[This Transcript is Unedited]



November 19, 2003

Silver Spring Hilton Hotel
8727 Colesville Road
Silver Spring, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030

List of Participants:


P R O C E E D I N G S (9:10 a.m.)

DR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I am the Director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine, and Chair of the Subcommittee on Privacy and Confidentiality on the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens which makes recommendations to Congress and the Secretary of HHS on health information policy, including issues related to HIPAA. On behalf of the subcommittee and staff, I want to welcome you to the first in a series of hearings on implementation issues under the HIPAA privacy rule. I also want to welcome those who are listening on the Internet.

Before proceeding further, I would like to have introductions of the panel members and subcommittee and staff, and I would invite subcommittee members to disclose any conflicts of interest that they have at this time. So I would ask, Kathleen, if you would begin.

DR. FYFFE: Kathleen Fyffe. I am the lead staff to the subcommittee.

DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation, member of the committee and the subcommittee.

DR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the committee and subcommittee.

DR. GIBSON: John Gibson, South Carolina Department of Health and Environmental Control, and representing the Council of State and Territorial Epidemiologists. I am testifying.

DR. BURT: I'm Cathy Burt with the National Center for Health Statistics, and I am here to testify.

MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation of the Department of Health and Human Services.

DR. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the committee.

MS. HORLICK: I'm Gail Horlick from the Centers for Disease Control and Prevention, staff to the subcommittee.

DR. HARDING: I'm Richard Harding from the Department of Neuropsychiatry at the University of South Carolina, member of the committee.

DR. COHN: I'm Simon Cohn, the National Director for Health Information Policy for Kaiser Permanente, member of the committee and subcommittee.

DR. ROTHSTEIN: I would invite members of the audience now.

(Whereupon, introductions from audience members were presented.)

DR. ROTHSTEIN: Thank you, and welcome to everyone. And on the phone, Denise?

MS. LOVE: Denise Love with the National Association of Health Data Organizations.

DR. FYFFE: Denise, what state are you in right now?

MS. LOVE: I'm in Utah.

DR. ROTHSTEIN: Good morning to you out there in Utah.

MS. LOVE: Thank you.

DR. ROTHSTEIN: The subcommittee has scheduled six panels over the next day and a half. The first two panels this morning will be on public health issues. After lunch there will be two panels on general testimony from the health care industry and consumers. Tomorrow morning we will have two panels on the issue of research. Additional hearings on other topics will be scheduled after the first of the year.

Besides the invited testimony, any member of the public is invited to testify for up to five minutes this afternoon from 3:45 to 4:45. The public testimony slots are on a first come, first served basis, and if you are interested, please sign up with our staff in the front of the room.

During our hearings in 2002, one of the issues that caused the subcommittee great concern was testimony that a misunderstanding of the HIPAA requirements, and concern about sanctions were leading to defensive practices by those in possession of protected health information. Among these practices was a reported decline in public health reporting, both reporting mandated by state law and permissive under state law, but in either case permissible under HIPAA. Now that the privacy rule has been in effect for about seven months, we believe it is time to revisit this issue.

I would ask the witnesses today to please keep in mind the purpose of the hearings and to adhere to our time limit of ten to 15 minutes per witness. After each witness, I will ask the subcommittee members if they have any questions of a clarifying nature. After all the witnesses of each panel, we will have time for broader questions and discussion. Witnesses may submit additional written testimony to Marietta Squire within two weeks. I would request that all witnesses and guests please turn off their cell phones. Finally, if witnesses will speak clearly into the microphone, that will be greatly appreciated by those listening on the Internet.

So if there are no other preliminary matters? Kathleen.

DR. FYFFE: Should the witnesses need to be reminded of our time frames, I'm going to hold up a three-minute warning, a one-minute warning, and a zero-minute warning.

