[This Transcript is Unedited]

NATIONAL CENTER FOR VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

September 10, 2002

Boston Park Plaza Hotel
64 Arlington Street
Boston, Massachusetts 02116

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22020


P R O C E E D I N G S (9:12 a.m.)

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I’m the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

On behalf of the subcommittee and staff I want to welcome you to the first of two days of hearings on implementation issues under the HIPAA Privacy Rule. I also want to welcome our listeners who are listening to us live via the Internet.

Before proceeding further it’s customary for us at our hearings and meetings to have introductions, beginning with members of the subcommittee and staff. I would invite subcommittee members to disclose any conflicts of interest they have at this time. I’ll begin by saying that I do not have any conflicts of interest. Richard?

MR. HARDING: I’m Richard Harding, M.D. I’m a clinical professor of psychiatry and pediatrics at the University of South Carolina and immediate past president of the American Psychiatric Association and member of the committee and subcommittee.

MR. COHN: I’m Simon Cohn, M.D. I’m the national director for Health Information Policy for Kaiser Permanente and practicing physician. I don’t believe I have any conflicts of interest. Obviously I’m a member of the subcommittee and of the National Committee for Vital and Health Statistics.

MS. GREENBERG: I’m Marjorie Greenberg from the National Center for Health Statistics, CDC. I’m the executive secretary to the committee.

MS. KAMINSKY: I’m Stephanie Kaminsky from the Office for Civil Rights. I am lead staff to the Subcommittee on Privacy.

MR. FINE: I’m Michael Fine, M.D. I’m senior managing partner of Hillside Avenue Family and Community Medicine in Pawtucket, Rhode Island and physician and chief in the Department of Family and Community medicine at Rhode Island Hospital.

MS. KEENER: I’m Betsy Keener. I’m the privacy officer at Harvard Vanguard Medical Associates in Boston.

MS. KHAJA: I’m Saliha Khaja. I’m an attorney for the Massachusetts Medical Society.

MR. SULLIVAN: I’m Tom Sullivan, M.D. I’m a solo cardiologist in Danvers, Massachusetts, president elect of the Massachusetts Medical Society and chair of the Privacy and Confidentiality Steering Committee at Partners Health Care in Boston.

MR. MACLEAN: My name is Andrew MacLean. I’m the general counsel at the Maine Medical Association.

MS. SQUIRE: I’m Marietta Squire. I’m with NCHS and staff to the subcommittee.

MS. CRAMER: I’m Anne Cramer, an attorney with Eggleston and Cramer in Burlington, Vermont and outside counsel to the Vermont Association of Hospitals and Health Systems.

MS. EKITA(?): My name is Leslie Ekita. I’m a consultant with Hayes Management Consulting.

MS. CALCAGNO(?): I’m Alex Calcagno. I’m on staff at the medical society.

MS. BUTKAVITZ(?): Anne Butkavitz, office manager for Dr. Marcus.

MS. SCHWARTZ: Nancy Schwartz, privacy officer, Fallon Community Health Plan.

MS. AHN: Jean Ahn, HIPAA project director, Yale New Haven Health System.

MS. KESSLER: I’m Martha Kessler. I’m a reporter with the Bureau of National Affairs.

MR. KOZIK: My name is Brian Kozik. I’m the compliance officer for the North Shore Medical Center in Salem, Massachusetts.

MS. DANCONIE(?): I’m Jane Danconie with the Office for Civil Rights.

MS. CENTURN(?): Hi. My name is Lisa Marie Centurn. I’m with the Centers for Medicare, Medicaid Services.

MR. EVENSTON: Scott Evenston, Office for Civil Rights.

MR. ROTHSTEIN: Thank you very much, and welcome to everyone.

The subcommittee has scheduled seven panels of invited witnesses over the next two days to provide us with a variety of perspectives. In addition, there are two time slots available for public testimony, 4:30 to 5:30 p.m. on Tuesday, September 10th, that’s today, and 2:45 to 3:15 tomorrow, Wednesday, September 11th. Any individual who is not an invited witness may sign up and testify for five minutes.

The public testimony slots are on a first come, first served basis, although if the past is any judge we will not have a problem accommodating the public witnesses.

Let me emphasize the limited scope of this hearing. The final amendments to the privacy rule were published last month. We all are, or should be, shifting to a compliance mode preparing for the April compliance date.

The purpose of the hearing is not to revisit the substantive elements of the rule, although the subcommittee is well aware that it’s hard to talk about implementation issues without reference to at least some of the substantive areas of the law.

We are especially interested in learning from you answers to at least the following questions:

First, what are the available resources for HIPAA compliance, including those from professional organizations and trade associations? Second, are compilations of best practices available and how are successful implementation strategies disseminated? Are there any models for public/private partnership developments? How should covered entities go about coalition building and developing consensus procedures?

What outreach, education, and technical support programs are needed from the Office of Civil Rights, including suggestions for OCR priority setting? What areas are especially in need of guidance from OCR? How should we address the integration of HIPAA and other federal and state laws? And finally, can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small providers and health plans?

These are just a few of the implementation issues that the subcommittee and eventually the full committee plan to take up.

This is the first of three sets of hearings by the subcommittee dealing with these issues. We will also be meeting in Baltimore on October 29th and 30th and Salt Lake City on November 5th and 6th. After our final hearing the subcommittee will submit its recommendations to the full committee for discussion and possible action at our meeting in Washington on November 19th and 20th. If recommendations are approved by the full NCVHS, they will be transmitted in the letter to Secretary Thompson by Dr. John Lumpkin, chair of the committee.

Because of the large number of witness – and I think you’ve all seen our agenda that we have – and the narrow focus of the hearings, I strongly urge that witnesses strictly adhere to the following rules:

One, invited witnesses will have 10 to 15 minutes to give their prepared testimony. The closer to 10, the happier I am. We will supply you with a one-minute warning. After each witness subcommittee members will have an opportunity to ask questions of a clarifying nature only. After all the witnesses of each panel have completed their testimony, the members of the subcommittee and the witnesses will use the remaining time of each session for further questions and discussions. That’s why it would be especially valuable if your initial comments were shorter, so we can have greater time for colloquy.

Witnesses may submit additional written testimony within 30 days to Marietta Rollison.

And number five, if any witnesses stray too far afield, such as going into what is the minimum necessary standard, I will enthusiastically encourage them to refocus their remarks or to conclude their testimony.

I would ask anyone in the room with a cell phone to please turn off the ringer. I want to please ask all of our witnesses, as well as subcommittee members, to speak clearly into the microphones for the benefit of those who are listening to us via the Internet.

And so with that we are ready now for our first panel, which is devoted to physician practice issues. I’d like to invite the witnesses to testify in the order that they’re listed on the program, unless there is some reason we should change the order.

Seeing no objections, I’d like to begin with Dr. Eugenia Marcus.

Agenda Item: Physician Practices - Panel 1

Eugenia Marcus, M.D., Pediatric Health Care of Newton Wellesley

MS. MARCUS: Thank you, very much. I’m sorry I scooted in here at the last minute. It’s mornings like this that remind me why I’m glad I don’t work in Boston.

I purposely titled this “What is this Hippo Thing?” because that’s what doctors think about at this point when you talk about HIPAA. They’re not quite sure what it stands for. They know it’s something that they have to do that the government is imposing on them. They’re not quite sure what it is.

It’s going to be like Y2K. They’re afraid it’s going to cost them money. They don’t realize that a lot of what they need to do is very simple. It’s education. It’s education of themselves, their staff, and their patients about things they need to do.

At this point I think the people who are responding from the physician offices are the office managers. There are a lot of meetings that are happening, which I’ll talk about later. It’s happening at that level of administration and leadership.

HIPAA has actually spawned an industry, which I’m sure everyone in this room is aware of. Everybody wants to sell you something to help you comply with HIPAA. The private sector is out there with books and newsletters and videos and CDs and websites and email news and teleconferences and all kinds of stuff about HIPAA.

Because there are so many different components to HIPAA - there’s the transaction stuff, the security stuff, the privacy stuff - in the docs’ minds it’s sort of all a jumble. Some of it, especially the stuff around the transaction sets, is technical in an area that they have no expertise in, so it seems the feeling that they get is that it’s pretty impossible.

The professional associations have really stepped up to the plate in HIPAA education with HIPAA newsletters, HIPAA tips on the website, teleconferences, printed material, some of which they sell for a modest fee, some of which is free. I’m on several listservs because of my information.

I didn’t get a chance to introduce myself actually. I’m Eugenia Marcus. I’m a pediatrician in private practice. I’m in a small group. We have three pediatricians. My office is in the medical building at the Newton Wellesley Hospital locally. I am very interested in information technology, and I chair the Information Technology Committee at the Massachusetts Medical Society.

I’ve been more than tuned into the issues around HIPAA. I’m on a variety of different listservs that deal with HIPAA. People are ranting and raving about this horrible thing, and we should George Bush to cancel this thing. He’s going to make a lot of money out of it. There’s all kinds of stuff that’s going on.

People like the AMA, the Academy of Pediatrics, the Massachusetts Medical Society, which are the organizations that I have something to do with, all have some kind of programs that are out there to try to help the docs. The hospitals, the IPAs, the insurers, Medicare and Medicaid are offering HIPAA help. This morning there’s a big HIPAA conference being sponsored by Medicaid and Medicare at this same time. My big critique of that is the notice for it came out like ten days ago. If you want doctors to respond, ten days is totally inadequate notice. They need two or three months’ lead time sometimes, depending on their schedules, to be able to rearrange patient care or other things that they’re doing in order to be able to get to an all day conference on something like this.

There’s a wide variety of interpretation of what these rules and regs are. On one of the listservs a doctor reported that the hospital had offered a HIPAA audit and advised him to encase his computer server in a locked metal box to protect the server and thus the data within. Anybody who knows anything about computers knows that if he actually did this the heat from the computer would fry the data and then it would be totally secure, because nobody could get at it and it would be totally useless. Because of a lot of misinterpretation of what HIPAA is and what is required, there’s a lot of angst in the community.

I’m going to talk now about some of the things that we’ve done in our office. You have to understand that this is ahead of the curve because most of my colleagues are not anywhere close to this point yet, but they could get there.

One of the things that we’ve done is that we’ve eliminated the sign in clipboard. We put a shredder in every doctor’s room and in the business office. Anything that has a patient’s name on it goes into the shredder. We put signs up around the office indicating this is staff. Patients are not supposed to walk into certain areas.

We have a small office. I built this office six years ago. I built it around making some compromises between privacy and efficiency of workflow and patients’ comfort in the office. You’ll see that in a minute, because I have some pictures. We are moving towards eliminating paper in the office with a scanning program and an electronic medical record. We are not paperless yet, although that is an ever elusive goal.

This is our under-the-desk shredder in each one of the doctor’s offices. I forgot to ask Anne how much they actually cost.

MS. BUTKAVITZ: They’re anywhere from $50 to $200, however fancy you want to get.

MS. MARCUS: Do you remember what these particular ones were?

MS. BUTKAVITZ: Those were probably about $60. You just kind of pull them right over the trash basket that you already have.

MS. MARCUS: As you see it fits right over the trash basket. It really works quite efficiently. You can’t put a whole big wad of paper in there, but four or five sheets at a time it just gobbles it up. The cleaning service at the end of the day empties it. You can see the recycle bin right next to that. There’s no patient identifiable information in the recycle bin, but we get plenty of other stuff to recycle.

