 
the care relevant to the treatment or even to payment, to 
helping the person obtain payment.
    Let me give a little bit more information about that, if I 
can, because there has been some confusion, where people have 
asked, ``well, what if the patient is not conscious or not 
present?'' In that case, the rule permits unless the patient 
has opted out, has expressed some indication before that they 
don't want the information to be shared--the treatment provider 
or the other covered entity to make that decision in the best 
interest of the patient. So whether the patient is there and 
conscious, or the patient is not there, the information can be 
shared when appropriate.
    The Chairman. Are patients required to accept the new 
privacy disclosures that doctors are giving out at doctor's 
visits before care can be provided?
    Mr. Campanelli. I'm sorry. Say that again, Senator.
    The Chairman. Are patients required to accept the new 
privacy disclosures that doctors are giving out at doctor's 
visits before care can be provided?
    Mr. Campanelli. I think what you're referring to is the 
Notice of Privacy Practices that the rule has. If you've been 
to the doctor, I know you have received one, and you've gotten 
one from your health plan as well.
    The answer is that patients are not required to accept them 
as a condition of treatment. In fact, all that's required is 
for the doctor or the other provider to provide the notice and 
make a good faith attempt to obtain the patient's 
acknowledgement of having received the notice. If the patient 
doesn't want to sign that acknowledgement, the doctor or other 
provider can merely note that they've made an attempt to obtain 
the notice acknowledgement from the individual. It is certainly 
not a condition of treatment to the individual.
    The Chairman. But that kind of information must be within 
the file to hold the doctor harmless?
    Mr. Campanelli. Well, the requirement is that the doctor or 
other provider make a good faith attempt to obtain a written 
acknowledgement or document why it was not obtained, so it 
would be prudent to just note that ``I attempted to get the 
person's acknowledgement--'' you know, someone in the office, 
not necessarily the doctor, but someone in the office to note 
that the attempt was made to get it from the individual.
    We've seen this happen in a wide variety of ways. The rule 
is quite flexible and scalable, as we say, about how this can 
happen. Sometimes there's a form that a person signs when they 
get the notice initially. They can sign it, and that is either 
handed back in, or if the patient declines to do it, then the 
appropriate person there at the office can just note that the 
patient declined to acknowledge receipt of the notice.
    You know, I realize I didn't answer one of your questions 
before that you asked. You asked me about clergy.
    The Chairman. Yes.
    Mr. Campanelli. Would you care for me to go back to that?
    The Chairman. Please, and law enforcement.
    Mr. Campanelli. Law enforcement.
    First, clergy. I was talking earlier about the opportunity 
in the rule, permission in the rule, for providers to share 
information with friends, families, or individuals. Well, 
clergy, similarly, of course, can receive information. But 
there has been some confusion in the clergy arena with the 
issue of hospital or facility directories, as they're referred 
to in the rule.
    Can a hospital have a directory of patient information?
    The answer is the rule envisions and anticipates that 
hospitals or other providers will have this directory of 
patient information, where the patient has the opportunity to 
be included or to opt out of having their information included 
in a directory, and the patient can also include, for instance, 
religious affiliation. So any member of the public--not just 
clergy, but any member of the public--can come in, ask about 
the patient, and if the patient has opted to be included in the 
directory, just like now, just like we're all used to, receive 
information about the patient's location in the hospital, and 
general condition.
    In addition, clergy can view the directory without having 
to have the name of the person. They don't have to ask for the 
person by name, and they also can get the religious affiliation 
information. So we are very solicitous of and very careful to 
emphasize that individuals, friends, family, loved ones, others 
involved in care or clergy, can get the information.
    Let me mention that very early on, shortly after the 
compliance date, we got a call from a reporter actually that 
said a woman in one State had gone to a hospital to see her 
husband and was told that she was not allowed to see her 
husband because of HIPAA. I said, well, I don't think there's 
anything in HIPAA that prevents this. So I asked the reporter 
to go back and get a little information.
    Well, it wasn't HIPAA, it wasn't the hospital, so we 
wondered if the husband had actually declined to see the wife. 
It is not HIPAA. HIPAA permits opportunities to share 
information with spouses, with families, and with clergy.
    Now, law enforcement. Let me go to that.
    The Chairman. Yes.
    Mr. Campanelli. There are a variety of circumstances under 
which law enforcement can have access to information. Again, 
this is an example where the Privacy Rule balances two key 
interests. A very important interest, which I know you 
recognize, is the privacy of personal health information, and 
also in this case the interest of law enforcement to carry out 
their important responsibilities.
    There are a variety of ways that law enforcement can have 
access to the information. For instance, information that is 
required by law to be disclosed may be disclosed to law 
enforcement. Reporting of gunshot wounds, which State law 
typically requires, is permitted. Also, of course, where there's 
a court order or a warrant, the Privacy Rule permits that 
disclosure to occur.
    In addition, there are a variety of circumstances outlined 
in the rule that allow law enforcement to have access to this 
information. For instance, for the purpose of identifying or 
locating a suspect, a fugitive, a material witness or a missing 
person, that information is permitted to be shared with law 
enforcement.
    PHI, Protected Health Information about victims of a crime 
in response to law enforcement's request can be shared with law 
enforcement if the individual agrees. Protected Health 
Information about a decedent can be shared with law enforcement 
if there's a suspicion that death resulted from criminal 
conduct. Evidence of a crime that occurred on the covered 
entity's premises can be shared with law enforcement. So if 
there's an investigation going on right there about a crime, 
that can occur.
    If there is a provider on the scene of a medical 
emergency--for instance, let's say there's a covered entity 
that's an ambulance driver or company that is on the scene 
responding to a medical emergency, they can share information 
with law enforcement about the criminal activity, such as the 
nature and location of the crime, the location of victims, 
identity, description, location of the perpetrator of the crime. 
So we have really tried to make it clear.
    We have heard of some areas where there's a misconception 
about this. But there's an array of particular balances in the 
rule where law enforcement is permitted to get this 
information, to permit law enforcement to continue. Our effort 
is to try to get the word out about this to law enforcement.
    A lot of law enforcement jurisdictions understand this. We 
have seen some areas where there's confusion on this and we've 
tried to be in touch with them.
    The Chairman. Are doctors subject to lawsuits if they 
inadvertently disclose protected information?
    Mr. Campanelli. There is no private right of action in 
HIPAA against doctors for violation of the rule.
    The Chairman. In your testimony you cite CMS estimates 
projecting the cost of compliance by the Privacy Rule in the 
neighborhood of $12-$17 billion over 10 years, and I'm sure you 
are aware that some private estimates put the cost quite a bit 
higher than that.
    Recognizing that, even before the new Privacy Rule, 
providers were already bound by the requirements of patient 
confidentiality, how much of a significant improvement are the 
new rules, and are they worth the upwards of $17 billion of the 
already scarce dollars we have discussed throughout this 
hearing?
    Mr. Campanelli. Let me say, Senator, that we are certainly 
sensitive to the cost issues about this. I think there was an 
understanding when Congress mandated or created the process by 
which the Privacy Rule would be created that there would be 
significant costs associated with it, and that they would be 
outweighed, it was thought, and we still believe, in the 
context of the cost savings from administrative simplification.
    One thing I would say. It's true that there are protections 
of privacy, laws to protect the privacy of medical information, 
that exist in various jurisdictions throughout the country. But 
they are really a patchwork of laws, and in many jurisdictions 
there is no protection at all. So certainly one of the key 
benefits of the Privacy Rule is to establish a Federal 
foundation of protection for those rights, and to make clear 
what those rights are.
    Like I mentioned before, the rights of access, the right to 
request an accounting of how disclosures are made and the right 
even to make a correction to the record, to name just a few; 
the right to make sure the information isn't disclosed for 
marketing purposes, or to employers, in violation of the rule. 
All of those are very important rights.
    I think our citizens are well-served by knowing that they 
have those rights, and many, I think when they're reading the 
notices of privacy practices that they receive, really have 
realized for the first time what is at stake here and what 
rights they have available. So we are convinced that the rights 
that are afforded now under the Privacy Rule are significant 
and essential to the protection of privacy of our citizens.
    We recognize there are costs, as Jared said, with respect 
to the CMS circumstance. There are significant startup costs 
associated with this and we recognize this. But we think, over 
time, and we expect--and we are working toward this end--that 
the protections of the rule and the requirements of the rule 
will really become understood as part of the fabric of how 
health care and payment are done and people will understand 
them better.
    The Chairman. Your testimony stresses that HHS is trying a 
primarily complaint-driven approach to enforcement, with an 
emphasis on informal resolution. Yet, recent reports indicate 
that HHS has begun forwarding HIPAA privacy complaints to the 
Department of Justice for criminal prosecution.
    How much of this is going on, and how does this fit with 
the policy of informal resolution?
    Mr. Campanelli. Well, I think it's completely consistent 
with it, Senator. You know, as I'm sure you recognize, some of 
the provisions of the rule, a subset of provisions of the rule, 
are subject to criminal penalties. HHS has responsibility for 
enforcement of violations of the rule that are subject to civil 
penalties, and the Department of Justice is responsible for 
violation of the rules that are subject to criminal penalties. 