DR. ROTHSTEIN: Yes, and I also have a lever for a trap door up here. We would like to begin now with panel number one, our first panel, dealing with the issue of public health. Two of them are present with us, and Dr. Love is going to chime in by phone. So I'd like to invite Dr. Burt to please begin.

Agenda Item: Panel 1: Public Health

DR. BURT: Thank you. Good morning. I'm Cathy Burt, Chief of the Ambulatory Care Statistics Branch at CDC's National Center for Health Statistics. I want to talk today about how HIPAA has impacted our operations and what suggestions we may have.

CDC conducts a family of health care provider surveys known as the national health care survey. The survey collects data from providers on patient encounters in order to make national estimates of utilization. The encounters are sampled from a broad range of service areas, from doctor visits and hospital discharges to nursing home residents. While the surveys are authorized under the Public Health Service Act, which assures confidentiality in law, the newly effective privacy rule of HIPAA sets further standards for providers, that is, covered entities, when disclosing protected health information for research or public health purposes.

For our family of surveys, the rules and provisions in the regulation, some are applicable for some and others are more applicable for others, based on the kinds of health provider information that we collect. The surveys differ with regard to that.

The specific rules of the regulation that we want to talk about deal with, providers must have a general privacy notice to go to the patients, patients in general authorize disclosures for protected health information, but they can be disclosed without authorization under several provisions. If you are only collecting a limited data set and you use a data use agreement, if you are a public health authority, if you are conducting research with IRB approval of a waiver of patient authorization, and if you are only collecting de-identified information. Other aspects of the rule that are directly related to our surveys deal with the fact that providers must account for the disclosures that are made, unless there is patient authorization, a limited data set, or they are only providing de-identified data.

The national health care survey comprises three components, one of ambulatory care, of hospital and surgical care, and one of long term care. We contract with data collection agencies to actually go out and induct providers into the surveys, and sometimes they actually collect the data as well and give the information back to us at CDC.

So in terms of making modifications to our procedures to deal with the rule, for some of the surveys where only limited data set information was collected such as birth date, encounter date and zip code, something like that, then we could go with a data use agreement. So we developed a data use agreement to cover those situations.

Other surveys collected in additional to that collected medical record number from the hospital. This was considered to be something that was directly identifiable, therefore in terms of modifications to the survey procedures, they decided to no longer collect that information, so they could go with a limited data set and therefore use a data use agreement.

The long term care surveys collect -- in addition to indirectly identifiable data, they also collect directly identifiable data such as social security number, Medicare I.D., and patient name, so that they can do followup.

One of the initial thoughts that we had when we were discussing what we were going to do with all of this was how the providers or the covered entities would see us; would they see us as a public health authority collecting public health data, or would they see us as doing research. So we decided we would cover all bases. We would say yes, we are public health, but if you don't like that, yes, we have IRB approval for doing research.

In the case of the two surveys that I run, the national ambulatory medical care survey and the national hospital ambulatory medical care survey, these two surveys had always been exempt from a full IRB review because we didn't collect new data; it was already data that was collected in the medical records.

So the first thing we did was to create a full protocol and go for a full IRB approval with a waiver of authorization. I'm sure you will hear more about that this afternoon among the research persons, but here in public health, we also felt that that was an important base to cover.

Some of the materials that we modified or created including those accounting documents, data use agreements. We modified our introductory letters to the hospitals and physicians and nursing homes, et cetera, to say that we were covered under IRB approval, to say they could still participate, they could still give us information as they had in the past, that the rule covered that.

We had to create special questions and answers to answer any questions that they may have. Because the people who were out there directly talking with the providers are in the case of our surveys Census Bureau field representatives, they do not necessarily have a health background, nor do they know or care to know anything about HIPAA. So we had to train them on what they could talk about to the physicians and to the hospitals without sounding totally ignorant, but yet not giving them more information than they need to know. We didn't want doctors to come to them and think, this person knows about HIPAA, I'm going to ask him all the questions about the privacy rule, because that wouldn't work.