This is the lab. You can see that the lab is open to the rest of the office. We put up a sign that said, “Patients keep out.” One of the things you might want to notice is the printer. There is a printer in the lab. What comes up on that printer is lab results from the hospital and the radiology departments, so they don’t have a courier system that runs around the buildings and delivers it anymore. They just print it out directly to each doctor’s office. This is in an area that patients don’t have access to. Also our fax machine is in an area that patients don’t have access to.

We talk to our staff about what HIPAA is and emphasizing respecting patient privacy. We discourage hallway conversations. Keep voices low in unavoidably open areas. When we put paper charts in the racks in front of the rooms we turn them the other way so that you can’t see the patient’s name on the chart if you’re walking by in the hallway.

We have a white board that lets the doctor know which room they’re going into next. We use the child’s first name, so it’s “Joey” or “Mary” or something like that, rather than a last name or first and last name with it.

We’ve reminded people to shut the door when they’re talking to a patient or examining a patient or talking to a patient on the phone. When you’re dealing with children people seem to feel that they don’t need as much privacy as an adult. I don’t take that attitude. Parents are even like that. They’ll tell you anything about their kids, but they wouldn’t tell you that same thing about themselves or their spouse.

Sometimes this is an education thing. If a parent starts to tell me something in a hallway I say, “Let’s go into this room and shut the door, and then you tell me about this.” It takes a bit of education to the patients themselves to respect their own privacy.

Because I have been somewhat more aware of some of these things I have been a HIPAA police myself in that people who interface with us have had breaches of things, like the emergency room faxes us information on any of our patients that happen to be there overnight. Sometimes we’ll get two or three patients on the same sheet. In order to file that information we need to cut and paste the paper literally with scissors and recopy it on to a full sheet in order to do this.

The telephone triage service does the same thing, and we’re trying to educate them about one patient on one sheet of paper. Children’s Hospital does the same thing, and I haven’t yet found the person there. That’s such a huge behemoth, I don’t know who the person is there to actually tell them, “Hey, you’ve got to fix this.”

We never leave medical information on an answering machine when we’re calling a patient. We publish rules on our website for email. We do a lot of email with patients. We’re migrating to a secure website for all electronic communications with the office. Now we’re still using Outlook for some of these things, but we will be using a secure website.

We’re considering additional privacy education. I mention this particular company because it’s one that I know about. A friend of mine runs it, but I would think they have a good – so that’s by way of disclaimer – but they do have a really good patient education program. I mean physician education program.

Our problem areas: We have an open front desk. We have no plans to enclose it. I thought long and hard about this, and we had a lot of debates between the various docs. I walked around in other doctors’ offices. In those that did have partitions all the way to the ceiling with sliding glass doors, the doors are always open. The staff behind it doesn’t like to be separated in that way from the people that they’re taking care of.

We have very people friendly staff. That’s the kind of people that I want to be working for me. Sometimes the kids run around the back area, and I’ll come out and I’ll find a receptionist with a kid on her lap while she’s answering the phone. That kind of a warm and friendly atmosphere is what I want to promote. I’m not about to close this thing in. We talk about this in terms of how to keep things as private as we can.

Paper charts and open shelving, I know there’s something in the rules that this stuff has to be locked up. The office is locked up at the end of the day. That is as good as we’re going to get until we transition to the EMR with the scanning program. That’s happening now. It probably won’t get done by April. We also have to work on paper charts ending up on the doctor’s desk.

Here’s our front office. You can see the open charts there. This is not a sign-in clipboard at the front. It’s forms for registration. A patient actually takes that clipboard, fills it out, and then the form is handed back to the secretary.

The needs that I see are for accurate interpretation, simple checklists of how to come into compliance, whatever forms are needed they need these forms. They need to have these forms, and it has to be affordable.

That’s it.

MR. ROTHSTEIN: Thank you, very much. Any clarifying questions from subcommittee members?

Thank you, very much Dr. Marcus. Dr. Michael Fine, please.

Michael Fine, M.D., Hillside Avenue Family and Community Medicine

MR. FINE: Would it be okay for me to speak from the table?

MR. ROTHSTEIN: Certainly.

MR. FINE: Great.

Good morning. My name is Michael Fine. Thank you for allowing me to testify. I’m a family physician and a managing partner of the largest family practice in Rhode Island, past president of the Rhode Island Academy of Family Physicians, and member and past chair of the Primary Care Advisory Committee of the Rhode Island Department of Health.

I practice in Pawtucket and Scituate, Rhode Island. The former is a busy urban practice that serves a very diverse, economically stressed population; and the latter a rural practice that serves an exurban, still farming, country town, so that my days are sometimes split between caring for recent Colombian immigrants, Brown professors, and dairy farmers. I’m going to echo, I think, many of Dr. Marcus’s remarks.

I’m speaking today both for myself and for the Rhode Island Academy of Family Physicians, whose executive board I conferred with in preparing these remarks.

Before I focus on HIPAA, I want to talk for a moment about family practice and primary care in Rhode Island, so that there’s a context in which I can set my remarks about HIPAA itself.

First, it’s important you understand that primary care in Rhode Island is still largely a retail, Mom and Pop operation. Seventy percent of Rhode Island primary care physicians practice in solo or very small groups. That is, we practice in groups of one or two, and we kind of make it up as we go along.

When I said I work in the largest family practice in Rhode Island, that’s six full-time equivalent physicians. There are a few large primary care groups of 30 to 60 physicians, but even those are struggling to justify their size in terms of the economies of scale they realize, which may or may not exist in the primary care world.

Most primary care physicians don’t have an office manager, a controller, or a compliance officer. Some don’t even have a practice attorney or accountant. Most of us think our main function is patient care, and some of us think that patient care alone will get us through the day.

In this way, primary care physicians are essentially acrobats of the particular. That is, we focus on one person at a time and try to sort out their health challenges for them one health challenge at a time in a world that requires constant juggling. We juggle patient needs, hospital needs, health plan needs, nursing home needs, visiting nurse needs, government needs, vendor of medical equipment needs, information from the Internet, drug company advertisement, and detail people.

You haven’t seen anything until you’ve seen and tried to make sense of a form called the “Home Health Certification and Plan of Care,” a form I get to complete four or five times a week.

For us the HIPAA problem is one of a long list of problems that have acronyms - OCEA, CLEA, STARK I, STARK II, the BBA of ’97, E and M coding, PHOs, PSOs, IPAs, and HMOs - that don’t really seem to have anything to do with patient care, but which we perceive as one more bean bag to juggle or one more plate to spin. One of these acronym problems seems to appear about every second year. Each of these acronym problems is accompanied by its own set of mysterious rules, threats, and profiteers.

The rules are always not quite certain yet, but the final rule is going to come out in a few months. Someone is always saying how important it is to prepare to comply with the final rule, though we’ve never seen a final rule that isn’t constantly changing. We’ve learned to assume there really are not rules, just today’s version.

The threats are always vague but very ominous. We will go to jail. We will lose our licenses. Someone will fine us more money than we make in a decade. Someone else is going to take away our market share – a very curious notion to people who often work 14 hours a day and want nothing more than to go home and get some sleep.

The profiteers are always people who appear from nowhere to help solve a problem we didn’t know we had. They make recommendations. They charge $99 for a book, $199 for a seminar, $1,000 to $10,000 for a private evaluation of our policies and procedures. They provide many disclaimers that protect them in case they’re wrong.

After all these initials and all these years our acronym problems get attention only after all the other fires are put out. Remember, we’re the folks who look at sore throats and listen to the hearts of the 25,000 people we each care for. There is no acronym that is as compelling as someone you know and care about who’s sick.

Those of us who worry about confidentiality do it in the context of running into the people who are our patients in the grocery store and do that at the level of trying to decide whether it’s okay to greet a patient before they greet us. We’ve all developed listening skills, so when a concerned or nosy neighbor who’s a patient wants to know something about someone else who may or may not be a patient, we listen attentively and then try to give away nothing, not even acknowledge that the inquired about patient is a patient of ours.

But in fact, as Dr. Marcus said, confidentiality is a two-edged sword. In order to be best at patient care we rely on breaches of confidentiality provided for us by family members or neighbors. Who’s drinking? Who isn’t coming out of the house? Who’s losing weight but won’t come to the doctor? Good primary care is a high wire act that causes us to be open to all the sources we can gather about the people we care for while not falling into the abyss of violations of trust.

That said, here is what small primary care practices in Rhode Island know about HIPAA. First, we know there is a rule out there, and one of these days they will figure out what the actual regulations are and tell us what the rule is and what we are supposed to do to comply with it.

Some of us think that everyone is supposed to file an extension, but no one really understands what it is we are extending. No one knows what compliance is, or how to comply as things stand. We all hope that during the next year someone will tell us clearly what it is we’re supposed to do.

We do get letters from our professional organizations that tell us what to do, but those letters are usually more confusing than what we read in the throwaway medical press. I’m going to read a paragraph of a letter that I received at the end of August. It’s a letter to all Rhode Island health professions from the Rhode Island Medical Society, the Rhode Island MGMA, and all the Rhode Island health plans.

“Please note the original date for compliance with the transaction and code sets is October 2002. In December 2001 the Administration Simplification Compliance Act (ASCA, Public Law 107-105) gave covered entities not compliant by October 16, 2002 the opportunity to extend their compliance deadline by one year to October 16, 2003.

This extension opportunity is applicable to all HIPAA-covered entities other than small health plans. Those with less than five million in annual receipts do not have to file an extension and have until October 16, 2003 to become compliant. In order to qualify for this extension, covered entities must submit a compliance plan before October 16, 2002.”

I actually think there’s a typo not in what I wrote but in what was in the letter, but I’m not smart enough to figure out where the typo is. Maybe smarter people than I can understand this. I can’t. We get these letters all the time, and communications like this make the eyes of primary care physicians glaze over.

We also get letters from health plans telling us what they are doing, but those letters don’t mean much to us. The letters look all the same, and they say the same thing. Many of us get invited to meetings at which it appears the same information is to be repeated. It’s mostly about what standards the health carriers are using for billing information, standards that don’t seem to apply to us directly since we have to submit claims on systems the plans control and we don’t.

It looks like the plans feel they need to invite us to meetings so they can be in compliance, but it doesn’t look like we need to come to the meetings for us to be in compliance, so we don’t go. But then it’s really not clear what small practices need to do to be in compliance, so most of us, as I said, aren’t doing anything much at the moment.

I’d like to tell you what we’re doing to support the privacy rule training mandate, but I’m afraid I don’t know what the privacy rule training mandate is. There are consultants and courses from a host of professional organizations, but it looks like even those all cost time and money at the moment they’re not going to say much beyond, “File for an extension and see what happens.”

Some of us have spent the time and money and have noted with sadness that it’s time and money that could have been spent learning about Lyme disease in kids, diabetes management, or congestive heart failure. Those of us who have not yet become cynical have become now cynical about the role of government in health care.

As I said before, my practice is the largest family practice in Rhode Island, and it’s probably a little more adept at dealing with the regulatory environment than most. We have a practice administrator, and we even have a compliance officer. That person has spent about 50 hours trying to sort out what it is we’re supposed to do, wading through websites and instruction manuals, so yesterday we applied for an extension.

In truth, we are probably reasonably compliant, though we’re not really sure what compliant means. We use all HIPAA compliant billing software, and a HIPAA compliant EMR, and maintain appropriate firewalls, so our electronic database is not accessible from the Internet.