So our referral of these cases to Justice reflects the fact 
that these are really within the purview of the Department of 
Justice to pursue them.
    The Chairman. The process for referral is that you have 
already made a determination that you believe these could be 
criminal in nature, not civil?
    Mr. Campanelli. That's correct, to this extent. There are 
elements of the rule--for instance, disclosures that are a 
knowing disclosure of protected health information in violation 
of the rule, those are potentially subject to criminal 
penalties. It is the Department of Justice that imposes those. 
So in terms of our review, we intake cases and sometimes it 
takes a little bit more information for us to determine what is 
really the nature of this complaint.
    But where a matter has arisen and it is apparent that it is 
subject to criminal violations, then those are appropriately 
dealt with by the Department of Justice and we refer them to 
the Department of Justice.
    The Chairman. Despite its huge size and complexity, the 
Privacy Rule nevertheless relies heavily on some very general 
standards, such as what a doctor may reasonably infer or 
requirements to provide only minimum amounts of information 
necessary.
    What steps can HHS take to give providers and patients the 
guidance they need to understand what these broad terms 
actually mean in real world resolution?
    Mr. Campanelli. Yes, Senator. We are sensitive to that. You 
know, I just want to step back a bit for a minute and say why 
is it like that.
    I think one of the reasons is that the rule, as I said 
before, attempted to be flexible and scalable. We recognize 
that the covered entities who are subject to the rule run 
everywhere from the small provider that you talked about in a 
rural office, in a remote location, to major institutions. What 
is appropriate and reasonable in the context of one would not 
be appropriate and reasonable in the context of others. So 
that's why the rule necessarily, and I think appropriately, 
includes references to reasonable safeguards, because we 
recognize that many of these things are not only relevant to 
the size of the provider but to the particular context. Really, 
you have to look at the circumstances to see what's 
appropriate.
    Now, how can we help with that? Well, I think that's where 
our guidance has really come in and been welcome. In fact, the 
rule in some cases makes it clear. For instance, I mentioned 
with respect to providers' sharing x rays and other diagnostic 
information for treatment. It is in the Privacy Rule where it 
says that this information can be shared with reasonable 
safeguards.
    But in our guidance we try to give examples, helpful 
examples, as much as possible, where we have been able to 
identify, for instance, in a semi-private room, that a doctor 
who is talking in a semi-private room should adopt reasonable 
safeguards. That may mean lowering his voice in the room. You 
know, we have offered that kind of information.
    Or about medical charts. We have seen some confusion about 
medical charts. People have said you can no longer have medical 
charts on the wall on a patient floor. Well, it depends on what 
other safeguards you can bring to bear on the case. Many times 
a completely reasonable circumstance will be just to make sure 
that any identifying information is facing the wall.
    So in answer to your question, with the particular FAQ 
guidance or our extensive guidance that's on the web right now, 
where we have narratives and examples, that's what we're trying 
to do. When we hear from folks that they need more assistance, 
we have tried to be responsive to that.
    I might just add that we are also in the process of 
developing targeted information or guidance to particular 
segments of the industry. For instance, small providers are 
likely to be one of those groups.
    The Chairman. You mentioned earlier, in response to a 
question, the hodgepodge, if you will, of States and the 
creation of uniformity that this provides. In some instances 
State laws are more stringent than HIPAA.
    Mr. Campanelli. Yes.
    The Chairman. They argue that it's very difficult to assess 
in practice.
    Do you see this as a serious problem? What steps is HHS 
taking to provide guidance regarding State preemption?
    Mr. Campanelli. First, I confirm that the Privacy Rule 
defers to more stringent State standards for the protection of 
privacy. So that's correct. That means if a particular State 
has a more stringent standard----
    The Chairman. Equal to or greater than.
    Mr. Campanelli. That's right, sir. In that State then, if 
there is a higher standard for the protection of privacy with 
respect to a disclosure or the use of personal health 
information, that higher standard would apply. Obviously, that 
will vary from jurisdiction to jurisdiction.
    The Privacy Rule defers to States where they have opted to 
take a higher or a more stringent position as to the protection 
of health information.
    Also, though, I want to say that in some circumstances we 
are able to help covered entities comply where they have to 
look to both State and local law. In fact, just recently, I 
think just at the beginning of this month, in September, we put 
up on the website a frequently asked question that helped 
organizations and covered entities understand how they can more 
easily and readily incorporate the State law into their Notice 
of Privacy Practices, so that if they are a multijurisdiction 
covered entity, they don't have to completely redo the entire 
Notice of Privacy Practices every time a State law changes. We 
tried to come up with a reasonable way where covered entities 
could reflect the more stringent State standards and just 
change that appropriately in a more narrow way, rather than 
having to change everything. We are sensitive to that issue.
    The Chairman. To both of you, thank you very much, Dr. 
Campanelli, Director Adair. Thank you for your presence here 
today and your forthrightness and testimony. I think we have 
built a valuable record here and some extremely valuable 
information has flowed this morning.
    As you know, that is part of the responsibility of this 
committee. We are a nonauthorizing committee, but we do work to 
build a record for the other committees to use, and finance is 
certainly one of those who uses us very readily, as 
informational sources in looking at compliance or in looking at 
any adjustments or changes within current law. Again, we thank 
you very much for your time here this morning, and we will 
excuse you.
    Ms. Adair. Thank you.
    Mr. Campanelli. Thank you, Senator.
    The Chairman. I will now ask the second panel to come 
forward, please. Next let me welcome our second panel.
    Cathy Treadway is a Medical Practice Administrator from 
Boise, ID. She has been very active in helping coordinate HIPAA 
preparation efforts statewide and is, I am told, one of Idaho's 
best experts on this extremely difficult subject.
    Mary Grealy is President of the Healthcare Leadership 
Council, which is, as its name suggests, a leading voice for 
America's health care industry, including providers, payers, 
and health care entities and companies.
    Alissa Fox is Executive Director for Policy for the Blue 
Cross/Blue Shield Association of America, and will talk with us 
about how the health plan community is responding to HIPAA, in 
particular the new transaction standards.
    Finally, Janlori Goldman is Director of the Health Privacy 
Project, perhaps the country's most prominent non-profit 
advocacy organization, focusing on patient privacy issues.
    We welcome you all. Cathy, you came the furthest, I think, 
so we will allow you to go first. We do appreciate you coming 
out from Idaho to be a part of this record. Please proceed.

 STATEMENT OF CATHY TREADWAY, MEDICAL PRACTICE ADMINISTRATOR, 
   THE WOMAN'S CLINIC, BOISE, ID; APPEARING ON BEHALF OF THE 
              MEDICAL GROUP MANAGEMENT ASSOCIATION

    Ms. Treadway. Good morning. I am Cathy Treadway, the 
Administrator of the Woman's Clinic, a nine-physician, 65 
employee specialty OB/GYN practice in Boise, ID. I am a member 
of the Medical Group Management Association and have held 
several leadership positions in the Idaho MGMA. MGMA is the 
Nation's oldest and largest medical group practice 
organization, representing more than 19,000 members who manage 
and lead 11,000 organizations, in which approximately 220,000 
physicians practice.
    I would like to thank Chairman Craig and the committee for 
convening today's hearing on HIPAA implementation. Over the 
past 2-1/2 years, I have dedicated considerable energy to 
increasing my knowledge of the HIPAA regulations and helping to 
educate providers throughout Idaho as a member of the Idaho 
HIPAA Coordinating Council. While I will be commenting briefly 
on the HIPAA Privacy Rule, I will focus particular attention on 
the electronic transactions and code sets, the TCS Rule.
    I would like to begin by discussing the implementation 
costs which practices already have incurred and will continue 
to incur in the future.
    Examining just our small practice, the Privacy Rule 
implementation costs total in excess of $10,000. Like practices 
throughout the country, we struggle with limited resources to 
deal with the magnitude, complexity and costs of HIPAA 
implementation. I must emphasize that these are just the 
initial Privacy Rule implementation costs. There are 
significant ongoing privacy costs for each practice, including 
continuing education, training of staff and physicians, 
printing and facility modifications.
    Practice costs for TCS implementation typically include new 
HIPAA compliance software, computer hardware, staff training, 
education materials, and for my practice, additional claim 
costs averaging $500-$600 per month. In addition, there are 
numerous future HIPAA standards scheduled for implementation. 
These include national identifiers, electronic claim 
attachments, and security. Each of these standards will demand 
additional implementation costs. These expenses must be 
considered in conjunction with the many unfunded mandates group 
practices face: projections of decreasing physician 
reimbursement and sky-rocketing medical liability premiums.
    It is imperative that both Congress and the Administration 
not examine the effect of any one regulation in a vacuum, but 
consider the cumulative effect that government decisions have 
on patient access to quality care.
    Let me briefly discuss the privacy regulations. While some 
uncertainty regarding particular aspects of the rule remains, 
it is important to note that we have not encountered any 
significant problems from patients. Rather, the continuing 
challenges stem from provider misunderstanding, 
misinterpretation, and uncertainty in complying with the rule's 
requirements. I have outlined these lingering issues in my 
written statement.