We also created a lot of additional provider materials, including respondent websites or participant website that a physician or hospital staff could go to to find out more about our surveys, to see our IRB approval letters, to see the data use agreements, these questions and answers. We also created a flash presentation on the website that allows physicians to find out more about how they are able to cooperate with us under the HIPAA privacy rule.

Other modifications were a little more minor. We postponed a research study as part of the hospital discharge survey that was going to be in the spring, and was going to straddle April 14. So we postponed that to this fall to give the hospitals time to get used to HIPAA. But that was kind of minor.

In the review and approval process, we spent several months in the interpretation about what was applicable, what was not applicable, what we could do, what we couldn't do, what we had to do, what maybe we didn't have to do. These discussions involved people from the Office for Civil Rights, from NCHS' policy office, and from CDC's Office of General Council. In fact, the counsel had to approve all of the procedures, all these modifications, to make sure they were in line with the rule.

Some of the parts of the rule that became problematic for us is this notion of, when Census Bureau go to induct the hospital physician, the physician says they are too busy to abstract the data. The Census Bureau staff has been instructed to say, we will do that for you. You pull up the medical records and we will do it.

Well, in the process of their doing that, they may see the patient's name. This is not something that we collect, but if they see it, according to the rule, it is a disclosure. Therefore, a lot of the accounting practices are required when you are disclosing that information.

For a data use agreement, the patient name is not on there. If they do it themselves, we can come under the data use agreement, but if we do the abstracting for them, that no longer applies because the name has been disclosed. Therefore, we have the accounting requirements, and that places extra burden on the physicians to keep the accounting documents for six years. We were afraid that we would get a lot of problems from physicians or hospitals not wanting to have to do that extra step.

The other problem with the accounting was the notion of the accounting for multiple disclosures for the same purpose. If a doctor gives us 30 records in a year for the collection, is that disclosure for the same purpose, could that be covered with one general accounting document. We felt that the regulations didn't really imply that, so that meant that the physician needs to keep an accounting document for all 30 of the records where the Census Bureau has done the abstracting.

These rules about, if they accept the data use agreement or they want the field representative to do the abstracting, made for very complicated charts that we developed for the field representatives to help them go through and make sure that the provider was doing all that he or she had to do to be compliant with the rule.

So what effect has this had? We are very happy to say that there has been little effect on response rates. We expected there to be a lot of problems. Between the first quarter and the second quarter of this year, there was no difference in the national ambulatory medical care survey, which is the survey of physicians, and in the national hospital ambulatory medical care survey, which is the sample of hospital emergency and outpatient departments, there was only a slight difference in response rate. But when we queried the field staff, they indicated that none of the reasons that the hospitals refused was because of HIPAA.

There were some effects on survey costs. We had to develop all these materials. We had to develop training. There was extra time in the induction to explain all of this to the physicians and the hospitals, so it did increase -- at least in the case of the NAMSCS and the NHAMCS the annual survey costs about two percent more than it was in the past. But we felt that the careful planning that we did in the development of all these materials, and the time that it took to give careful training to our field representatives is what really helped keep our response rates high.

I would invite any of the committee and the audience and the people on the Internet and phones, if they want to see any of the materials that we have developed, to go to the website, www.cdc.gov/namcs. You can see all the materials we developed for the physician survey, and if you go to www.cdc.gov/nhamcs, you will see the materials we developed for our hospital surveying.

We do feel that the jury is not out on this. We will continue to monitor the response rates over the next year or so to see if there is any change.

Thank you.

DR. ROTHSTEIN: Thank you. Let me ask the members of the subcommittee at this time if they have any clarifying questions. Let's go now to Dr. Gibson, please.

DR. GIBSON: Good morning. I'm Dr. James Gibson, state epidemiologist and Director of Disease Control for the South Carolina Department of Health and Environmental Control.