Over a year ago we developed a confidentiality policy that all our employees and all our vendors are required to sign. But few smaller practices have the resources, time, or energy to do this work.

How can we make all of this easier? Please don’t ask us to do anything until you are sure that what you’re asking we really need to do. Please understand that our only job is patient care, and understand that the resources we commit to anything other than patient care diminish that.

Please understand that confidentiality is what we want to achieve, but sometimes that’s a two-edged sword. We have a role in the communities where we practice and that role does not always allow confidentiality to be airtight.

Please don’t ask us to do things for health plans so health plans can be in compliance. Society has given health plans inappropriate power over us by refusing to regulate the market power of those plans. If you make us devote time and attention to satisfy them, patient care will suffer again.

Instead, understand who small practices are, the role they play in the health system, and what they do every day. Let’s design some templates so practices can just follow the directions. Templates that are written in English, so we can continue doing what we’re here to do, which is patient care first.

Thank you.

MR. ROTHSTEIN: Thank you, very much. Dr. Cohn?

MR. COHN: This is just a clarification. I really want to thank you. I think you also chaired the Subcommittee for Standards and Security, which has been involved with HIPAA electronic transactions. Your testimony, which we will share with that subcommittee, is probably worth my flying in from San Francisco alone.

Having said that, I do want to make sure that you understand, and others on the Internet, that there is no extension for the privacy rules. The extension you’re referring to is for the electronic transactions.

I just want to make sure – I think you understand that. I just want to make sure, because some of your comments seem to indicate that you thought that somehow you could get an extension for a year.

MR. FINE: And I would just respond by saying I am certain that none of my colleagues have this straight.

MR. COHN: I absolutely agree. I think that’s the lesson and the message here, so thank you.

MR. ROTHSTEIN: Rich, any clarifications?

Thank you for that reality check testimony. Now, Ms. Keener.

Betsy Keener, Privacy Officer, Harvard Vanguard Medical Associates

MS. KEENER: Good morning. My name is Betsy Keener, and I am the privacy officer for Harvard Vanguard Medical Associates.

Harvard Vanguard Medical Associates is a large, multi-specialty group practice located in 15 sites throughout the greater Boston area. As the privacy officer I am in charge of developing and implementing our privacy policies, and so I function as the project manager for the privacy aspect of HIPAA.

In my comments today I will discuss our experience to date implementing the HIPAA regulations, including best practices, available resources, coalition building, our approach to training, and, of course, some of the difficulties we have faced.

In spite of my experience managing other large, complex projects, implementing the privacy rule often makes my head spin. Although implementing the Privacy Regulations has been both interesting and thought provoking, it has also been a frustrating experience as my small group of staff and I try to understand the regulations, interpret them, determine what is reasonable and scalable, all while wondering what aspect of the rules will change and what will remain.

I started by reading the federal regulations and attending a couple of seminars on the HIPAA regulations. I worked with other staff to form a project team, provided an overview of the regulations to senior management, and developed a preliminary budget.

As with most other health care providers, our budget was limited and using outside consultants was not a viable option. We did purchase a HIPAA compliance program that provided us with some helpful work plans and assessment guides to help us get started. It also gave us a level of confidence that we weren’t missing some aspect of the privacy regulations.

Understanding these privacy regulations has been a slow process. Every time I review a specific part of the privacy rule (for example, the accounting of disclosures requirement) I learn more.

For me, however, just reading the privacy rule was not enough. I had too many questions about what “reasonable” meant and wondered how other institutions were interpreting the rule. It became critical for me to talk with others who were also working on privacy implementation.

I joined the New England HIPAA workgroup over a year ago. This is a regional group of payors, providers, and vendors who meet monthly to discuss different aspects of HIPAA and collaborate on compliance. In addition to speakers and a general session, each meeting usually includes subgroup meetings. I attend the privacy and security subgroup and have learned a lot about how other organizations are approaching both the privacy and anticipated security regs.

I also joined the Mass Health Data Consortium and have found its Privacy Officer’s Forum to be particularly helpful. The bi-monthly meetings often involve content experts who share information about, or approaches to, certain aspects of the privacy rule.

Several months ago while chatting with representatives from Partners HealthCare and Boston Medical Center, it occurred to us that we really needed to have a meeting with privacy staff who worked only for provider organizations. This way we wouldn’t be distracted by solutions developed by the payors, and we could more comfortably share with each other the policies we developed without fear that our work would be packaged and sold by a consultant. The New England HIPAA Provider meeting met for the first time in May, and we have met monthly since then.

Through the Privacy Officers’ Forum we are affiliated with the Mass Health Data Consortium, who generously donates space for our meetings. Any provider from the New England area is welcome to join our meetings. These provider meetings have been important in helping me shape Harvard Vanguard’s response to the privacy rules.

Prior to the first meeting we drew up a list of topics to discuss. Our aim in the meetings has been to address how we are each planning to operationalize certain topics in hopes of arriving at “community standards.” Of course, before we start discussing how we plan to implement each aspect of the privacy rule, we have robust discussions on what the section of the rule means.

The majority of time our thinking is similar. However, there have been times when we have disagreed on what the regulations mean. For example, at the last meeting we did not reach consensus on the Accounting of Disclosure requirement. Specifically, we disagreed on whether we needed to account for public health disclosures that are required under state law (infectious disease reporting, births, deaths, gunshot wounds, etc.).

Some in the group argued that since these are required by state law and required under our licensure, the disclosures would be considered “health care operations” and consequently would fall outside the Accounting requirement. Others felt that the comment section specified that public health disclosures were required.

When we reach an impasse we continue topics until the next month in order to consult with our own legal counsel as to how to interpret the regulations.

We have also had conversations about topics that on the surface appear nearly laughable, but I think serve to point out our commitment to privacy, our confusion about the intent of the regulations, our concern about enforcement and sanctions, and of course, public scrutiny.

For example, we discussed whether baby pictures sent in by parents to their obstetrician or pediatrician can be displayed in those departments. Are those photos protected health information? On the one hand, this is information that is not created or maintained by our health care organizations. On the other hand, these photos are facially recognizable and are thus PHI.

What should we do? Post them and note this in our Notice of Privacy Practice, or should we develop an entire policy about this? Are we driving ourselves crazy? That answer would be “yes.”

Generally, we do try to stop and remind ourselves that the goal is to protect patient privacy in the context of delivering quality health care and that we need to find reasonable ways to accomplish this.

Here’s a list of the initial topics the New England HIPAA Provider group was interested in addressing from an operations point of view, in the hopes of arriving at either a community standard or a shared understanding of the regulations: registration areas and patient confidentiality; patient communication; patient requests to restrict data – no one, by the way, is planning to agree to this type of request; training; designated record sets; minimum necessary requirement; transportation of medical records; Notice of Privacy Practices; business associates; fundraising; disposal of PHI (both paper and non-paper waste); authentication of patients.

Not only have we shared ideas and approaches to the privacy rule, we have also shared some of our draft or completed policies with one another, but not for public distribution. We would certainly embrace any best practices, but generally any new policies and procedures have not been tested long enough to call anything a best practice, but rather a really good idea.

The philosophy of the group seems to be that we are all in this together, and if we can help each other out we will. I find that when I leave these meetings I have the feeling that implementing the privacy rule is actually do-able. This is often a different experience from how I feel about HIPAA on other days.

The other sources of information that I’ve used regularly are the list serves on HIPAA. It’s important to sift through the varying advice, but I’ve learned a lot about the nuances of the privacy rule that would have taken me longer to discover on my own. On the other hand, this research can be time consuming and the level of detail discussed can be quite overwhelming.

In addition, there are websites - WEDI/SNIP, Health Privacy Project, the Association of American Medical Colleges, to name a couple – that have useful information and provide helpful links to other websites. Also, some law firms have put together HIPAA information that is either displayed on their websites, or have policies and procedures available for a fee.

Harvard Vanguard opted to purchase a set of policies and procedures from a law firm we work with to provide us with a basis to compare with our existing privacy policies. This seemed more economical than to interpret the regulations completely on our own.

However, there continue to be information gaps. For example, I would love to see a good summary of HIPAA in a brochure format for both staff and patients. I haven’t seen one anywhere. Also, more frequent guidance from HHS is critical. This can either be a formal guidance document or more frequent updates to FAQs. There are so many nuances to this regulation that need to be clarified, and it would save us all a lot of time that is currently being spent either reading arguments on the list serves or contributing to those discussions.

In spite of our questions we are continuing to move forward. We are planning to begin a HIPAA awareness campaign in September – actually next week – at Harvard Vanguard. From the beginning our philosophy on the privacy rule has been that we want to protect patient privacy because it is the right thing to do, not just because of the new federal law. We want our patients to trust that we are handling their personal information confidentially. We have incorporated this philosophy into the awareness campaign, and will continue it into the formal training program as well.

We have developed a poster campaign with a theme of the week (for example, computer security, telephone privacy, access to medical records, etc.). The privacy tips associated with the theme will be displayed on posters, distributed by email, and found on the Harvard Vanguard Intranet. We will also have an information booth at each site for a limited period of time, and a privacy hotline number to field staff questions, a staff quiz (complete with prizes) and a campaign to acknowledge staff that go the extra mile to protect patient privacy. The goal is to get staff thinking more actively about privacy.

We have not yet finalized our formal HIPAA training for the nearly 4000 staff at Harvard Vanguard. We are still considering three options: doing the training ourselves in either large groups or in department staff meetings; a “train the trainer” model; and using an on-line training program.

We are leaning towards doing the training ourselves primarily so that we fully address the notion that compliance with the privacy rules will involve some culture change on the part of the staff. We can also respond immediately to any questions that may come up, and we can tailor the presentation to the audience here at Harvard Vanguard. We are concerned that using the “train the trainer” model may dilute the message.

Our strategy is to develop a core training program that can be easily tailored to the various departments. Certainly some issues are the same for everyone: how to authenticate the callers, the minimum necessary requirement, computer-related security, etc. However, we recognize, for instance, that the privacy issues that the clinical medical assistants are grappling with may be quite different than those in medical billing.

We evaluated several on-line training programs that offer role-based training and have found a few programs that are informative and reasonably interesting to watch and listen to. However, we are concerned that while most of the on-line programs do a good job of describing the HIPAA regulations, they generally do not provide the flexibility to also train staff on Harvard Vanguard’s specific policies and procedures.

Some of the on-line programs do allow for customization, and we may offer the solution for staff who are unable to attend a regular training program. We have not yet determined how we will be able to track attendance at these training programs, although we are hoping to craft an electronic link to our human resources information system.

We are fortunate at Harvard Vanguard that we have had an electronic medical record for over 30 years. As a result, I believe our staff has always had a heightened awareness of privacy issues. Our medical record system already has role-based access based on the job title of the employee. Medical assistants have a different level of access to patient information than registered nurses, who have a different access than physicians.

While we will need to review these levels of access under the privacy rule, we do not have to start from the beginning, which will save us a significant amount of time. We will still need to develop standards for the minimum necessary requirement for management staff, however.

Harvard Vanguard’s patient confidentiality policies and policies on breaches of confidentiality were at one time considered to be best practice and can be found on several industry websites. We have existing written policies that allow patients to access their medical record, or to request an amendment to their record.

However, these and other policies must all be modified to be HIPAA compliant. In addition, our medical record system records staff access to the patient records on a fairly granular level, which allows us to perform audits when a breach of confidentiality is suspected.