    I now wish to discuss the migration to the HIPAA standards 
for TCS. Along with providers around the Nation, I am fearful 
that cash-flow will be disrupted following the mandated 
compliance date of October 16.
    I have highlighted in my written statement my concern 
regarding the current readiness level of most group practices 
throughout the country. I would like to note, however, that 
many of the members of this committee represent States with 
large rural populations and, as such, I believe providers in 
those jurisdictions share many if not all of my concerns.
    According to an informal survey that I conducted, many 
Idaho health plans are just beginning to test claims with their 
provider customers. As a result, the vast majority of Idaho 
health practices do not feel that they will be ready to submit 
HIPAA compliant claims by October 16. In addition, some 
software vendors are requiring providers to process their 
claims through a proprietary commercial clearinghouse, thus 
incurring a per-transaction charge. The result is yet another 
unanticipated and ongoing cost for providers.
    In my own practice, we have experienced significant claims 
testing challenges. During our initial round of testing, the 
rejected claims contained no specific error information. Thus, 
we had no idea if the error was with our own software, our 
clearinghouse, or potentially non-compliance on the part of our 
health plans. As of September 19, last Friday, our vendor-
designated clearinghouse has yet to schedule testing with some 
of the largest health plans in the State, including Blue Cross 
of Idaho, Regence Blue Shield, and Idaho Medicaid. How can we 
even hope to be paid by our payers after October 16 when we 
cannot even test our claims? Fears of payment delays are 
exacerbated by the fact that in States without prompt payment 
laws, such as Idaho, there is no incentive for health plans to 
pay claims expeditiously. In addition, Idaho Medicaid cannot 
accept both legacy claims and HIPAA compliant claims. It is 
HIPAA compliant or their software or paper claims.
    Our continuing concern with the lack of industry readiness 
led MGMA and almost 40 other provider organizations to request 
the government issue a definitive statement to the industry 
regarding enforcement of the TCS standard. On July 24, HHS 
responded with guidance regarding the enforcements of the HIPAA 
TCS standards after October 16. The HIPAA statute requires 
covered entities to comply with TCS by October 16. By restating 
that fact while also outlining some conditions under which CMS 
will not impose penalties, the agency sent health plans 
conflicting messages in the July 24 guidance. Consequently, 
some health plans believe that they are legally compelled to 
reject noncompliant transactions. This quandary is particularly 
problematic for those health plans that will not be compliant 
until shortly before the deadline and, therefore, are not in a 
position to engage in provider testing until that point. 
However, the guidance did send a signal to health plans that 
they should make every effort to continue the cash-flow for 
their provider customers.
    CMS bolstered this enforcement flexibility position with 
the publication of a set of Frequently Asked Questions on 
September 8. In them, CMS states that a contingency plan for a 
payer could include not only the acceptance of legacy claims, 
but also flexibility in terms of data content and the offering 
of interim payments.
    Legacy claims are those that CMS and private plans 
currently accept. Exercising data claim flexibility would allow 
the government and private sector plans to process and pay 
claims that do not include all the required data elements. 
While MGMA was pleased to see this turn around, we believe CMS 
must explicitly tell noncompliant health plans that failure to 
develop appropriate contingencies to prevent cash-flow 
disruptions is unacceptable and is grounds for immediate 
enforcement action.
    Regarding TCS, CMS should first instruct its intermediaries 
to continue processing noncompliant claims after the October 16 
deadline. We are pleased to hear this morning the announcement 
regarding CMS contingency plans. However, CMS needs to clarify 
that all public and private health plans are permitted to 
accept, process and pay HIPAA compliant claims with fewer data 
elements than required.
    Second, CMS should strongly encourage health plans to 
return claims to providers with an explanation of any data 
content deficiencies in a timely manner. This will permit the 
entry of missing data and prompt resubmission of claims.
    Mr. Chairman, while MGMA is confident that complete HIPAA 
implementation will eventually ease some administrative burdens 
and facilitate improved data inter-change within the health 
care community, significant roadblocks continue to exist. MGMA, 
along with Idaho MGMA and IHCC, believes our recommendations 
will help providers manage this difficult transition.
    We urge Congress to play an active role in ensuring that 
the administration takes the necessary steps to avoid 
interruptions in the delivery of care.
    I appreciate the committee's interest in this important 
topic and thank the committee for inviting me to present my 
views on this issue.
    [The prepared statement of Ms. Treadway follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Cathy, thank you very much.
    Now let me turn to Mary Grealy.

 STATEMENT OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP 
                            COUNCIL

    Ms. Grealy. Thank you, Mr. Chairman. Thank you very much 
for this opportunity to testify on the medical privacy rules 
that are part of the Health Insurance Portability and 
Accountability Act, HIPAA.
    This is a matter of considerable importance to America's 
patients, health care consumers and health care providers, and 
I commend you for the attention that you are bringing to this 
important issue.
    I am here today on behalf of the members of the Healthcare 
Leadership Council, a coalition of the Nation's leading health 
care companies and institutions. Our membership embodies all 
sectors of health care, and every one of our members is 
directly affected by the HIPAA Privacy Rules.
    HLC also leads a coalition of over 100 organizations that 
strongly supports effective patient privacy protections.
    Mr. Chairman, you called this hearing in part because of 
information you are receiving from health care providers about 
the cost and confusion associated with the HIPAA privacy 
regulations.
    Let me say at the outset that we believe many of these 
difficulties could be avoided if Congress enacted a single 
national uniform standard for medical record confidentiality. 
What we have instead is a new Federal privacy regulation that 
does not replace the existing patchwork quilt of various State 
privacy laws but, rather, coexists with those laws. So no 
matter how well regulators write these rules, additional cost 
and lack of clarity are inevitable because doctors, hospitals 
and others are trying to navigate through a maze of Federal and 
State laws and regulations.
    Having said that, let me specifically address the impact of 
the HIPAA Privacy Rules. To say these regulations are complex 
is an understatement, but that is, in part, because they are 
attempting to fulfill a difficult objective. How do we protect 
the sanctity of a patient's medical information privacy while 
at the same time ensuring that necessary information is 
available for providing quality health care and conducting 
vital medical research? The HIPAA regulations as revised by the 
current administration, while not perfect, do attempt to strike 
this necessary balance.
    In terms of the value of these regulations, one point needs 
to be made. They do exactly what they are intended to do. 
Disclosing identifiable health information for purposes other 
than carefully defined, appropriate health care activities is 
strictly prohibited, unless the patient grants specific prior 
written authorization. If you disclose an individual's medical 
information to their bank, their neighbors, their employer, or 
their local newspaper, without their permission, you are going 
to be hit with Federal civil and criminal penalties.
    These regulations, as I said, are not perfect, but they are 
an improvement over what they might have been. Under the 
original proposed regulations developed by the previous 
administration, patients would have had to give their written 
consent before they could receive treatment, receive a reminder 
to make an appointment, have a doctor schedule their surgery, 
or even have a relative pick up a prescription. These rules 
would have generated treatment delays and volumes of 
unnecessary paperwork.
    There are more improvements, though, that need to be made. 
As we revisit these rules--and there is a provision to have 
them reviewed and modified annually--we need to ask a critical 
question: do these regulations sap resources for unnecessary 
compliance activities, resources that could otherwise be 
devoted to patient care? The answer to that question is clearly 
yes.
    HHS has estimated that the Privacy Rule will cost the 
private sector $17.5 billion over 10 years. Compared to other 
studies, including one by Blue Cross/Blue Shield, this is a 
very conservative estimate. Regardless of the actual total, it 
is clear that we're seeing billions of dollars funneled toward 
regulatory compliance at a time when health care providers are 
coping with dire fiscal austerity.
    The Inova Health System in Virginia, with five hospitals 
and 1,400 beds, told a congressional staff briefing that their 
implementation costs had thus far totaled about $1.5 million. 
Concentra, a network of 244 occupational health care centers, 
has already spent $3 million on initial implementation of the 
Privacy Rule.
    A single small hospital, Emerson Hospital of Concord, MA, 
has had to devote two full-time employees whose sole jobs will 
consist of HIPAA related paperwork. They will be compiling 
detailed information disclosure records that few if any 
patients will ever request.
    There is a need to undertake a comprehensive review of 
these regulations to determine how to best achieve their 
intent, without forcing the expenditure of precious resources 
for nonessential compliance activities.
    Mr. Chairman, health care companies and institutions want 
to act as working partners with the public and with the 
government to ensure that we achieve strong patient privacy 
protections without impeding treatment and medical research. 
While we still believe that the best course of action is a 
single, uniform Federal privacy standard, we look forward to 
working with this committee and with the Administration to 
ensure that Federal patient privacy protections serve the 
national interest as efficiently and effectively as possible.
    Thank you.
    [The prepared statement of Ms. Grealy follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Thank you, Miss Grealy.
    We will next hear from Miss Fox.

  STATEMENT OF ALISSA FOX, EXECUTIVE DIRECTOR OF POLICY, BLUE 
               CROSS AND BLUE SHIELD ASSOCIATION

    Ms. Fox. Thank you, Mr. Chairman. I appreciate the 
opportunity to testify this morning on HIPAA's administrative 
simplification rules.