As state epidemiologist, I served on my health department's HIPAA working group to assess our hospital confidentiality vulnerabilities and to plan out our policy changes and staff training to deal with them.

I am also representing the Council of State and Territorial Epidemiologists, CSTE, the national organization representing state and local practicing public health epidemiologists. We are really grateful for this opportunity to present our experience in these challenging issues.

I will focus my report on the effect of the HIPAA privacy rule on disease surveillance. It is on reporting, investigation and preventive response to acute communicable diseases in general, and also on surveillance of potential bioterrorist agents, including the syndromic surveillance systems that are being piloted for early detection of these agents.

The HIPAA legislation has had a wide set of influences on acute diseases surveillance and control, we think. Our consensus experience is that it has strengthened the security and confidentiality of state and local public health data, although there appears to be very little evidence that this had been dangerously threatened in prior years.

Two aspects of the HIPAA privacy rule have raised substantial concern about their potential to reduce the effectiveness of disease surveillance. First, uncertainty among covered entities -- I would assume the committee knows the special parlance of HIPAA -- about the interpretation of the rule's exclusion of disclosures to public health agencies. Second, the requirement that covered entities account for or track disclosures, including the public health.

For that reasons, my bureau and CSTE's staff recently conducted two e-mailed surveys of all state and territorial public health epidemiologists, and also of all CDC bioterrorism grantees responsible for disease surveillance and response. About 110, 115 surveys out altogether.

The survey asked for their experience with the impact of providers' concerns about confidentiality and privacy on their acute disease surveillance systems. The second survey asked for more detail on the influence of bioterrorism and syndromic surveillance. I'll just describe briefly the response to these surveys.

The survey on syndromic surveillance systems was done first. It included nine questions, encouraging open-ended responses, and yielded responses from 35 jurisdictions, including over half the states and cities known to have such systems. In 11 of the 31 with significant experience, 35 percent, stated that in reporting organizations, concerns with HIPAA privacy had caused obstruction or delay in disease reporting. They reported needing to take special new regulatory or legislative actions, repeatedly having to provider detailed letters of explanation or having to reduce the level of reporting detail that they needed.

Two states' quotes seem to exemplify these problems. They are not highly atypical. Quote: Even our routine investigations of outbreaks have encountered roadblocks. Many people in the trenches don't know enough about HIPAA, and therefore err on the side of not releasing information that we used to obtain routinely. Moreover, they are much less likely to give us information beyond the absolute minimum, unquote. In the second one, quote, almost every hospital we have approached has raised the issue of their compliance with HIPAA regulations when providing syndromic data.

The first issue always addressed is the public health exemption under the legislation, unquote.

We asked also about the effect of the requirement for covered entities to account for disclosures to public health. Twenty-five percent, a quarter of the respondents who addressed this question, said that this was a significant problem for their disease reporters. Statements included, quote, these could be issues of feasibility or cost of tracking disclosures to public health, or of how such tracking could be accomplished, unquote. The second quote, there are issues arising from this misconception, questioning the doability of disclosure tracking, or the limit to aggregated data only.

Unfortunately, it is not clear who has the authority to correct this misinterpretation of the rule. Providers are caution. It is not clear what we could provide to reassure them that a general accounting, rather than transaction-specific accounting, would work. End of that quote.

The excellent Centers for Disease Control and Prevention guidance on HIPAA of about a year ago was very valuable. It does suggest that documentation of individual disclosures is not necessary for public health, but just what method is accountable is not clear. It is clear to at least some counsels of hospitals and public health agencies that that guidance is not sufficient for them to decide on a more general system of accounting.

Our other survey on confidentiality concerns for general surveillance yielded an additional eight responses from state health departments. Seven of these said it was severe or somewhat severe problem. Comments included this from a state epidemiologist: We have almost weekly examples of people refusing to give us routine or outbreak related surveillance data, citing HIPAA concerns as their reasons for refusal. So far we have been able to argue our way through them, but it has consumed several hours a month of my time or that of my staff. The two most recent examples were yesterday. There were data on a varicella outbreak and a group of hepatitis-C cases.