Implementing a privacy rule is a large effort. Yes, there are many policies and procedures to either develop or modify to reflect the new regulations. We will need to train nearly 4000 staff, which we hope will result in a culture change that furthers our existing climate of protecting patient privacy.

However, it is not the actual work that is daunting. It is trying to understand these complex regulations. It’s scary and frustrating when two intelligent, informed individuals can arrive at different conclusions from the same document. This happens over and over again. There’s so much information that trying to summarize even one aspect of the regulations requires a significant effort.

Each thoughtful question from a staff person can involve large amounts of time to research. With only eight months left before we are expected to be in full compliance with the regulations, I don’t have that kind of time to spend researching.

Fortunately, enough organizations or private individuals have been willing to share their knowledge of privacy with the rest of us. I have greatly appreciated their willingness to fill the knowledge gap. I believe the federal government needs to do more to clarify what is “reasonable” before it is decided in the media or through the court system.

I hope the National Committee on Vital and Health Statistics can encourage the Department of Health and Human Services to publish regular guidance and FAQs on the privacy regulations so that we can spend more time implementing the rule, and less time trying to decipher it.

Thank you.

MR. ROTHSTEIN: Thank you very much for that. I want to welcome Dr. John Danaher, committee member and subcommittee member as well. I’ll open the floor briefly for clarifying questions from subcommittee members. John.

MR. DANAHER: Betsy, good morning, and thank you for your testimony.

Is Harvard Vanguard both a group and staff model HMO?

MS. KEENER: We’re not an HMO at all. We’re a large multi-specialty group practice. We were an HMO when we were affiliated with Harvard Pilgrim, which we are no longer part of. We haven’t been for several years.

MR. DANAHER: So all the clinicians associated with you are on salary?

MS. KEENER: Yes.

MR. DANAHER: Okay. So there’s no clinicians that you contract with who are in private practice and group practices themselves?

MS. KEENER: We do have some specialists that see our patients on a contract basis, but the vast majority of our physicians are employees of Harvard Vanguard.

MR. DANAHER: How are you approaching – I understand how you’re thinking about, very thoughtfully, the 4,000 employees. How about those groups that are not directly under your employ? How are you thinking about training? Are you thinking about doing it, or are you asking them to show you proof that they’ve undergone training?

MS. KEENER: We haven’t gotten that far. We will either ask them to show us proof that they’ve been trained at their parent organization, or we will ask them to do an on-line training program that we offer them.

Because they have to be trained in our policies and procedures we can’t just rely on training in another organization, is my understanding. They can understand HIPAA if they work at some organization, but they have to understand what Harvard Vanguard’s policies and procedures are. We’ll need to do some type of training with them.

MR. DANAHER: I think for me that’s at least kind of an interesting point is that you might have an organization, a group, that’s got to both learn their own policies and procedures of Goddard Medical Associates or something and then also because they’re contracted to Harvard Vanguard also Harvard Vanguard’s.

MS. KEENER: Right, we may have different ways of doing things.

MR. HARDING: I’d like to thank you, too. I’m Richard Harding.

I’m glad that you raised this topic that the others also have raised about the motivation with us and the idea of that it’s the right thing to do to protect privacy, as opposed to “you must do this.” I think that’s been one of the things that has been troubling to all of us, of wanting to do it for the right reasons but have it come out sounding like it’s a must, instead of right.

I’m also just thinking here out loud about the issue that you raised about reasonableness or scalability. The subjective words that are in there I think were put in for good reason, because it’s pretty hard to know exactly what’s reasonable. I can see how it’s caused a great deal of going like that when you see that and trying to figure out how to define that without having the courts define it.

MS. KEENER: Exactly, or the media.

MR. HARDING: – or the media. I think those kinds of things would be helpful. If you have ideas I would certainly be interested in hearing them and appreciate what all three of you so far have said about some of those areas.

MS. KEENER: That was the main motivation in forming this provider group. Our feeling was if we were all doing it relatively the same way then it would work and patients would have a similar set of expectations when they went to Partners or Goddard or a CareGroup or any of the – even the small physician offices. If you could arrive at some kind of community standard then it felt more comfortable for all of us.

We could discuss what “reasonable” means. Does it mean partitions? Does it mean glass? Does it mean a sign that says, “Please wait here”? Does it mean acoustic tiles? I could go on for hours.

MR. ROTHSTEIN: Anything else? Thank you. Now our next two speakers, Ms. Khaja and Dr. Sullivan.

Saliha Khaja, J.D., Counsel, Massachusetts Medical Society and Thomas E. Sullivan, M.D., Women’s Health Center Cardiology

MS. KHAJA: Thank you.

Good morning. My name is Saliha Khaja. I serve as associate counsel to the Massachusetts Medical Society and generally provide in-house advice and representation to the society on a number of corporate matters and health care related type programs and projects. Specifically, my legal practice area includes regulatory compliance relating to HIPAA, Fraud and Abuse, and Board of Registration in Medicine requirements.

I’m certainly pleased to be here today on behalf of the medical society and to share with you our efforts and our experiences to date in educating Massachusetts physicians about HIPAA and regulatory compliance requirements. The medical society applauds the committee in holding these hearings and is grateful for this opportunity to testify before you.

It’s interesting that you bring up the issue of privacy being a good thing. We have long supported privacy, both at the state and federal level. We continue to remind our members that this is something that they wanted. This is something that was brought to our leadership over membership concerns over the erosion of the patient/physician relationship. We asked for it; we got it. Now we have to do something with it, right?

Our Government Relations Department has worked very hard in bringing some relief to the small physician practice and the mid-size practice. That tends to be our target group because they have a little bit less support out there, so we try to help them in compliance efforts.

As for our message to our members, we strive to impress upon them that regardless of HIPAA, electronic transference of health information is a reality. In light of this, we need protections and standards to guide the privacy of this information.

We understand that compliance with the HIPAA regulations certainly comes at a cost to physicians both financially, emotionally, and also in terms of practice change. There are changes that need to be made to their day-to-day practices and their office policies. We’re constantly trying to help them with tackling each of these various areas.

In order for the medical society to accomplish its goals of providing the best and most accurate information and certainly something that will be useful and pragmatic to our members, we formulated an interdepartmental HIPAA workgroup. That consists of staff from the various departments, myself from the Office of the General Counsel, our Department of Health Policy/Health Systems, our Government Relations Department – Alex is here today – and our Membership Services Department. We’re trying to formulate ideas from each of these various groups to put out products and to vet products that will be helpful and useful.

As far as what we’ve done, you’ve heard from some of the panel members already. We’ve offered a number of district-level, continuing medical education programs that address HIPAA. In presenting to some of these groups I can tell you we found a varying level of understanding by the attendees. Interestingly, or maybe not interestingly, the attendees who were staff members, people who are office managers, support staff, they tended to have more exposure to HIPAA and a better level of understanding than perhaps the physician attendees.

As you can imagine that also created a great deal of frustration among the group. I can tell you there was a great deal of frustration expressed by physicians at one meeting that targeted the outright complexity of the regulations and the associated difficulty in trying to understand what needs to be done by smaller to mid-size group practices. We have very intelligent audience members, so it certainly is no reflection on their ability to understand difficult concepts, but it’s just the vastness and the bulk of these regulations, I think, that is very intimidating and difficult for them to tackle.

Of course, there was also a great deal of frustration and irritation over the birth of a HIPAA consulting industry. They have millions of consultants sending them pamphlets in the mail, emailing them, targeting them, and trying to sell them what may be good information and what may not be good information and also what is very costly. All of this plays into the mindset of trying to comply with HIPAA.

This fall we’re sponsoring two comprehensive educational programs entitled, “Positioning Yourself for HIPAA.” They have objectives including understanding the legal and administrative impact of the regulations, trying to help them in developing appropriate operational and procedural activities to comply with the HIPAA mandates.

We’re trying to scale it down and streamline and essentially demystify what is HIPAA. I think you get a sense that there’s a concern over what exactly it is and what exactly needs to be done. That’s our goal.

We held a very successful series of grand rounds education sessions. These were held throughout the state at 25 locations and truly proved to be successful. We partnered with a number of law firms in the state who were familiar not only with the legal requirements specific to Massachusetts, but also certainly the more local practices of medicine that may be unique to Massachusetts. This gave our members and anybody who attended the opportunity to have a one-on-one dialogue with an attorney and to present different scenarios and get answers to questions that were burning inside.

One of the teaching methods that seemed to be working well was introducing a hypothetical scenario, so having the patient come to the office. What happens when the patient walks in the door? What happens when the nurse takes the patient to the examining room? Tracing the whole treatment process up through hospitalization, and then also focusing on issues that are associated with the death of the patient and the protection of the information at that point.

We also are looking at offering HIPAA tool kits, both at a charge and also offering information that’s at no charge. We currently have some information that we’ve compiled that - Betsy had mentioned different work groups. The WEDI/SNIP group has been very good at putting out what we believe to be good information. We’ve made a compilation of good information that we’re offering.

We’ve also written our own HIPAA guidance booklet that we’ve tried to gather good pointers on drafting your own legal documents and drafting your own forms, but also certainly with the caveat that you have this looked at by a lawyer, which doesn’t make the reader happy. It’s something that needs to be done, because a lot of the forms have to be tailored to the individual practices.

That’s a message that we’ve been trying to hammer home, that it is scalable; it is reasonable. Enforcement, hopefully, will take into consideration your individual practice, needs, the size of your practice, the nature of your practice, and things of that nature. So we have those HIPAA tool kits coming out.

We also use our own media to get the word out. We have a newsletter called “Vital Signs” that’s distributed to our membership of approximately 18,000 physicians in the Commonwealth. We featured a number of articles including important deadlines to be aware of with HIPAA, proposed changes to the regulations, the extension that we’ve talked about.

We have an upcoming issue of Vital Signs, I believe it’s this October, that will also focus on projected costs, how to have discussions with your vendors and those types of issues. We have an electronic version of Vital Signs that comes out every week that contains a HIPAA tip, trying to alert the reader to what might be a current development they need to be aware of.

We have a HIPAA hotline. Our Department of Health Policy/Health Systems supports this HIPAA hotline to answer general questions. That hotline has been very hot. I can tell you it’s been ringing off the hook. I am the person who answers the more legal related questions. They come to the Office of the General Counsel.

In August of this year our president, Dr. Charles Welch, wrote a letter to our Massachusetts physicians, which may have sounded much like what Dr. Fine had said. Again, it’s targeting sort of a deadline and trying to remind people that it’s still out there. It’s just keeping the awareness up.

Earlier this spring I was invited to speak at the Hampden District Medical Society’s annual meeting on the topic of HIPAA. At that point in time, as you can imagine, the biggest hurdle was trying to teach physicians both about the final privacy rules as well as what might then be final because the NPRM was still pending.

That made people outraged. They said, “Just tell us what we need to know.” It was a little difficult to do that. We’re happy that the final rules are out and that they do much like what the NPRM was. What they heard as what might be coming is truly here, and we have to live with it.

A lot of these meetings that we’ve had with members have generated discussion over certain issues. That’s what I wanted to bring to the committee’s attention. People are looking for forms from the government. People are receiving forms, finding forms on the Internet, getting forms from us, getting forms from their friends, making their own forms; but everybody wants to see something come from the government. They’re more comfortable with it. They feel more secure that it’s correct. They also want to use it as a starting point and feel like at least they have a baseline to work off of.

Everybody wants to know what to do about their business associates. Is my cleaning staff in the evening considered business associates? Should they be treated differently than a utility person? There’s a difficulty in them understanding who qualifies as a business associate and who doesn’t. That would be helpful to have some guidance on defining business associates.