    Blue Cross Blue Shield plans across the country are very 
committed to the goals of administrative simplification to 
reduce the costs, hassles, and paperwork of our health care 
system. However, we are concerned that these goals will not be 
realized unless we change the entire process for establishing 
and implementing the many administrative simplification 
standards that lie ahead of us.
    I would like to make three points. First, despite a 3-year 
implementation period, with an extra year that we got, thanks 
to your leadership, Mr. Chairman, we still have many providers 
who are not ready for the October 16 HIPAA transaction and code 
set regulation, just 3 weeks away. As a result, payers are 
planning to deploy expensive backup contingency arrangements to 
minimize disruptions and prevent unintended consequences, such 
as providers returning to paper in order to get paid.
    There are several reasons for our unreadiness: general lack 
of awareness about the regulation, especially among small and 
rural providers; lack of understanding about the cost and 
complexity of what it takes to become HIPAA compliant; and the 
late revisions made to the rule just last February that 
resulted in delayed vendor software needed by the industry.
    Second, important lessons can and should be learned from 
the first phase of HIPAA administrative simplification which 
should be considered before additional standards are adopted.
    It is important to realize there are numerous additional 
standards on the horizon. They fall into three categories. 
There are additional HIPAA rules that HHS is expected to 
release in the next year that Cathy Treadway talked about a 
little bit earlier. Second, there are modifications to the 
standards that we are just now implementing, some of which call 
for wholesale, very expensive changes, such as ICD-10, and new 
information technology initiatives by Congress and the 
administration to develop uniform standards for clinical 
information and the interoperability of information systems so 
that patients' medical records can move from doctor to doctor 
across the country electronically.
    We believe the lessons learned include, first, a credible 
cost-benefit analysis, which is a must before any future 
standards are adopted. When HHS adopted the transaction and 
code set rule, the projected costs were greatly underestimated. 
HHS estimated the cost at $5 billion for the entire industry. 
Two years ago, we commissioned the Nolan Company who found the 
HHS estimate to be understated by a factor of 10 for health 
plans and a factor of 3 for providers, thereby underestimating 
total industry cost by $11 billion.
    Now that the compliance date is here, it appears the Nolan 
estimate is on the low side and that the actual industry costs 
just to implement the HIPAA administrative simplification 
transaction and code set rule are likely to be significantly 
higher than the earlier $16 billion we originally estimated.
    A second lesson learned is that the industry must involve 
all aspects of their operation in developing the standard, not 
just the IT shop. A key mistake all stakeholders made is 
treating administrative simplification as a systems issue, just 
like Y2K. We have found, however, that these standards have a 
ripple effect throughout the entire health care operation, 
whether it's a payer, a health care clinic, or a hospital. A 
change in one simple code can affect medical policy, quality 
improvement programs, how much you get paid for the service, as 
well as fraud and abuse detection efforts, just to name a few.
    The third lesson is standards must be pilot-tested before 
we adopt them. It is only when a standard is actually pilot-
tested that we can identify the issues and any unintended 
consequences that should be addressed before we ask the entire 
industry to go ahead and adopt them.
    Finally, we urge Congress to create a high level 
stakeholder commission to develop a national health care 
information technology strategy based on industry consensus. 
The current piecemeal approach to information standards is akin 
to building a house room by room without an overall blueprint. 
While the standards now being contemplated have great potential 
to improve quality and cut costs, this goal will not be 
realized under the current process. The industry needs a 
blueprint to know where we are headed, with a prioritization 
and timeline to provide order and predictability to all of us, 
and importantly, to ensure that the standards are implemented 
in the most cost-effective and efficient manner.
    Mr. Chairman, as you have highlighted this morning, with so 
many demands on the industry, health care premiums rising at 
double digit rates, and with over 40 million Americans 
uninsured, it is critical that we spend our resources wisely.
    Thank you.
    [The prepared statement of Ms. Fox follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Miss Fox, thank you very much.
    Now, the last person on this panel, Janlori Goldman, 
Director of the Health Privacy Project. Welcome. We look 
forward to your testimony.

  STATEMENT OF JANLORI GOLDMAN, DIRECTOR, THE HEALTH PRIVACY 
                            PROJECT

    Ms. Goldman. Thank you. Thanks very much for inviting me to 
testify.
    As you probably know, the Health Privacy Project not only 
develops expertise and analysis on a range of health privacy 
issues, we also coordinate a consumer coalition for health 
privacy. It is made up of provider groups and disability rights 
groups, labor organizations and consumer groups so that we can 
better represent the interests of patients, since we all are 
patients. We can better represent the interests of patients who 
both want research to go forward, and want to improve health 
care, but also want to make sure they're not putting themselves 
at risk for discrimination and privacy violations.
    The Privacy Rule, as you have heard already today, is the 
first Federal law that provides a minimum set of privacy and 
security rules for medical information. It allows both provider 
groups and health plans to build privacy into the practice of 
delivering health care.
    One of the things that has not been discussed this morning 
that I want to talk about for a moment is why we needed this 
health privacy law. We needed it because we had documented 
evidence that, without privacy, people had barriers to care, 
quality of care was at stake, and some people were afraid to 
get health care because they didn't want to subject themselves 
to potential discrimination. They were afraid their employers 
would get access to information, they were afraid that friends 
and family members, coworkers, might learn about sensitive 
conditions. Where they were not able to be honest with their 
doctors, they put themselves at risk for untreated and 
undiagnosed conditions.
    We believe very strongly that there is a high cost that has 
been paid by the public because of the lack of privacy, and a 
cost that has not been assessed either by this Administration 
or by any of the industries who talk to you about the cost of 
putting privacy in place. We believe there will be substantial 
cost savings, not just the offset from the transaction and code 
set rules, but also because people will be more encouraged to 
fully participate in their own care and, again, not put 
themselves at risk.
    We also know not just the empirical data in terms of this 
20 percent who have withdrawn from care, but we also know 
individual stories that have been very compelling, people who 
have lost their jobs because information was misused, people 
whose information was sold without their permission, people 
whose information was put on the Internet, and most recently, 
even in the Kobe Bryant case, the accuser there had her medical 
records released by a hospital in Colorado without her 
knowledge, without her permission, and against both Colorado 
law and the privacy regulation.
    The Privacy Rule, as you heard, was a long time in the 
making. It went through an extensive rulemaking process. The 
Bush Administration did make substantial modifications to ease 
industry concerns. But we do have limits on access and 
disclosure outside of health care. People can now get their own 
records, and the notice is very substantial in telling people 
how their information is used.
    Despite a 2 1/2 year implementation process and compliance 
period, myths do persist. I think that Director Campanelli 
testified very eloquently about how most of those myths have 
been dispelled. Most of the initial myths and misperceptions 
and confusion about the privacy regulation was in some ways 
kind of a blip. There was a lot of early misunderstanding, most 
of which was put to rest by OCR, and by the industry. The 
Health Privacy Project put out a Know Your Rights. We have done 
some substantial public education.
    But some of the myths do persist, and I think they're very 
troubling. For instance, the myth that doctors can't share 
information with each other or other health care providers--
absolutely wrong. Relatives can visit their family members in 
the hospital and pick up prescriptions and other kinds of 
medical information unless, of course, the patient has taken a 
step to opt out.
    The notice is not a consent form. The Bush Administration 
was clear that consent is not required for treatment and 
payment. The notice tells people how their information is used 
and what their rights are. It does not have to be signed. We 
just encourage people to do it to acknowledge that they 
received it. There is no private right of action, so under the 
Federal law people don't have a right to sue.
    The cost issue I think I have addressed already.
    State law, which some people have addressed, is really 
important. Prior to promulgation of the privacy law, the Health 
Privacy Project compiled and summarized State Medicaid privacy 
laws. They are available on our website for free.
    We found that the Privacy Rule will bring substantial 
uniformity. Yes, there will still be 50 different State laws, 
but for the most part, most of them will be preempted because 
the Federal rule is more stringent or more comprehensive. Where 
the State laws will still continue to exist is usually in a 
condition-specific area. There are specific laws related to 
HIV/AIDS or mental health, or abuse and neglect. Those laws 
were carefully crafted at the State level and they will 
continue to stand. The Privacy Rule doesn't address medical 
privacy on a condition-specific basis.
    Let me just conclude with three quick points. We believe 
the privacy regulation is absolutely important in encouraging 
people to get care, in improving quality of care, so the 
information we have for research and public health is reliable. 
We believe that it allows information to flow freely within the 
health care context without barriers, but it puts limits and 
safeguards in place so the information will not go to 
employers, will not go to law enforcement without some court 
order, that there are some limits in place. We think that's 
critical.
    The temporary confusion, as I have said, I think has been 
addressed by OCR, by the Health Privacy Project, and others. 
But I want to urge the professional and trade associations, 
many of whom are in this room today, to step up their technical 
assistance and their guidance. Some of the confusion that 
occurred early on I think was inexcusable, involving some very 
fundamental, basic misunderstandings and confusion. So I think 
we know what those areas are and to step up technical 
assistance is key.