Several respondents said they were routinely or often asked to provide a signed release from the patient before the covered entity would disclose the information, obviously impossible for a public health agency. In my state, in South Carolina, two different health district epidemiologists, the first two I asked, said independently that 20 or 30 percent of investigations of reported diseases are obstructed by HIPAA privacy concerns.

For example, physicians have said to us, quote, this is my license at risk, unquote, and refusing. Usually a detailed explanation or a written statement from our department's counsel will solve the problem, but occasionally the information just isn't forthcoming.

Note that incomplete reporting of surveillance data requires the public health staff to make a second request of the provider. That takes time, which is in short supply during a communicable disease investigation.

So I draw five conclusions. First, no respondent questioned the impact of the privacy rule in causing public health agencies to examine and strengthen their confidentiality protections. That is happening, although several question the need for that.

Second, it appears that misunderstanding or ignorance of the true requirements of the privacy rule are widely present among covered providers, and their reaction is sometimes to reduce required disclosures to public health.

Third, while explanations, educational brochures or letters are helping reduce these refusals to disclose disease information, the burden on public health staff may be substantial. Most of this impact is on diseases that we ask providers for. We could find very little information on the extent to which providers may have simply stopped sending acute disease reports, which we might therefore not ever know about.

Finally, it is not clear how to find an authoritative federal source to state, for example, thoroughly and publicly the details of an acceptable process to satisfy the disclosure accounting requirement without specific documentation of each disclosure.

So our recommendation is that an authoritative source, that means Office of Civil Rights, prepare and proactively disseminate to public health providers a clear statement of policy in the areas of greatest uncertainty. For example, the simplest process acceptable for a covered entity to account for routine disclosures to public health surveillance and investigation.

In conclusion, state and local public health is where the rubber meets the road for acute disease control, and our ability to rapidly collect essential data mandated by state law should not be compromised.

Thanks for the opportunity to comment. I'll be very happy to answer questions.

DR. ROTHSTEIN: Thank you, Dr. Gibson. I'm sure that members of the subcommittee have lots of questions for you at some point, but are there any immediate questions of a clarifying nature that people need to have?

We'll go now by phone to Denise Love. Denise, are you still there?

MS. LOVE: I am.


MS. LOVE: Thank you. Good morning.

DR. ROTHSTEIN: Good morning.

MS. LOVE: Thank you for allowing me to testify by phone from Utah. This is an important issue for all of NAHDO's members and organizations that collect and use health data, so we appreciate the opportunity.

My name is Denise Love. I am the Executive Director of the National Association of Health Data Organizations, or NAHDO. I am testifying on behalf of both NAHDO and its members and stakeholders. The National Association of Health Data Organizations is a nonprofit membership and educational association. Our mission is to promote the public availability of health care data and improve health care data systems. Our members represent collectors and users of statewide health care data systems which serve as the major source of population-based health care surveillance data to monitor health care cost, quality and access at the state and sub-state level.

Increasingly, the state health care data systems are supporting national initiatives such as the Agency for Health Care Research and Quality's health care costs and utilization project, or HCCUP. These data sources are increasingly providing health care marketing and policy indicators, for instance, that will support the national health care quality and disparities report. State health care data also support other national research and community assessment initiatives, and assuring continued access to these data and expanding emerging data sets is essential to measure and improve the health of populations and the health care they receive.

NAHDO recognizes that data sharing and data exchange have always been complicated. In some cases, institutional policies, local IRB rules, as well as local state and federal laws and regulations, and now we have the HIPAA privacy rule.

NAHDO believes that the HIPAA privacy regulations recently implemented throughout the country have provided a much-needed national framework for the protection of individually identifiable health information. These regulations are not perfect, and it will take time to sort out the issues and make refinements so that these opportunities are identified.