I also just wanted to briefly mention we have a number of our staff members who participate in a variety of statewide work groups focusing on HIPAA issues. As we’ve already heard, the New England HIPAA workgroup is excellent. The Mass Health Data Consortium is excellent. There is the HIPAA Education Coordinating Committee, which is facilitated by the Mass Health Data Consortium. I sit on the Boston Bar Association’s HIPAA Preemption Task Force, which is an excellent group of local individuals that are trying to pore over all of the hundreds and thousands of privacy rules that we already have in Massachusetts and see how they stack up to the new federal privacy rules.

I just got an email yesterday from the chair of that committee telling all of the members that three different subcommittees addressed the same preemption issue and came up with three different answers. That’s something we have to address tomorrow at our next meeting. The point is, everybody sees it differently. Everybody thinks it will be enforced or interpreted differently; and so guidance, as best we can get, would be helpful.

The Massachusetts Medical Society, as I mentioned, has been very actively involved in introducing and raising HIPAA awareness in Massachusetts. The areas that we can spend more energy with simplifying and demystifying the compliance process for the smaller to mid-size groups include:

Once again, thank you for taking the time to listen to our experiences and concerns. The medical society is very grateful to have had this opportunity to share them with your committee.

MR. ROTHSTEIN: Thank you. Dr. Sullivan?

MR. SULLIVAN: Thank you.

Good morning. My name is Tom Sullivan. I’m the president-elect of the Massachusetts Medical Society. It’s a responsibility I take seriously. At 221 years old we’re the oldest state medical society in the United States. We represent approximately 18,000 physicians, as you heard. I also hesitate to say we represent any physicians, just that we have 18,000 members. Trying to represent physicians is a real job.

I’m a practicing cardiologist in the North Shore of Boston. I have an appointment at the North Shore Medical Center, which is one of the affiliated community hospitals in the Partners HealthCare System. I maintain a solo practice in Danvers, Massachusetts.

By the way, I do have some experience similar to what you heard. For the first nine years I was in solo practice, then for approximately 12 years I became an associate medical director. I was one of 7,000 employees of a not-for-profit staff model HMO. Then in 1995 I returned to solo practice. I feel I have that perspective of a small operation as well as a pretty large one.

I’m pleased to be able to testify here today before the National Committee on Vital and Health Statistics’ Subcommittee on Privacy and Confidentiality. Thank you for providing me with the opportunity.

On my behalf, and also on behalf of the medical society, I’d like to also thank you for holding these hearings on privacy rule implementation efforts. I believe there are a number of areas that can be addressed to assist solo practitioners, such as myself and small group physicians, in coming into compliance with HIPAA privacy regulations.

I consider myself to have probably more than the average exposure to the HIPAA regulations because of my long-term interest in this topic. Over the course of the years I’ve been involved with a number of professional associations and activities and devoted a lot of time to this. Currently I serve as the chair of the Confidentiality and Security Steering Committee at Partners, arguably one of the largest health care systems in the country.

We were real pioneers. I see Brian Kozik sitting here, too, who I met through Partners, and you’ll hear from him later. In 1998 we developed a very comprehensive privacy and confidentiality program after several years of discussing with many physicians on the staff at Partners, especially psychiatrists who dominated our committee. We made that available publicly on the Internet in 1998. I think Harvard Vanguard and Kaiser and the Mayo also put their policies and procedures on. It was hosted by CPRI Host.

In addition, I chair the American Medical Association’s e-Medicine Advisory Committee. We get involved with a lot of these issues at the AMA. Also in 1995, a year before HIPAA, at my behest our state medical society created a very comprehensive policy on privacy and confidentiality. It was passed by our House of Delegates in 1996. We also brought it to the American Medical Association, and they used it as the basis of their privacy and confidentiality policy. So in coming to Massachusetts, you’re sort of in one of the hotbeds of concern in New England.

Some of you may know, you heard that Mass Health Data Consortium was mentioned. I was a part of that, too. We, and the National Library of Medicine, funded the book, the study that was – the book, if you don’t know it, For the Record, which was published by the National Academy of Sciences. That was partly our funding that created that.

I certainly agree that we’ve been in the forefront of saying that protecting privacy is the right thing to do. As Bill Braithewaite(?) used to like to say, “The industry and the citizens came to us and said, ‘Make us do what we know we have to do.’” Saliha said we’re getting what we asked for. We’re very much in favor of it, but we’re worried about the complexity and the cost of implementation.

I can also tell you that I’ve chaired my own hospital’s privacy committee. There’s nothing like terminating an employee for privacy violations that gets the word around that we’re serious about this. I’ve been involved with a few of the efforts steering the right way how to do that. It’s not pleasant, but that is one of the most powerful implementation tools we have.

I said I can probably do a pretty decent job of telling physicians what the privacy rules are and how they came to be and how they’ve evolved over time; at the same time I’m having some difficulty preparing my own private office for the April 2003 compliance deadline. I principally wanted to speak today just about my own personal compliance efforts and what I’m grappling with as a solo practitioner.

Generally, the complexity of the regulations and the lack of adequate time due to the uncertainty and the changes that have occurred in implementing the final privacy rules has caused me a great deal of concern. I’m not concerned just for myself, but also for similarly situated colleagues who will be working on implementation with a small budget.

Despite all my HIPAA knowledge I’ve got a lot to learn, and yet I think I know more than 98 percent of the physicians in this country. I have a lot to learn. I have yet to prepare any forms in my own office, because I’ve helped write them for these huge institutions. I have not drafted a final privacy notice yet, and I have not specifically trained my single employee, who’s a certified medical assistant and who’s also my office manager.

I have designated myself as the Chief Privacy Officer and the Chief Security Officer. I have obtained a secure password for my office manager to log on to the network hospital system and to access patient medical records on a need-to-know basis. That was brought up by one of the questions a little earlier.

I direct my health system and my hospital’s security and privacy program, but I’m not an employee. When I said my employee needs to access the medical record to prepare lab tests and so forth they said, “Well, she’s not an employee.” Here I am the director, the head of the program. What kind of hold do we have on your employee?

I can tell you that, again, the people who in my recent experience have taken this privacy rule most seriously have been the practicing physicians who are not the employees of big organizations, who have either terminated or severely disciplined some employees who don’t live up to what they consider their own personal standards of privacy.

I’ve obtained personally a secured messaging website with the assistance of the American Medical Association and the Massachusetts Medical Society. We promoted the organization called “MEDEM,(?)” which some of you may have heard about. It’s a joint venture of a number of specialty societies. One of the biggest features of that is secure messaging.

I’ve also made it my practice to verbally inform my patients of the new privacy rule on a face-to-face, one-to-one basis, even though I’ve not consistently documented that in my chart. I’m still looking for an authoritative sample privacy notice from HHS or OCR, similar to what has been done with the business associates, that’s geared toward small practices.

I want to focus again on some specific things that I think HHS can do. One I just mentioned, the sample form for small practices. Two is the final Security Rule. Three is clarification of some activities, and you’ve heard a litany of them recently. To me the issue of phone, fax, and email is a little bit confusing. And then fourth, the clarification of the “Opt-Out” comments for less than 10 FTEs.

I’m departing a little bit from my prepared remarks, because I didn’t want to make this boring. I mentioned here that a package of model forms is what I think small group practices would really be very much helped by, if you could facilitate that.

I don’t think that we should be asked to pay hundreds of dollars for so-called HIPAA tool kits that are being circulated in the marketplace. I hope it’s clear to most, if not all of you, that similar to rising malpractice premiums and other health care costs, we’re unable to pass these costs on to our patients or even to negotiate with health plans to include them as a legitimate, necessary, and mandated cost of our operations. We need assistance so that we don’t have to shoulder this burden financially. At least if we had model forms or a sample form to begin the process, we could personalize them to suit our individual needs.

Again, you’ve heard there seems to be a consistent message from the Office of Civil Rights that rules are meant to be “scalable.” I sort of echo – it’s nice going fifth or sixth in line. You can say I agree with most of my colleagues here. We really need to understand scalability a little bit better.

Let me move on to the security rule. I think it goes without saying that it’s difficult to get a good handle on how the HIPAA privacy rules will impact my day-to-day operations without having the benefit of a final security regulation. There’s a great deal of talk that the final security rule will be similar to the proposed rule; but it’s almost four years since we’ve had the proposed rule, and we have no final, authoritative information.

It would be tremendously helpful to see what the entire package looks like, because I believe that security is very much intertwined with privacy. We need to see that final security rule as soon as possible to feel comfortable and see what’s practical for a small group practice. And yet the compliance is only eight months away.

I’ll address the third item, the phone, fax, and email activities. It seems to me there’s a lot of conflicting information - This is one where I may have missed some very clear statement - regarding phone, fax, and emails of protected health information. They’re involved with the standard transactions -- and I do understand the difference between the codes and transactions in the privacy rule -- but for many small offices billing transactions might utilize the fax machine as well as paper and the post office.

I’ve heard from some sources that fax transmissions are not really included under HIPAA, unless there’s a billing clearing house. Thus, one should not worry about them. Others have said, “Well, it’s unclear whether faxing is covered, so you should go ahead anyway and consider faxing as covered and just be compliant.”

What about all the physicians who still do all their billing on paper but need to fax PHI to hospitals or other physicians when one of their patients is being seen? This area needs to be clarified. Again, maybe it’s clear and I missed it in all these regulations, but that’s a question I have.

And then finally, the opt-out issue for less than 10 FTEs. I’m not sure where this came from. I’ve recently been reading the same listservs that others have referred to, and I’ve seen these “how to escape from HIPAA” postings. We’ve been wondering whether we’ll be exempt from HIPAA if we have less than 10 FTEs on our own staff. If that’s true, 10 FTEs, most physicians in the country don’t have 10 FTEs. There’s probably only 20 or 30 or 40 percent of physicians in the United States that have more than 10 FTEs.

MS. MARCUS: Is that a per doc number?

MR. SULLIVAN: Right, per doc. Right.

I think of all these things and these regulations, and I’m referring to my peripheral brain nowadays more and more. I have my little Palm Pilot with Hippocrates, and I’m wondering whether or not I need the HIPAA rules on these, whip them out in my office and say, “Let’s see. I’m exempt here,” whatever. It really is complex. We really could use some clarification from HHS.

In summary, let me make it very clear, as I said, I’m very much in favor of the new emphasis on privacy and confidentiality. It’s a good thing for all of us that it has the force of law behind it.

I’m a strong advocate of promoting the electronic exchange of billing information, and also, in the near future, of clinical information. I believe it will help us reduce costs in the long run, and improve the care of our patients.

Nevertheless, the short-term implementation costs and the complexity of the privacy rule and, in my opinion, the inexcusable delay in the release of the final security rule, need to be addressed expeditiously.

Thank you once again for the opportunity to present my opinion with the perspective of a solo practitioner who’s also been around.

MR. ROTHSTEIN: Thank you, Dr. Sullivan. Any clarifying questions?

MR. COHN: I think we need to sort of deal with opt-out. My understanding is the opt-out really has to do with the Administrative Simplification Claims Act, having to do with issues related to billing Medicare and the issue that Medicare is not going to accept paper forms as part of the ASCA Compliance Act, except that there was an exception made for people of less than 10 FTEs.

Stephanie, can you clarify that? I don’t think this has anything to do with the Privacy Rule.