    Again, I don't think it is fair to ask people to sacrifice 
their own health care and their own ability to get care in 
order to protect their privacy. We know a substantial portion 
of this population has done that so far. My hope is that, over 
the next few years, we will be able to go back into the public 
and do another survey following up on our 1999 survey, to 
measure if the privacy regulation encouraged people to get 
care. Has it encouraged doctors and patients to communicate 
more freely with each other? Have we seen that the cost issues 
in some ways are outweighed and maybe even offset by increased 
participation and by the transaction and code sets? So I look 
forward to that continuing dialog with you and the rest of the 
committee.
    Thank you.
    [The prepared statement of Ms. Goldman follows:]
    [GRAPHIC] [TIFF OMITTED] 
    
    The Chairman. Ms. Goldman, thank you very much.
    I don't think there's anyone on this committee, certainly 
not the Chairman, who doubts the value of and the importance of 
why Congress moved in the direction it did, not only for the 
very reasons you talked about--individuals denying themselves 
care for fear of a disclosure--but also the reality of the 
march of medical science. We all understand a doctor and 
medical professional's relationship to a patient and what that 
professional may know simply by medical science's ability today 
to determine certain kinds of things we didn't know that might 
determine future decisionmaking for the part of the patient 
that we as a society ought not be disclosed beyond that is 
critically important. I hope that we work our way through it.
    My intent is not to cast a shadow over the importance of 
the privacy, but to make sure that we do it right, that we 
streamline it as best we can, that we get the informational 
flow out so that it doesn't become an impediment. It was not 
intended to be. So I thank you for that testimony.
    I'm going to have to leave, but I must tell you, I am 
pleased to be joined by my colleague, Senator Peter Fitzgerald, 
who is going to carry on with the questioning. The first 
question he's going to ask, I do believe--I'm going to set him 
up for it--is a question that you, Cathy, alluded to, and some 
of you did, and I would like for the record for you to assess 
the announcement that you heard this morning from CMS as it 
relates to style of implementation, method, process to the 
legacy clause and all of that, and what that's going to mean in 
the short term as we work our way through this very complicated 
bureaucracy or regulatory process that we have set ourselves 
into with HIPAA.
    Last, let me thank you all for being here, and especially 
let me thank the Senator for joining us this morning as a 
member of this committee to ask some very important questions 
for the record. Thank you.
    Senator Fitzgerald. [Presiding.] Senator Craig, thank you 
very much.
    I did want to ask you your thoughts on CMS' announcement 
this morning. Do you believe their willingness to extend the 
time past October 16 for filing claims under the old system 
will have a positive effect, and do you think any additional 
steps are needed? Anybody on the panel, I would encourage you 
to respond.
    Ms. Treadway. Mr. Chairman, I would say that it is much 
appreciated that CMS has recognized that we will not be ready 
October 16, and taking the opportunity to extend that so that 
the health plans can accept both legacy claims and the HIPAA 
compliant claims.
    However, as I mentioned in my statement, as we look at 
Idaho, not all systems can take both HIPAA compliant claims and 
legacy. It's one or the other. The State of Idaho Medicaid is 
in that exact situation. So even though it will help, it still 
has a long ways to go before we will not be experiencing delays 
of payment.
    In addition, I also mentioned that we need guidance on 
whether they can accept and process and pay HIPAA compliant 
claims that don't have all the data elements that are required. 
All the new elements that are required are not necessarily 
needed to process payment. We do not want to see health plans 
being able to deny claims that they could process and pay. In 
Idaho, we do not have prompt payment legislation. That means 
there is no incentive for health plans to make that extra 
effort to get those claims paid. We are very fearful there will 
be significant delays in payment, which are going to affect our 
clinic's ability to provide care for our patients.
    Senator Fitzgerald. Miss Fox.
    Ms. Fox. Yes, I would like to comment. Thank you. I would 
like to comment both with respect to Medicare and as a private 
payer. Many of our plans contract with CMS and are actually the 
day-to-day processors of the Medicare claims. So we believe 
that their announcement today is very good news.
    Both our Medicare contractors and private payers are very 
concerned that the low level of provider readiness could, if 
you don't have an announcement like this, result in providers 
returning to paper claims. Paper claims are expensive, both on 
the part of the provider and the payer, and could involve 
significant delays in payment because you would have to hire so 
many more people to process those paper claims. Under CMS' 
announcement, Medicare has announced that they will process the 
old electronic formats so that providers won't have to revert 
to paper if they're not ready for October 16.
    On our private side, we are now polling our plans. Our 
plans are prepared. They do have contingency plans that would 
also allow existing legacy claims to be submitted and processed 
after October 16, and we are now polling our plans to see to 
what extent they are going to deploy them consistent with CMS' 
guidance.
    I would add, however, that one of the recommendations made 
by MGMA is just not doable. What they are asking is that CMS 
tell payers that they must process a partially complete HIPAA 
claim. The whole purpose of standardizing these HIPAA 
electronic claims is so that a provider, when they submit a 
claim to Aetna, Cigna, Blue Cross or Medicare, knew that once 
they filled out the claim, that was an acceptable claim for all 
payers.
    If you start saying you're only going to fill out 60 
percent for one payer, 70 percent for another payer, you 
basically return to what we're trying to get away from, which 
is a lot of variation by payers instead of standardization. So 
we are very committed to the standardization and we're very 
committed to smoothing transition to HIPAA and assuring cash-
flow to providers. We believe by plans continuing to process 
existing legacy claims after October 16 for some period of time 
the objective of smoothing the transition will be met.
    Senator Fitzgerald. Any other comments on that?
    Ms. Grealy. Senator, I think, whether we're talking about 
the transaction code sets or we're talking about the Privacy 
Rule, the CMS approach really represents something that I think 
is very important, that the government, whether we're dealing 
with CMS or the Office of Civil Rights, act as a working 
partner and collaborate with the health care industry as 
they're trying to implement these very complex rules. So I 
think, symbolically, it's very important that they're taking 
that approach, they're listening to what health care providers 
and plans are saying, and trying to work through these issues 
with them.
    Senator Fitzgerald. I would think you would all agree that 
to have uniform transaction rules will really be a good thing 
and will take some costs out of the health care system 
ultimately, after the initial transition phase.
    Ms. Fox. I think we need to look at that carefully. I think 
there are a lot of benefits, but I think it's important to note 
that these HIPAA transaction code sets is phase one. There are 
lots of phases on the horizon, so it's not like you do this and 
you're done. Really what's envisioned is constant change for 
the next several years. So I think we----
    Senator Fitzgerald. How many phases does HIPAA bring us 
through?
    Ms. Fox. We don't know the answer to that question, 
actually. There is lots of different phases on the horizon. 
There are three standards that are due out within the next 
year, and CMS is already looking at modifications to the ones 
we're just now struggling to implement. So we are recommending 
that we get a stakeholder commission to really look at that, 
how many phases are we talking about, where are we headed, how 
are we getting there, are we getting there in the most cost-
effective and efficient manner, and make sure that everybody 
has a consensus on how we're proceeding.
    Senator Fitzgerald. Along those same lines, I wonder if 
each of you could summarize briefly the best dollar estimates 
that you are aware of regarding the costs incurred by the 
entities you represent in complying with the new HIPAA 
transaction rules, and with the privacy regulations.
    Ms. Grealy. Well, we represent the entire health care 
industry, and we're focusing just on the Privacy Rule. That's 
what we have worked on.
    As I said in my statement, HHS put out an estimate of $17.5 
billion over 10 years. Blue Cross Blue Shield had an estimate 
of, I believe it was $45 billion----
    Ms. Fox. Forty-two.
    Ms. Grealy [continuing.] Of $42 billion. As you can see, 
it's a rather disparate range.
    I don't think we'll really know. We know that it is in the 
tens of billions of dollars, and that $17.5 billion is quite a 
low estimate. Yes, it's an important issue, but I think we need 
to look at how else could those resources be used. How else 
could the funds for those personnel that are being hired have 
been used? What other hires could have been done--more nurses at 
bedside probably would be a preference. So we hope we can 
strike a balance.
    As Senator Craig said, let's see if we can streamline this 
process, make it as cost efficient as possible, while we're 
trying to meet the real concerns of the patients.
    Senator Fitzgerald. Do you think the costs are appropriate 
to the benefits that are likely to be achieved?
    Ms. Grealy. Do I think we could have done it in a less 
prescriptive, less regulatory way? Yes, I think we could have 
done it more efficiently and cheaper.
    Senator Fitzgerald. Achieve the same benefits?
    Ms. Grealy. Achieve the same benefits.
    Senator Fitzgerald. Is that HHS' fault or is that Congress' 
fault because Congress mandated HHS to promulgate regulations 
if we didn't act.
    Ms. Grealy. I think the regulations could have been much 
more streamlined. We have made progress and we have made 
improvements, and we will have the opportunity to do that from 
year to year. But the initial regulation that we were dealing 
with was voluminous and way too detailed and way too 
prescriptive. So I think we have made improvements in it and 
hope to continue to do that.
    Ms. Goldman. I think it's really important when we're 
talking about cost to factor in both what the White House has 
estimated the cost to be which some of the testimony presented 
here does not acknowledge. The White House estimated that the 
cost associated with putting the Privacy Rule in place would be 
offset many billions of dollars by putting the transaction and 
code set regulations in place.
    In fact, when Congress put the mandate in HIPAA back in 
1996, many of us were involved in that process, and the reason 
the privacy regulation went into HIPAA is because the industry 
was pushing very hard to create that uniformity in the 
transaction and code sets, to create a common language for how 
health information would be coded and shared.
    There was an acknowledgement that putting privacy in place 
at the same time was a prudent measure, that we would be 
increasing risk obviously to privacy and discrimination by 
creating a national health information infrastructure, but that 
that was critical to moving forward with health care. So we 
could build privacy and security in at the outset, there was an 
acknowledgement by Congress and by most of us sitting here in 
this room that we had to do that together and that it would 
save money to do it together and it was the right thing to do.
    The White House estimates I think have been quite clear, 
that there will be a substantial cost savings ultimately, and 
we need to think about that.
    As I said earlier, it's very important to also factor in 
saving money from improving quality of care and broadening 
access to care and having more reliable data for research. Most 
of the estimates don't include that because I think it's a 
tough thing to measure.
    Ms. Treadway. Mr. Chairman, I would just like to bring this 
back down to the provider level. This is an unfunded mandate. 
These costs are creating additional costs for us to provide 
care for our patients, and skyrocketing the costs for health 
care. If you compound that by malpractice insurance and all of 
the other government regulations that we're facing, it is a 
struggle for physicians.
    As I talk to the different small groups in our State, they 
are very worried about their ability to keep up with the 
government regulations. As we've mentioned, it's volumes and 
volumes of information, trying to read it, trying to understand 
it. They don't have the staff to do that. They are there to 
take care of patients.
    There may be additional savings down the road, but at this 
point in time we are worried about how to keep our doors open 
and to take care of patients in light of not knowing if we're 
going to be paid for our service and trying our best to work 
within the system to comply with all of the government 
regulations that are there. We are very concerned, and the 
costs are nationwide, when you come down to an individual 
provider, the dollars are not there to comply and it's 
unfunded. So we are being forced to attempt to comply and it 
just skyrockets our costs of providing health care.
    Ms. Grealy. Mr. Chairman, we also were looking for national 
uniformity with the Federal Privacy Rule. We did not get that. 
The Healthcare Leadership Council has had to fund a one million 
dollar study so that we could provide information to all of our 
members, members of the confidentiality coalition, as to what 
is the interplay between the Federal law and regulations and 
the various State regulations. So this Federal regulation is 
merely a floor. It's not a ceiling. That is something that 
every provider is going to have to be aware of.
    I think perhaps you are seeing a bit of hyper-compliance. I 
think that has a lot to do with hospitals that have been 
involved in various investigations for what were billing 
errors, and yet having that characterized as fraud. I think 
everyone has taken compliance extremely seriously, and perhaps 
to the extreme, but feel that they've got to make this 
investment to make sure they're doing it the right way so that 
they are not subject to an investigation or a civil or criminal 
complaint.
    Senator Fitzgerald. Why do you believe so many parts of the 
health care system are having such continuing difficulty 
complying with the new transaction rules? What is it about the 
new rules that makes them so difficult to comply with?
    Ms. Fox. We think there's three reasons why it's so 
difficult. One is there is just a general lack of awareness 
about the regulation itself. Second, there is a lack of 
understanding about the cost and the scope of the regulation.
    I think a mistake that all of us made, quite frankly, Mr. 
Chairman, is that we had representatives working to develop 
these standards at the front end, but the people we had sitting 
around the table were our information technology staff, who 
while they are quite capable, they look at things from a 
systems only standpoint. What we realized in looking backwards 
is that when you change a code and you change these formats, 
and you now say, ``I'm only going to have this data or that 
data, it has a ripple effect on the entire operation--whether 
you're a payer, whether you're a hospital or a clinic--that we, 
quite frankly, just didn't understand.'' When you change that 
code, it can change your provider payment, it can change how 
you detect fraud and abuse, it could change your quality 
improvement programs.
    The way that our systems work is we piggyback everything on 
a single code. So once you change that--and the information 
technology staff just really didn't identify those issues. So I 
think we just didn't realize how expensive and big this 
regulation was to begin with.
    Senator Fitzgerald. What does that mean in concrete terms? 
How can we improve things for you? If you had two or three 
changes that you could make to the regulations, what would they 
be?
    Ms. Fox. It's not the regulation itself. It's really the 
process we would like to see changed. At the front end we would 
like to see--all of the stakeholders, involving our whole 
operation, not just our information systems people. Second, we 
think it's critical that we get a true cost-benefit analysis 
done collectively. Let's really look hard at what those costs 
and benefits are so we all agree on that.
    Third, it's critical to pilot test it. I think it's a big 
mistake that we didn't pilot test this. When you pilot test it, 
then you identify what the issues could be, what are the 
possible unintended consequences. Once you pilot test it, you 
can make sure that, before you tell the whole country to do 
something, you have identified the wrinkles.
    Senator Fitzgerald. Well, it's not being pilot tested.
    Ms. Fox. I'm sorry?
    Senator Fitzgerald. It's not being pilot tested, right? The 
whole country is doing it.
    Ms. Fox. I'm saying going forward, and when we do the next 
stages of these regulations, we need to learn from the mistakes 
we made this time. I think now what we need to do is--I think 
we're getting there. I think we need to employ contingency 
plans, make sure that providers get over this hump, but I think 
we really need to learn lessons from this experiment.
    Ms. Treadway. Mr. Chairman, I would like to comment on 
that, also.
    Part of the issue that we dealt with is that we didn't get 
final information from CMS until February of this year. Many of 
the vendors were waiting for that direction before they 
finalized their programs.
    This is an extremely complex process. We are dependent on 
the health plans, the clearinghouses and our software vendors, 
to all have their ducks in a row before we can begin testing. 
So as we work on it, we have been attempting to test for over a 
year now, and finally became a beta test site to begin testing, 
and felt that we were starting to move forward. It took two 
solid months before we got anything that ever went through. It 
just said beta file error. You have to be able to test real 
data.
    Then we found out they're not even testing with Idaho 
payers. It's very, very complicated. If there had been 
staggered implementation dates so that health plans and 
clearinghouses and vendors had different staggered dates for 
implementation, it would have made it easier from the 
providers' standpoint to go with.
    The other thing we're dealing with is they do not have to 
give us the missing data elements when we have a claim that's 
denied. All of this is just very, very complicated. I think the 
complexity is really a struggle for all of our small providers 
because we don't have experts helping us through this.
    Senator Fitzgerald. I have a question for Miss Fox. In your 
testimony you point out that HIPAA's efforts to achieve 
electronic claims standardization are going on, even as other 
uncoordinated efforts are being launched elsewhere in the 
government to promote greater use of electronic systems in 
health care, such as electronic medical records.
    How can we in government better go about advancing the goal 
of bringing new e-technology to health care without breeding 
even more confusion?
    Ms. Fox. We are recommending that Congress set up a 
stakeholder commission that would really look at where is the 
vision, where do we all want to go. A lot of people have a 
vision that we want to have electronic medical records that can 
move from doctor to doctor across the country. To get there, 
you really need to take these new standards we're doing today 
as a continuum to get there.
    If that is the vision, what is the smartest way of getting 
there? Is that the vision everybody agrees to? What should come 
next? What codes should we change? People are talking about 
going from ICD-9 to ICD-10. That's the coding system for 
diagnosis that hospitals and other providers use. People are 
talking about that as the next step. We have a consultant 
that's looking at it and saying that might not be the next 
step. You might want to actually describe the services, for 
example, like how you set an arm, and maybe you don't even--He 
was raising yesterday with us that maybe you don't even need 
going to a replacement for ICD-9 if you describe your services 
in a standard way.
    These are the kinds of issues that I think we all need to 
discuss around the table, and walk through what are the steps 
to get you to the end result, how much money is it going to 
cost, what's the most efficient way to get there, what's the 
priority, and then let's go forward in a smart way so that 
we're not wasting resources.
    Senator Fitzgerald. So you would like to see Congress set 
up a commission that could hash this out.
    Ms. Fox. Yes.
    Senator Fitzgerald. Has anybody introduced a resolution in 
either the House or the Senate?
    Ms. Fox. No. We are talking to people now about such a 
proposal.
    Senator Fitzgerald. OK. So you might be working on that.
    Ms. Fox. Yes.
    Senator Fitzgerald. I guess I would ask all of you this, 
but especially Miss Goldman and Miss Grealy. In your 
estimation, what are the most troublesome areas in the new 
privacy regulations when it comes to patient or provider 
confusion?
    Ms. Goldman. I think that what we saw initially we are now 
seeing die down. As Director Campanelli testified earlier this 
morning, he's only getting about a third of the questions now a 
few months into the implementation phase.
    But I think the things that continue to trouble me are, 
one, the misunderstanding that doctors can't share information 
to treat patients. You see reports in the newspaper all the 
time, and I talk to doctors who say, if I refer a patient to 
another doctor, they won't then talk to me about the patient or 
information can't be shared back to me to treat the patient. 
That's just wrong. It's not even a question of interpretation. 
It's just wrong. I think it needs to be absolutely clear from 
the professional and trade associations, from OCR, from the 
State regulators, that doctors and other health care providers 
can share information to treat patients without having to get 
consent.