MR. SULLIVAN: You may be right. I may have – I’m just telling you what I’ve seen on a listserv.

MR. COHN: I just want to make sure we get this clarified in the moment here, rather than waiting.

MS. KAMINSKY: That’s correct. That’s where the genesis came from, but my understanding is that in general when ASCA was passed it gave physicians the one-year delay for the Standards and Security, but it threw in that if you are billing Medicare you have to become electronic. You have to do your billing electronically.

On the one hand, it gave a little leeway; but it also forced more docs to become covered entities who otherwise wouldn’t, with the exception of the 10 physician office. There’s another exemption also, I believe.

Therefore, it is linked to privacy, because once you become a covered entity you must comply with the privacy rule.

Folks who bill Medicare will have to do it electronically, that will then make them a covered entity, and they will then have to comply with privacy. There is this 10-office employee exception for the billing of Medicare.

MR. SULLIVAN: Just remember that 10, that comprises a huge number of docs. Most docs who practice in this country don’t have 10 FTEs.

MS. KAMINSKY: Well, not all health care providers are covered entities. This has always been a piece of the way this HIPAA regulation has been moving through. There was always a little bit of leeway put out there for folks who are going to continue to do things on paper instead of electronically.

There was a sense, if I understand correctly, that Congress didn’t want to force all providers to become electronic and play by the games of HIPAA. On the other hand, there was a notion that the industry was moving in that direction and there have been other things, such as this ASCA legislation, that have tried to advance that direction.

MR. SULLIVAN: Thank you.

MR. COHN: Stephanie, thank you for the clarification. I guess my understanding – I’ll have to go back and read the hundreds of pages of federal rules. I had thought that the definition of abuses around security and privacy were not related to electronic transactions. I guess that’s my misunderstanding.

MR. ROTHSTEIN: Thank you. Now, Mr. MacLean.

Andrew MacLean, J.D., Maine Medical Society

MR. MACLEAN: Good morning. Again, Andy MacLean with the Maine Medical Association.

You’ll probably hear many of the same themes from me this morning. I do think that there are a few twists that we can offer from the Maine perspective.

Here are a few facts about the Maine Medical Association. I would also comment that we have some demographic factors that impact our health care system in Maine that are substantially different from the other witnesses you’ve heard from this morning.

Obviously, we’re the largest state in New England. We’re the most rural. We have a population that in general is older, sicker, or unhealthier than most of the population. That does have a significant impact on our health care practitioners in Maine.

In Maine’s Washington County, the far eastern county in Maine, it wouldn’t be unusual for a pediatric sole practitioner in that county to have 75 percent of the families on Medicaid in their patient payor mix.

I think one of the over-arching themes I try to sound when I’m speaking to physicians – and this is certainly different and perhaps one of our frustrations with the whole HIPAA privacy process – is physicians have always had a privacy obligation, unlike perhaps the other covered entities.

Here are several of the bases, I think, for the physician’s obligation. We’ve had an ethical obligation for many years. There are common law bases for the obligation. Most particularly in Maine we have a comprehensive privacy statute ourselves. I think we were one of the first states that attempted to pass such a law. I think it provides a worthwhile learning experience for other states and all of us as we look to HIPAA implementation.

It is a law that was submitted by the Maine Medical Association in 1996 when issues were being debated in Congress. It was based on a draft bill that was either developed by the Massachusetts Medical Society or a privacy working group that I know has been on-going in Massachusetts for some time.

Also interestingly, there were two specific issues out there in the marketplace that I think were of great concern to legislators in Maine that prompted this legislation: One was the marketing tactics of pharmaceutical companies, and the second was that one of the large health plans in Maine was requiring an extremely invasive six-page form of information to be filled out basically before any outpatient mental health services could be provided.

I’m going to repeat one of Saliha’s phrases. We have certainly tried to demystify the privacy laws when we’ve been speaking to physicians in Maine. We have worked very hard to provide low cost or free educational seminars and practical tools for our members. Our CDO and I have been out speaking over the last two years about the Maine privacy law and about HIPAA to basically anyone who would listen to us: practices, hospital medical staffs, county medical societies, and so forth. We’ve been working on tools, some of which you’ll see attached in my packet.

It’s my feeling, and part of my message, that good faith efforts at complying with the HIPAA privacy regulation are the same as best practices under current privacy law.

This is a slide that I took from a presentation, about an hour-long presentation that I’ve given on our state privacy law and HIPAA. It’s one of those things where doctors will say, “Gee, the rule’s in flux. We can’t do anything. We’re paralyzed until it’s finalized.” I think that’s nonsense.

This is the kind of thing I say, “Look, if you take nothing else from this talk this morning, here are four things that I think you can and should do when you go back to your office right now that will not break the bank and will not absorb an inordinate amount of personnel resources in your practice.”

Obviously, appoint a privacy officer. Don’t make more out of that than I think is intended. It simply means that someone on your staff should know something about the privacy obligations that the physician has and collect the materials that come in across the desk and coordinate the training for other members of the practice.

Develop and use a consent form. You’ll see in the packet I have drafted a one-page consent form that in my view is useful as a general – I think it is what would have been intended as truly a consent form under the original privacy rules. Something that would be used as part of new patient in-processing, something that could be combined with the other documents that you put in front of a patient at the beginning of the relationship, the informed consent, the financial responsibility pieces, that kind of thing.

I also say that that general form is necessary, but it may not be sufficient. You may need to look at a belt and suspenders approach. The second part of this is the authorization form concept under HIPAA. There may be some types of treatment for which informed consent about the disclosure needs to be closer in time to the proposed release.

In Maine, for instance, that would be HIV testing. It may also be the case with some of the other sensitive areas of treatment, such as mental health and substance abuse. You might want to take this general form and adapt it to something that is more specific, more narrowly tailored.

Third, develop a simple privacy policy. Issues of internal security, staff, and I probably should have put, listening to Dr. Marcus’s talk, patient access within the office.

Finally, take a look at your personnel policy. You ought to have a provision in there that emphasizes the importance of staff protecting the confidentiality of patient information.

Now, I’m not going to put you through this. I’m going to quickly run through these slides. I think you’ll find some of the quotes from the Wall Street Journal kind of amusing. It’s been very interesting to watch this national debate about the HIPAA privacy rule, because we lived it in Maine between 1996 and 2000. We have lived with our law now for two years. After the first hubbub about it I think practitioners in Maine are quite comfortable with it.

These show you the types of authority for disclosure under the Maine law. The problem with the initial attempt was that it set a standard of written authorization by the patient and provided no exceptions. That’s what had people backed up in hospital waiting rooms and emergency rooms and so on.

You’ll see the one or more of 20 statutory exceptions. Under the Maine law, this is the way we really address the issues of treatment payment and health care operations. Those are the types of things that are the subject of the exceptions to the requirement for written authorization.

I would like to try to address the specific questions that were put to us in the initial email briefly. In terms of technical assistance that I think practices could use, aim at the practice managers who are the likely privacy officers. In terms of educational offerings, remember if you want to attract physicians generally they’re going to have to be in the evenings. Simplify, simplify, simplify, I think is the message.

Offer practical tools. You’ve heard it several times this morning. Forms, form consents, form authorizations, form Notice of Privacy Practices are very helpful. I heard Betsy’s request for summaries. I guess I would offer one thought about why that doesn’t happen more often, and this may just be the lawyer in me. I think lawyers are very uncomfortable with summaries, because it’s very difficult to capture all of the important aspects of the law in a summary. Rather than go through that exercise, frankly whether it’s the government or any of us that are trying to help out the medical community, I would focus on those more practical tools.

Best practices: I guess the main thing I would offer here is regardless of the March 27th changes to the privacy regulation that say that consent isn’t necessary for treatment, payment, and health care operations, I think using the type of consent form that I described and that I’ve included in the packet at the beginning of the relationship is a best practice. It’s something that I would certainly recommend that all of you use.

Compliance resources: Certainly we’ve turned to the medical societies by and large. We’ve been doing the work on our own. I also use the AMA website a lot. I included that, because you can get to all of the other national specialty society websites from there. They all have this type of information on the website.

We continue to do education forums. We have planned, now that the regulation’s final, we have a half a dozen around the state taking place between now and the end of the year. We have a - it’s more than a HIPAA hotline. We have a legal hotline. Gordon and I take anywhere from a dozen to two dozen calls a week about a variety of compliance and other legal issues.

How are practices handling the training mandate? I think it varies. I mentioned that we’ve done some of this, other outside resources certainly. Privacy officers in the practices are doing some of that on their own. By and large, in my observation in Maine, I think they’re doing a pretty decent job.

Coalition building: Some of this is going on. I think it’s more common with the more technical aspects of HIPAA compliance, the transaction standards rule, the technical people. I think, frankly, it’s more valuable in that area. You’ve heard it from – I think Betsy mentioned perhaps more than any of us the conflicting interpretation. I do think there’s a danger that these sessions can turn into group hand wringing about, “Oh, what do we do? What do we do?” I think the energy is better directed at the practical tools and forms and so forth.

Preemption analysis: This is something – one of those things that only lawyers could love. I feel a little guilty whenever I take calls from people who say, “How are you doing in your preemption analysis?”

My response is, “I’m not doing a preemption analysis.” I don’t have time to do a preemption analysis. I don’t really care to do a preemption analysis. One day the governor of Maine, if he should choose to pursue the exception, is going to sort this out. Until then, our advice is going to be assume that you’re going to have to comply with both.

I don’t think that the Maine statute conflicts with the privacy rule. I think certainly there’s an argument that Maine’s law is more protective, because we still retain – I think, though, with the exceptions you may say the exceptions swallow the rule. But I still think that from the best practice standpoint and the premise of the law is written authorization to disclose. Again, it’s a completely unrealistic expectation that a physician practice would do this.

HIPAA vendors and consultants, certainly the accuracy and quality varies. You’ve heard this theme loud and clear, that I think we’re very concerned about the scare tactics that we hear. The message seems to be, “You couldn’t possibly comply with this law without our help.” I think that’s disturbing.

Thank you.

MR. ROTHSTEIN: Thank you, very much.

We have a few minutes for general questions. I’d like to just ask one question of the panel. I thank all of you for you testimony.

A common theme has been your, if I may collectively refer to your remarks, as the need for the department to come out with more clarity in terms of giving you model forms and guidelines and so on and so forth.

My question is besides producing the model for various practices and a model notification and model this and that, do you see a need for actual training to be done by the department? In other words, for the department to actually coordinate on-site training programs, to do web-based instruction, to do video conferencing, etc., besides just producing these documents. From your various perspectives, would you rather tailor it to your own institutions, and you’ll take the ball and run with it?

MS. MARCUS: I think you need to do everything. We definitely would benefit from having sample forms and instructions on how to use them and adapt them and what kinds of things are going to be the most important.

Just looking back at the efforts that the government made around the terrorism and the bio-terrorism stuff, where they had webcasts and then they had videos. If you couldn’t make the time for the webcasts you could order the videos. I think some public health organization actually made them available, and they were free.

I think that there are so many different ways in which you need to reach the people who need to know that whatever you can do is going to help. In the same way that the private sector is responding with newsletters and tips and CDs and stuff like that, if the docs had that available from the government and didn’t have to pay $100 or $300 for whatever the private sector is offering that would be really helpful.

Just like I mentioned, Medicare and Medicaid is having, as we speak, a HIPAA seminar with ten days’ notification. If I wasn’t obligated here this morning and had this already blocked out in my schedule, I would have looked at that and said, “Can’t get to it,” and it would have gone into the recycle pile.