    Picking up prescriptions, visiting relatives in the 
hospital, again the status quo in some ways, the presumption 
that most of us share, that information should flow freely to 
treat people, to pay for their care, and to allow us, as family 
and friends, to be able to take care of those we love. So those 
are the things that I think we absolutely have to address.
    Of course, somewhere down the road, once there is a clear 
understanding and we do clarify the myths and facts about the 
privacy regulation, we would like Congress to take up what we 
consider to be some of the regulation's weaknesses, some of the 
gaps in the law, some of the areas where the law doesn't go far 
enough. I realize this may not be the best time to bring that 
up, but it is part of our long-term agenda, to make sure the 
law is more enforceable, to make sure it does cover employers 
directly when they do collect information themselves.
    Senator Fitzgerald. When was your group formed, Miss 
Goldman?
    Ms. Goldman. When?
    Senator Fitzgerald. Yes.
    Ms. Goldman. The Health Privacy Project was created at the 
end of 1997.
    Senator Fitzgerald. Where does it get its funding?
    Ms. Goldman. We get funding from foundations primarily.
    Senator Fitzgerald. OK.
    Ms. Goldman. Anybody who would like to contribute to the 
Health Privacy Project can see me after the hearing. 
[Laughter.]
    Senator Fitzgerald. Miss Grealy, would you have a response 
about what areas are the most troublesome in the privacy 
regulations?
    Ms. Grealy. Mr. Chairman, I participated in a town hall 
meeting in Baltimore on behalf of Congressman Cardin recently. 
As Miss Goldman has pointed out, there is a lot of confusion as 
to what information can be shared between health care 
providers. We heard quite a bit from social workers, who had 
the responsibility of monitoring mentally disabled adults in 
group homes and whether they could get information from 
physicians to make sure those adults are being treated 
appropriately.
    As I said earlier, I think there is a real sense of 
hypercompliance. Everyone was told you could only share the 
minimum amount of information necessary, or that you have to 
have the patient's prior written consent before you can do 
certain things. There is a lot of confusion. We have to do a 
lot of education.
    I think the Office of Civil Rights is doing a good job, but 
I'm not sure the general public and every provider thinks of 
going to the HHS website. So we are doing our best to try to 
get that information out there. As I said, we participate in 
town hall meetings in congressional districts; we do Hill staff 
briefings, again trying to tell people what this rule actually 
does.
    There are areas where we can reduce the regulatory burden. 
One in particular that I cite in my testimony is maintaining 
records of when you make disclosures. With the hundreds of 
millions of patients that are admitted to hospitals, that are 
treated by physicians, trying to track all of that is just 
overly burdensome and something we think can be streamlined.
    So we look forward to working with HHS and trying to refine 
this rule as we go forward. We think we can make it more 
simple. But we do have to do a lot more educating of the public 
and educating the providers. It isn't that clear. I think we 
who have been immersed in the rule understand it pretty well, 
but I think these questions still normally arise and we do have 
to do better on education.
    Senator Fitzgerald. Miss Treadway, I'm wondering if you 
could estimate for the panel what proportion of your time has 
been spent in the last couple of years working on or getting 
ready for HIPAA compliance.
    Ms. Treadway. I would estimate that of my time in my 
clinic, it has been in excess of 10 percent, 10 to 12 percent 
of my time that is spent on HIPAA privacy and on working within 
our group and within the State, trying to educate the providers 
and the administrators throughout the State on the regulations 
and what they need to do to prepare for that. I would say 
probably 10 to 12 percent of my time alone has been spent over 
the last couple of years doing that.
    Senator Fitzgerald. Do you feel your colleagues elsewhere 
in Idaho who are providers have become, as we've gotten closer 
to the implementation, better familiarized with the 
regulations?
    Ms. Treadway. I would say yes. Our Idaho HIPAA Compliance 
Coordinating Council has done a road show throughout Idaho on 
three separate occasions. The most recent one was this Friday. 
We had 121 participants in the morning and 121 in the 
afternoon, and a waiting list of people to get in on the HIPAA 
education. We had representatives from Medicare, Idaho 
Medicaid, Blue Cross of Idaho, Blue Shield of Idaho. They asked 
a question out there and asked in the morning session how many 
were ready for HIPAA codes and transactions, and three out of 
120 raised their hand, that said they thought they were ready. 
Mostly that was because their vendors had assured them that 
they would be ready to submit and be able to process claims. A 
lot of them are hoping to begin testing. Some of them don't 
even have the software loaded on their computer systems yet.
    So yes, are we fearful in Idaho, and yes, they are trying 
to get information across the State. When they have done these 
meetings, we've had huge attendance at them.
    Senator Fitzgerald. I wonder what HHS or the major provider 
organizations could be doing better to alleviate the confusion 
that you describe. It sounds like there are a lot of seminars 
being conducted and people certainly have the opportunity to go 
to those seminars, although you said there was a waiting list 
and not everybody was able to get in to them. But it would seem 
to me there would be plenty of opportunities to familiarize 
yourself and your organization with the new regulations.
    What else could HHS be doing?
    Ms. Treadway. I think continual education, continually 
working on simplification, are two really important parts of 
it. I think the steps CMS took today to work toward allowing an 
extension of that deadline is helpful. Unfortunately, we are 
within 3 weeks of the implementation of this. As we found out 
from the privacy rules, when the original regulations come out, 
and then when they do the loosening or the changes in them, 
some people read the original and they don't get all the 
changes. So as we look at these constant changes, it is very, 
very difficult to say am I dealing with the current 
regulations, or which area of the regulations am I truly 
dealing with.
    If I went to a seminar 2 years ago on any of these 
regulations, and I felt I was up-to-date on them and I didn't 
go to the most current one, I would have missed the entire 
process because things have changed so drastically during that 
time.
    As Senator Craig mentioned, there were 102,000 words in 
this legislation. You look at that and it's massive for a small 
doctor's office. In Idaho, the average is two-and-a-half 
physicians per clinic. You have five or six staff that are 
trying to implement these regulations. How can they even hope 
to be able to comply with it?
    Senator Fitzgerald. We have just 6 minutes left before I 
have to go and make a vote, so I'm going to bring this meeting 
to an end. But I just want to ask one more question for Miss 
Grealy.
    Your organization, the Healthcare Leadership Council, has 
taken the lead in launching an industry-wide study examining 
differences between the Federal Privacy Rule and each State's 
privacy rule. Why is this study necessary, and approximately 
how many States have more stringent requirements than HIPAA?
    Ms. Grealy. Many States. I don't have the exact number.
    The reason we undertook this study was because Congress did 
not make this privacy rule or law preemptive of State law.
    Senator Fitzgerald. Except if it's a more lax privacy rule.
    Ms. Grealy. So it establishes the regulation as a floor as 
opposed to a ceiling.
    Senator Fitzgerald. Right.
    Ms. Grealy. So we don't have that single national uniform 
standard.
    Senator Fitzgerald. Would you like that?
    Ms. Grealy. Yes, we would.
    Senator Fitzgerald. Miss Goldman wouldn't, I guess.
    Ms. Grealy. We had asked also that, given that we didn't 
get that, that HHS provide guidance and interpret what is the 
difference between the Federal regulation and the State law. 
HHS has refused to do that. So that's why it fell to the 
industry----
    Senator Fitzgerald. Well, they're not in the business of 
interpreting the States' laws.
    How many States have tougher privacy laws?
    Ms. Grealy. I'm sure Miss Goldman would know. I believe 
it's the majority.
    Ms. Goldman. We did a similar analysis in 1999. It's not as 
targeted to the industry as the Healthcare Leadership Council's 
analysis, which is being sold to some in the health care 
industry. Ours is, as I said, available for free.
    What we found was that most of the privacy regulation as it 
currently reads will preempt most State law, because most State 
law is less comprehensive and less specific.
    Senator Fitzgerald. How many States have tougher laws?
    Ms. Goldman. Well, where the States do have tougher laws, 
there are a couple of States where, even in some of the kind of 
broad areas, like access to records or limitation on disclosure 
that you might find in California, for instance, there are more 
stringent State laws in those broad areas.
    Senator Fitzgerald. Any State besides California?
    Ms. Goldman. California comes to my mind. Minnesota does as 
well.
    But most States have these condition-specific laws that the 
privacy regulation----
    Senator Fitzgerald. Now, I have to ask you this. Do you 
think it's a good thing for companies to have to comply with 
different laws in all the different States? I mean, don't you 
think that adds a lot of cost to the health care system and 
cuts down on the affordability and availability of health care?
    Ms. Goldman. Well, I'm glad you asked that, because prior 
to the privacy regulation taking effect, every health care 
organization in the country had to comply with 50 different 
State laws, patchwork laws.
    Senator Fitzgerald. That's true.
    Ms. Goldman. The privacy regulation, in many ways, created 
substantial uniformity. In most of the Federal laws in this 
country, we don't preempt State law. We might preempt State law 
that's weaker----
    Senator Fitzgerald. Isn't she right, Miss Grealy?
    Ms. Grealy. We lobbied strongly for Federal legislation 
that would establish that uniform standard, to avoid exactly 
what you're saying, the additional cost. So now, going forward, 
you will always have to check what's happening with the State 
law as it's updated, as it's changed. So is that really a cost 
we need to incur in the system?
    Senator Fitzgerald. I'm sorry, Miss Goldman, but we're 
running out of time here. Is your organization lobbying in 
certain States to make the privacy laws tougher than the 
Federal laws?
    Ms. Goldman. Well, let me first say that we don't lobby, 
but we----
    Senator Fitzgerald. Advocate?
    Ms. Goldman. Well, we have not actually advocated that. 
What we're trying to do is work with a lot of the same issues 
that some of the industry people are. We are working with a lot 
of the safety net providers, the community clinics----
    Senator Fitzgerald. Are you supporting tougher----
    Ms. Goldman. Not necessarily.
    Senator Fitzgerald. So you're not supporting tougher 
privacy laws in any of the States?
    Ms. Goldman. We haven't gotten into that area at all. We're 
just trying to help folks sort out where the privacy laws in 
the States and the Federal laws come together.
    Senator Fitzgerald. OK. Miss Fox, you wanted to say 
something, and then I am going to have to adjourn the meeting. 
You have all been terrific witnesses and we appreciate it.
    Ms. Fox. Thank you so much for letting me just add my two 
cents.
    I think it's important to realize that we're not talking 
about here's the Federal privacy law and here's the State 
privacy law. The States have multitudes of privacy laws and 
they're buried in lots of little statutes. For example, there 
might be a privacy law that talks about AIDS patients, another 
privacy law that talks about maybe immunizations----
    Senator Fitzgerald. But couldn't you argue that it's 
preempted by HIPAA?
    Ms. Fox. You have to look at each individual provision in 
each statute. One State might have ``x'' number that aren't 
preempted, but lots of ones that are. So it's not simply saying 
in California it is and in Nebraska it isn't. There are lots of 
different rules and you have to go provision by provision in 
lots of different State laws that are buried in lots of 
different statutes. So it's very complicated.
    I'll tell you our plans are working through privacy and are 
very committed to it, but of all the things that they find 
difficult, it is the conflict between State and Federal rules, 
and if you're a provider and you're in DC and you practice in 
Maryland and Virginia, what are your rules? It's very 
complicated. That's why we're supporting HLC on this position.
    Senator Fitzgerald. There is one conclusion I think I can 
safely draw--that HIPAA is probably very good for my 
profession, which is the legal profession.
    Ms. Fox. Full employment.
    Senator Fitzgerald. Full employment for lawyers, health 
care lawyers.
    All of you have been terrific witnesses. I wish we had more 
time. I want to thank you for making the trip here. We will 
leave the record open for any Senators for a period of 2 weeks.
    Thank you all very much. This meeting is adjourned.
    [Whereupon, at 11:43 a.m., the committee was adjourned.]
                            A P P E N D I X

                              ----------                              


                 Questions from Senator Lincoln to HHS

    Question. I am aware that CMS has a contingency plan ready 
to put into effect that would allow Medicare and Medicaid 
fiscal intermediaries to run dual systems to accept electronic 
billing submissions in either the current format or the HIPAA-
compliant format. However, CMS hasn't made a decision to 
implement this plan yet. It seems reasonable to allow this 
considering the consequences to health care providers. When 
will you make this decision?
    Answer. CMS announced its decision to implement the 
contingency plan for Medicare on September 23, 2003. Each state 
will make its own decision regarding implementation of its 
contingency plan.
    Question. I have heard from providers in Arkansas that much 
of the privacy law is left up to interpretation. For example, 
the legal counsels advising the physicians and the legal 
counsels advising the hospitals often differ in their 
interpretation of the regulations, and thus many providers have 
questions. What services has the government provided in 
answering questions providers might have?
    Answer. The Office for Civil Rights (OCR) has conducted, 
and is continuing to conduct, an extensive public education 
effort to produce and disseminate a wide range of guidance 
about various aspects of the Privacy Rule that need 
clarification or are of concern to the public and to covered 
entities, including providers. We do this through a variety of 
ways, such as by making presentations to educate various 
groups, providing a toll-free call-in line for questions, and 
by publishing Frequently Asked Questions (FAQ) and other 
guidance and technical assistance materials on our website. The 
following provides additional detail on each of these 
activities:
    Presentations. OCR senior Privacy experts, from Washington 
DC and throughout our regions, have made well over a hundred 
presentations during 2003 alone. These include four national, 
all-day HIPAA Privacy Rule conferences, attended by some 6000 
participants, sponsored in conjunction with universities and 
key industry groups, held earlier this year. In addition, OCR 
has conducted or participated in numerous telephone audio 
conferences.
    Toll-Free Call-In Line. In conjunction with the Centers for 
Medicare and Medicaid Services (CMS), OCR offers a free call-in 
line, 1-866-627-7728 for HIPAA questions. Since April 1, 
combined phone-line operators and OCR staff have received and 
responded to some 14,000 calls related to the Privacy Rule.
    Website at http://www.hhs.gov/ocr/hipaa/. Our website plays 
a key role in our outreach activities, and has enabled us to 
post and broadly disseminate information that provides 
additional clarification in helpful areas, and to clear up 
misconceptions when they arise. In turn, providers can use 
these posted materials to educate each other. From January 
through July 2003, OCR's Privacy Rule homepage received 847,800 
visits. Some of the helpful materials on our website include: a 
comprehensive Summary of the HIPAA Privacy Rule, which is 
linked to more detailed guidance on particular aspects of the 
Privacy Rule; a Covered Entity Decision Tool, which 
interactively assists entities in determining whether they are 
covered by HIPAA; sample Business Associate Contract 
Provisions; targeted guidance materials explaining the research 
and public health provisions of the Privacy Rule; and fact 
sheets for consumers.
    In addition, a key feature of our website, accessed over 
1.2 million times since January of this year, is our database 
with over 200 searchable FAQs. The database is simple to use, 
and provides clarifications on many different aspects of the 
Privacy Rule, including many areas that are of particular 
interest and relevance to the provider community. For instance, 
there are a number of questions that address permissible 
disclosures among health care providers for treatment. Our 
website is also organized to be as helpful as possible and 
includes a link focused on materials we believe are of 
particular interest to small providers and small businesses.
    We continue to develop guidance and other materials to 
educate covered health care providers and other covered 
entities about the Privacy Rule so that the Rule's 
implementation is effective and efficient, and does not impede 
a patient's access to quality health care. This includes 
continuing to develop FAQs as we become aware of misconceptions 
or other issues about the Privacy Rule that need clarification. 
We also are in the process of developing additional targeted 
technical assistance materials, focusing on explaining the 
Privacy Rule to consumers as well as specific industry groups, 
including smaller health care providers and institutional 
health care providers.
    Question. Health care providers in Arkansas, particularly 
rural hospitals, have told me that because their older 
information technology systems require so much updating to 
comply with HIPAA they may not be ready by October 16. They say 
even with the grant money available to them, it is still tough 
financially. What is scary to them is that hospitals won't 
receive Medicare and Medicaid payments if they are not in 
compliance by the deadline, or if the fiscal intermediary is 
not in compliance by that time. What steps has CMS taken to 
identify those hospitals and other providers who continue to 
struggle with this (despite the fact that we gave them an extra 
year to comply) so that they are not faced with a huge 
financial crisis? Rural hospitals in Arkansas depend heavily on 
revenue from Medicare to keep their doors open.
    Answer. CMS has taken a number of steps to ensure the 
smooth flow of payments after October 16, 2003. Fiscal 
intermediaries are in compliance; and, CMS has deployed its 
Medicare contingency plan to maintain provider cash flow and 
minimize operational disruption while trading partners work 
with Medicare to achieve full compliance. Furthermore, we 
understand that all States are prepared to adopt contingencies 
to keep Medicaid payments flowing.
    In Arkansas' case, CMS has been working closely with the 
State for the past three years to provide technical information 
and funding at 90 percent federal financial participation 
matching rate for its Medicaid claims processing system.
    Arkansas has said that the State's system will be able to 
accept HIPAA-compliant formats as early as October 13. Their 
backup strategy for providers whose systems are not yet HIPAA-
compliant is for them to download from the website software 
developed by the State to enable all providers to submit HIPAA-
compliant claims, together with code crosswalks which walk 
providers from the old codes to the new ones. As a fallback, 
providers also can use Direct Data Entry (DDE) to submit claims 
to the State. Claims would be rejected only if a provider does 
not utilize these various contingencies. The State is very 
sensitive to the cash flow requirements of small and rural 
providers and has made every effort to ensure payments will 
continue.
    Question. I have heard from providers that new HIPAA 
requirements are being added daily, making it impossible for 
them to keep up. One provider said that they've noted 100 new 
requirements in a two-month period. Is this true?
    Answer. No. The requirements have not changed since the 
Final Rule adopting changes to the HIPAA Electronic 
Transactions and Code Set Standards was published on February 
20, 2003, which actually reduced the number of requirements. It 
is possible that as they have begun to test, providers are 
discovering that adjustments to their systems are needed in 
order to become compliant.
[GRAPHIC] [TIFF OMITTED] 