That response is being duplicated in multiple offices. If they can’t get to that, maybe if they had a video that they could throw into their VCR at night they might be able to get to that; or if there’s a webcast that they could log on to at 10 o’clock at night, although who wants to look at HIPAA at 10 o’clock at night.

The thing is that multiple ways is always very helpful. Before I just close, if you have another couple minutes, this summer I was a patient. I have some comments about HIPAA from the point of view of a patient. If you have time for that we’ll go to that.

MR. ROTHSTEIN: Thank you, Dr. Sullivan. Dr. Fine.

MR. SULLIVAN: I just sort of echo what Dr. Marcus said. Just as we want you to produce a model, a sample Notice of Privacy, you could produce a model or sample training program, a videotape available, a web cast, a Power Point thing that you could download.

I think a model training program that maybe it wouldn’t be one size fits all, but something for hospitals. I’m obviously more concerned with the provider side than the payor and the clearinghouse. Model compliance, model training programs for hospitals, physicians, related health care workers, I think would be very helpful.

MR. ROTHSTEIN: Dr. Fine.

MR. FINE: I was going to add only that it depends on whether – the answer to the question is it depends. It depends on whether models and information can be made simple and clear. If it’s models that reflect the complexity that people are struggling with and try to cover the bases of all possible options, it’s not going to help much.

MS. KEENER: I have one thing I’d like to add to that.

I think having a model, anything would be very helpful if you can get it to us soon. April is coming up very quickly. For those of us in a large organization, we have a lot to do. We have a lot of people to train. If you give us a model training program in February, I’m going to be happy. It’s just not enough time to do it. Anything you can get to us in the fall would be great, but after that it just won’t help us at all.

I would just also add that from my position what I really need is timely answers to questions. If a bunch of us in the room are struggling with something, is there someone we can send a quick email to? Is there someone we can call? Just so that within a month or so we have an answer to a question instead of writing and finding out much later.

MR. MACLEAN: I think that the professional organizations are comfortable with the role of developing these tools and tailoring them to our individual membership.

I would have the government focus more time on interpretive guidance. I meant to mention that I thought that the guidance document that OCR published in the summer of 2001 was extremely helpful. While no one likes to read the Federal Register, I thought the clarifying comments in the March 27th publication were excellent, too.

I would have you focus more on that kind of thing, and maybe supplement that with an opportunity to ask specific clarifying questions.

MR. DANAHER: I’d like to ask a question of two of the presenters. I thought that they were both excellent presentations.

There’s a little bit of a dissonance I have. When Mr. MacLean, when you presented - and again I just thought it was terrific - the impression I’m walking away with is that many of the mandates, especially in the areas of privacy and security, especially in privacy, are not going to be a big problem for the Maine physicians, because in point of fact there are already Maine privacy regulations that may or may not be more stringent. It’s almost as if HIPAA for the Maine physicians is an almost non-event. My perception is that if we were to go to many of these offices that they would have policies and procedures, etc.

Then Ms. Khaja’s presentation made it sound – and I think probably Dr. Sullivan is probably the number one most knowledgeable physician in Massachusetts on HIPAA, quite frankly. Massachusetts has had a privacy act in place also. So I guess I’ve got this dissonance in trying to understand why have the Maine docs gotten it and it’s not going to be a problem for them; and the Massachusetts docs, who have also had a privacy reg, they’re so far behind the curve, or whatever.

MR. SULLIVAN: Can I comment a little bit on that?

We’ve had some privacy laws in Massachusetts, but there has been a bill in the Massachusetts legislature for almost four years now that has not passed yet. It’s been discussed not to the level similar to where it was done in Maine. I think Maine had the advantage of actually passing the law, whereas Massachusetts, as usual, was still deliberating on passage of the comprehensive law that allows, for instance, private right of action, which I don’t know if the Maine law does. The proposed Massachusetts law does, and it hasn’t passed.

There’s been a debate, but it’s in a small circle of legislators and privacy advocates. Therefore, most physicians, I think, don’t know about the Massachusetts statutes, even though Saliha has referred to the fact that we do have some other ones, but they’re nowhere near as comprehensive as what has been debated over the last few years.

MS. KHAJA: Just a few comments on that. I think it always seems to be more ominous when it’s coming from the feds. People think back to Fraud and Abuse and how it’s criminal in terms of prosecution. I think while certain practices, in terms of interaction with the patient, may remain the same in Massachusetts, what you don’t have are parallel administrative requirements.

I don’t think anybody has a Notice of Privacy Practice document in Massachusetts, even though some of those practices may certainly be in place. It’s these other types of statutory requirements, legal documents, I think, that are what the big change is focused on, but not so much in terms of, “Do we work to protect privacy?” Absolutely. Massachusetts has been very good at that.

MR. MACLEAN: I think that most Maine physicians, if you walked into most practices in Maine you would find them using some sort of consent and authorizations form. Now that the rule is final and with the new emphasis on the Notice of Privacy Practices, we need to spend some time there. I would not say that you would walk into most Maine practices and find a good Notice of Privacy Practices in place.

I did include from the AMA website one of their model notices. I’ll tell you my initial reaction to it. It’s a good document, but it’s lengthy. Our experience with the Maine statute is that, whether it’s forms or notices, they have got to be short and simple. No boxes to check. No blanks to fill in, because you will have people stacked up at admission if you do.

MR. HARDING: Richard Harding.

One of the issues that has been swimming around in my head is the phrase, “HIPAA compliant.” We’ve heard about HIPAA compliant forms, HIPAA compliant vendors. Who’s the credentialer of that?

What I heard was maybe the medical association gets leaned on to say, “Okay, who’s HIPAA compliant? What’s a HIPAA compliant form?” Do the professional associations feel that’s their responsibility, to be the credentialer of HIPAA compliance, or is that something the department, HHS, OCR, should be doing very clearly for people?

MS. KHAJA: I think ultimately it’s the enforcement arm. For privacy it will be OCR. That’s what I tried to allude to in my testimony, which is our physicians are going to feel more comfortable if they’re provided with a form from the enforcement arm than if they’re provided with a form from somebody else.

MR. SULLIVAN: That’s a good question, because it comes up. I chair the Information Systems Committee in my hospital. We’re hearing the discussion among the vendors all the time. When they’re talking about HIPAA compliance they’re talking about the final security. Just as there was in the last year or so prior to Y2K, there were these, quote, Y2K certification programs, but none of them were – as far as I know – directed by the government.

It’s similar to there are groups setting themselves up now saying we’re going to certify that you’re HIPAA compliant, but nobody has the kind of authority, or the ring of authority, that may mean something, other than they may be a big organization or they’ve got some real stars and some vendor’s background.

MR. ROTHSTEIN: To follow up on that, I think there is a substantial likelihood of confusion among small practitioners who get a solicitation that says, “Purchase this because it’s HIPAA compliant.” They have the erroneous impression that it’s met some federal standard, when really it’s just a marketing slogan.

We had the same thing 30 years ago when OSHA came into existence. We had vendors saying that this is OSHA certified, and OSHA doesn’t certify anything. I think to that extent the medical associations perhaps could publicize that. You’re likely to be bombarded with mailings saying, “Buy our HIPAA compliant,” and there is no such thing, and consult with us, or whatever.

Dr. Marcus?

MS. MARCUS: I think that that’s going to further confuse things. There has to be some standard by which the physicians can measure things. If you come out and say that the word “HIPAA compliant” really has no teeth, it’s like saying the emperor has no clothes. The docs are just going to throw up their hands further and say, “I give up. I’m just not going to do any of this.”

I think it behooves the government to put some standard behind saying, “If this has or includes this, this, this, and this, then it meets the minimum standards for HIPAA. You can trust that if you do these things you will be in compliance.” I think docs want to be compliant, but they just don’t know what they need to be compliant to.

MR. ROTHSTEIN: Well, clearly the government needs to set out the standards. I think the concern is that it’s got this self-proclaimed Good Housekeeping seal that some commercial entity bestowed upon itself. That would be my concern.

MR. SULLIVAN: Physicians were familiar with the term “compliance” long before Administrative Simplification. We have the issues of CLIA, the labs in our offices, were you compliant with Fraud and Abuse, one of the first big parts of HIPAA before Administrative Simplification. I think we’re all familiar with the word “compliance,” but I agree that unfortunately it’s taken on this connotation that is confusing.

MR. ROTHSTEIN: Simon, did you have any further questions? With that – yes?

MS. MARCUS: Can I just make one other suggestion?

In addition to producing materials to educate the doctors about HIPAA and what they need to do, I think it’s really important to produce materials to educate the public about privacy issues. They don’t really understand that, and they’re breaching their own privacy all the time. They do it in the sense that they’re just totally unaware of it.

Public service announcements, videos, the insurance industry is really good at that. Who are those two characters on TV that were blamed for killing the prescription? You could do a scenario like that around the privacy stuff, and that’s going to sail right home to the public.

Putting the entire onus on the physician is not going to meet everything that you need. For instance, I tell patients when they send me email that they shouldn’t use their work email, because they don’t own that email and their boss has the right to look at that email if they so choose. I say get yourself a Hotmail account, because then, if you need to, you can use your office computer to access the Internet, send the email from the Hotmail account, and the message stays on the Hotmail account. It doesn’t go through your office network.

People were just, “Oh, really!” They had no idea about stuff like that. One dad was asking me for a mental health referral for his kid. I wanted to check out a couple of people before I gave him the names.

He said, “Well, why don’t you send me an email?” I went through this scenario. He gave me his office card, his office email. I said, “I’m not so sure you want this to go through your office network, because you may not want your boss to know about your kid’s mental health problems.”

He looked me straight in the eye and he says, “I’m the boss.”

I said, “Okay.” In general, the public doesn’t understand things like that. In this new electronic age, they really need to start to understand that. You could do a lot of good with public education.

MR. ROTHSTEIN: Thank you for that point. Once again, thank you to all the witnesses. We know you’re very busy, and we appreciate you sharing time with us.

Unfortunately, we are behind schedule; but we will take our break now. The second panel will begin promptly at 11:30.

(A short recess was taken)

MR. ROTHSTEIN: We’re on the record again. This is Mark Rothstein, chair of the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality. I want to apologize to the members of the second panel for running over.

My plan is to have this panel between now, 11:30, thereabouts, and 12:45. I understand that some of you may need to leave early, so we have readjusted the order in which you will be giving your presentations. With only four on this panel, as opposed to six on the last panel, I don’t think that should be too great a problem. That’s why I was a little bit free with your time. I apologize for doing that.

As we did at the beginning of the morning the subcommittee members introduced themselves and indicated any possible conflicts of interest. Dr. Danaher came in late and did not have an opportunity to do that, so I’ll recognize him now.

MR. DANAHER: Thank you, Mark.

First of all, I’d like to apologize for being late. My name is John Danaher. I’m a member of NCVHS and a member of the Subcommittee on Privacy. I am also the president and CEO of a web-based training company focused on health care compliance, with a special focus on HIPAA. I do not believe that my presence today will be a conflict of interest. I thank you for allowing me to be here.

MR. ROTHSTEIN: Thank you.

Let me just remind the panel members to please speak into the microphones. You will have 10 to 15 minutes for your initial remarks. I’ll give you a one-minute cue. After your initial presentation I’ll ask members of the subcommittee if they have any questions of a clarifying nature for each speaker. Then at the end of all four presentations we’ll have a panel Q and A and a chance for some interaction.

Because of his schedule I have put Dr. Halamka first. If there are no objections from the co-witnesses on this panel, please proceed.

Agenda: Hospitals - Panel 2

John Halamka, Chief Information Officer, Caregroup Healthcare Systems

MR. HALAMKA: Good morning, and thank you. My name is John Halamka. I’m the chief information officer of the CareGroup Health Care System.

CareGroup is six hospitals, about a $1.4 billion integrated delivery network serving eastern Massachusetts, 12,000 employees, 3,000 doctors, about a million active patients. As CIO of that organization I’m responsible for all clinical, financial, administrative, educational, and research IT. Therefore, the responsibility for HIPAA Administrative Simplification and the security rule implementation for this collection of hospitals and doctors falls to my organization.

In addition, I’m chairman of the New England Health EDI Network, which, as I will describe in a moment, is a consortium of 45 major payor and provider organizations, in Massachusetts largely, but we’ve also expanded to Connecticut and Rhode Island. That organization is responsible for Administrative Simplification implementation throughout the New England region. In the respect that, being chair of that, I’m responsible for administrative simplification across the New England region, moving today about 150,000 HIPAA transactions a day across largely hospital-oriented groups.

I’m also the CIO of the Harvard Clinical Research Institute, responsible for maintaining patient privacy on all of the clinical trial data gathered across 1,700 hospitals, and I’m associate dean of Harvard Medical School, responsible for all educational technologies. At Harvard I’m protecting student and faculty privacy.

I wanted to focus our remarks today on really the hospital side, of course talking about privacy and security, but mentioning a bit about Administrative Simplification, because it does dovetail into privacy and security, given the consortium approach we’ve taken in New England.

I will completely agree with the previous panel in saying that there’s much work to do and there’s significant burden in implementing HIPAA, but from a hospital’s perspective it’s both what we want. As an entire legislation, HIPAA saves us millions of dollars. It does things that we really need to do for the benefit of our patients and our doctors anyway. The three areas I’ll describe are the administrative simplification, privacy, and security rules.

In 1998 John Glasser, the CIO of Partners, and Rick Shoot, the CIO of Tufts, and others gathered together in New Orleans -- gathered Mass Health Data Consortium and a number of other organizations came together to talk about privacy, security, public infrastructure. At that meeting we decided to do HIPAA together as a region.

You can see some of the partners that came together: CareGroup, Harvard Pilgrim, Tufts, Lifespan, U Mass, Lahey, Boston Medical Center, Children’s. Today, as I mentioned, it’s 45 provider and payor groups representing about 90 percent of the health care transactions done in Massachusetts, working together to implement administrative simplification without having transaction fees or friction. It’s really a convening organization agreeing how to use the standards embodied in HIPAA to reduce the cost of medical care.

In addition to doing the administrative simplification, we have an important privacy and security role, in that together we adjudicate how we are going to exchange transactions. Business partner trading arrangements are done collectively. Today, this organization has one trading partner agreement for Massachusetts.

Of course, we’ve all signed our individual agreements with each other. That is, we produced the one document and I sign it with Tufts and Blue Cross and Harvard Pilgrim, etc. In effect, from an efficiency standpoint we agree as a state to have effectively one set of forms, one set of documentation, one set of agreements for the information that we are interchanging amongst ourselves.

We’ve also been able to do security together. Although we’ve said, “Yes, Partners, Blue Cross, Harvard Pilgrim, we’re individually responsible for security and implementation of the security rule in our organizations,” we’ve learned a lot together about how to do it right. We know the rule isn’t yet finalized or implemented, but as I’ll describe there are some basics of protecting ourselves that we’ll all want to do anyway.

Just as an amusing anecdote, Ziff Davis, a large publisher, decided to challenge the security of the NEHEN network and all of these various payors and providers, and asked my permission to bring white hat hackers into the data center of CareGroup and give them 48 hours over a network connection inside the data center to try to compromise the security of patient information traded by this consortium. They were not successful.

They did, however, write a wonderful 30-page article in Baseline magazine in June describing their efforts to break the security and compromise privacy of this group. Some of the theoretical attacks that they performed gave this group enough warning, if you will, to be able to bolster its security measures as a group. Now, in fact, we have a document that says, “Folks, we are going to protect ourselves, and here are some of the basics; although the security rule is not final, from what we have learned from these white hat hackers, we had better have these security measures in place.”

To give you a sense of where we are as a state, I think that you will find we are much ahead of the United States with regard to the administrative simplification portion. We have completed in the State of Massachusetts eligibility, specialty referral, claim status inquiry, referral authorization and inquiry, and electronic remittance. We’re just in pilot on claim status across these various organizations I’ve described, claims submission, both institutional and professional. In the winter we will have a complete, live implementation of all of the ANSI X12 4010 HIPAA mandated transactions throughout our region.

We have really taken this consortium approach and leveraged it to educate all of our payors and providers. Because we do this together, as was described by the last group, there’s enough mass that we can produce education materials and share them with the individual practitioners, the individual staff members and employees of our various organizations. Although we came together for the purpose of administrative simplification, we do much privacy and security for policy making and education and promulgate that information throughout all of our groups.

How are we doing with the Privacy Rule? We recognize the Privacy Rule in its current form requires notice, consent, and transfers to third parties with appropriate trading partner agreements, appropriate standards and policies for accessing, copying, and amending, dealing with complaints and enforcement, and an audit trail to find out who got the information.

Each of our individual organizations in CareGroup has deferred to the central committees of the CareGroup organization the policy making regarding this particular set of Privacy Rule limitations. The way we’ve organized ourselves, as we said, at CareGroup, the integrated delivery network, we will come up with a consistent master policy manual that will be shared with all of our hospitals and all of our doctors’ offices. We will have privacy officers appointed at each individual entity. We will, together, produce standard forms centrally. We will produce a single Notice of Privacy Practices to be disseminated throughout all of our organizations.

We will develop a central staff training program, web-based, as was described would be ideal for NCVHS and HHS to do, and a consistent disciplinary action program, which basically states if you compromise patient confidentiality you’re fired. Pretty simple. Every employee, both doctor and staff, must sign an agreement upon becoming an employee or affiliate of CareGroup that acknowledges the disciplinary action that will take place if you compromise patient confidentiality.

Together we decide on access controls. Who has the right to see patient information and in what circumstance? We have certain information, such as mental health and substance abuse information, that gets special protection. This is even beyond what the privacy and security rules state today. You cannot access mental health or substance abuse information electronically without signing a consent, if you will. As you click on that element that you are going to access, it states, “This is especially protected information. This access will be audited, guaranteed.” We will email the author of the note, if it’s a mental health or substance abuse note; at the very act of opening it you must tell us why you are looking at it. We’ve done quite a bit of access control work.

Standardized complaint and amendment procedures: of interest, we have made available to the 1 million active patients of CareGroup a web-based amendment procedure, so that, with appropriate access control, a patient is given a user name and password for access to their entire medical record and then is capable of both amending that medical record and reviewing the audit trail on-line, showing all individuals who have accessed that medical record and why.

We’ve been up on that since 1999. We’ve done about 2.5 million transactions through that system since 1999. It’s called “Patient Site,” and it’s available for you to look at on the web at PatientSite.CareGroup.org. You can take a tour and actually exercise the medical record amendment and security audit process.

As I mentioned, there are standard policies for addressing compliance and dealing with non-compliance throughout our organization. We have a large research community, about $150 million in NIH sponsored research, and deal with standard IRB and standard approvals for accessing patient-identified or aggregated information throughout the network.

All of our business associate agreements are handled centrally. And of course, standard opt-out procedures and dealing with common policies on the marketing, fundraising and development side across all of our hospitals.

That’s a huge amount of work but, again, the way that we’ve decided to do it is that we have this central organization we call CareGroup that is going to be responsible for those work plans that I’ve mentioned, the communication of all HIPAA requirements to the affiliates.

In effect, acting as an internal consultant and resource.

We have elected not to seek any outside consulting assistance in our HIPAA privacy or security activities. Occasionally we will hire, for example, in the security realm a contractor who may have special expertise on some technical issue, but we’ve not brought in any of what I call those – I think the last panel referred to it – the naysayers and panic inducers who say, “Unless you hire us you will have no chance of being HIPAA compliant.”

Just to tell you, I probably get a dozen emails a day saying, “We are HIPAA experts,” spelled H-I-P-P-A. I write them back that a HIPPA is an African female animal.

We have provided templates and work plans, policies and procedures, consents and authorizations. We can do that because, again, we’re a $1.4 billion organization. As the last group stated, the non-affiliated practitioner or the small practice just can’t do the kinds of things that we can do because of our size. I encourage HHS to develop templated policies and procedures for dissemination to those non-affiliated practices.

We participate on committees both national and regional. The training program has been developed on the web.

Our work team is divided quite simply. We have a central oversight committee. I’m responsible for security rule and all administrative simplification. Leon Goldman, who is our Compliance Officer, is responsible for privacy and the templates, consultation and training around that.

HIPAA, for us, is not an IT project. HIPAA is a consortium project involving legal, human resources, information technology, medical records, appropriate individuals throughout the clinical community with a great interest in balancing privacy and patient care. We know that you can protect patient privacy but compromise their care if the balance is set too strictly.

We also recognize that health care is ultimately a local phenomenon. This means that there may very well be local IT systems, local organizations or infrastructures that do require some customization of those centrally mandated plans. Although everything I’ve mentioned to you we handle at a central CareGroup level, we also have some local committees that are able to give that local flavor, the local spin, work through some of the work processes and procedures at local community hospitals, and then report back to the central location how implementation of our standard policies, procedures, guidelines and materials have progressed.

As was also stated by the last group, we are challenged by the fact that the security rule has not been formalized. And yes, I have during that long winter night six months ago sat down in front of the fire and read the entire Security Rule in its nine-point type from end to end and was disappointed with such recommendations as: Firewalls are good. Encryption is good. In general you should audit.

Well, this is a bit Mom and apple pie, since there’s absolutely no specificity to the rule. I can create a firewall that’s useless. I can create encryption that any MIT graduate student in two hours can break. In fact, for us, since the rule is not finalized and not specific, we have developed what I consider our own best practices. It’s a matrix, in effect, of 60 criteria that I took from both my experience and from For the Record. Some best practices are implemented across the nation in other IDNs (integrated delivery networks) for authentication, role-based access control, auditing, etc.

In effect, what I’m going to call this, because we’re in Boston today, is something that will pass not the security rule necessarily but the Boston Globe test, which I think is actually even more severe. Would a well-informed member of the public look at this matrix of 60 criteria and say that we had done a very credible job in attempting to protect confidentiality with appropriate security?

That’s really what these 60 criteria do. It means I can sleep at night knowing that we have created a moat, if you will, around all of our IT systems that guarantees the privacy rule could be enforced by having appropriate security measures.

Ultimately what I do is I remediate the worst offending systems. We know the rule is not final; the rule is not specific. I do the very best to pass this Boston Globe reasonableness criterion.

I’ll summarize my comments by saying we’ve done administrative simplification as a region. It has saved millions of dollars. Partners has experienced a $20 million savings; CareGroup a $10 million savings. Overall administrative simplification has really improved work process. Together as a consortium we’ve done this rapidly, at low cost, with great savings.

The privacy rule is just good business. Our patients depend upon us to protect their privacy and confidentiality. It’s hard, but we have to do it. The security rule, we desperately want to be