NAHDO considers the regulations as the price ticket to the electronic information age, and we commend today's subcommittee hearing for sorting out some of the problems that we have identified.

The regulations have significantly strengthened the ability of patients and consumers to understand and control what happens to their health information, and has established boundaries and limitations on when personal health information can be used and disclosed. The regulations have also attempted to strike a balance between people's claim to privacy of health information and their public responsibility to contribute to the common good by allowing the use of their information for important community purposes such as public health.

NAHDO is especially grateful to DHHS for responding to our earlier concerns about the original rule, and the modified privacy rule reflected those concerns by permitting the use of a limited data set, which has helped extensively in our members' daily work.

We have been asked today to provide testimony to the subcommittee on the impact that these regulations are having on public health and health data organizations. I wanted to start by saying we strongly believe that the privacy regulations are having a profound effect on the ability of public health agencies and others responsible for insuring the health and safety of the population to have access to health information and to carry out their responsibilities.

The first topic I would like to touch on today is overall designation of public health agencies under HIPAA privacy. There is initial confusion in public health and a lot of time and energy was spent sorting out covered entities' status or reporting status. Most public health agencies across the country have taken those necessary steps, decided what type of entity they are under HIPAA privacy regulations. Some have identified themselves as non-covered entities, others as covered entities under HIPAA, and a third group has made its decision to consider themselves as hybrid entities.

It is important to recognize that even those public health agencies that consider themselves non-covered entities under HIPAA are still impacted by the privacy regulation, and some special concerns about those entities in which a center for health statistics or public health authority is located in an organization with Medicaid, and that entity either considers itself a covered entity or a hybrid entity. There is still confusion and questions around how to operationalize these designations within the context of public health.

For instance, a hybrid entity in a public health agency might find it difficult to distinguish a source of request for individually identifiable health information, whether the request is for public health purposes, coming from a non-covered component of the hybrid entity, or for health care operation purposes, of a covered component within a hybrid agency, and again, what does it mean to have firewalls between those organizations within the same agency.

So we strongly recommend that the Department develop additional guidance and provide sample models that explain how specific HIPAA privacy designations affected these public health agencies.

The second issue that I would like to talk about is the impact on the ability of public health agencies to obtain health information from covered entities. We believe that the most significant impact that the regulations have had on public health has been the ability to agencies to continue collecting health information from covered entities.

We felt there was some initial over reaction, hypersensitivity, after the rules were in place. Many of our members feel they are getting past this, which is good news. We feel that covered entities are understanding the rule better, and we are seeing a more rational approach to data release and disclosure. Yet there are pockets of difficulty that still persist.

While the regulations clearly establish specific permitted disclosures of protected health information for purposes of public health and other related important community purposes, many covered entities initially delayed, reduced and in some cases considered stopping the provision of public health information to public health agencies. Again, many of these agencies have worked through the concerns.

One example is registries or other data reporting mechanisms that may have been established voluntarily in a state or local area, with support and collaboration between providers and the public health entity. With HIPAA, the legal basis for these reporting systems may be challenged, forcing the public health authority to mandate the reporting or give up the reporting altogether.

In some states, implementing mandates are politically difficult, so we feel that some of these data flows could be jeopardized. We believe that this is an unintended consequence of the regulations, and primarily due to three factors: misunderstanding of the permitted disclosure by the covered entity, fear on the part of the covered entity of inappropriate disclosure and lability implications, and required additional documentation and processing of the requested information on the part of the covered entity that gets to the disclosure accounting requirement.

From the public health agencies' perspective, agencies have faced challenges from covered entities as to the purpose and authority to collect certain information. Many public health agencies have had to develop and provide additional clarification and documentation to support data requests that for years have been in place and functioning appropriately. As I said earlier, several states are going back to state legislatures to strengthen their data reporting mandates.

The voluntary reporting systems that rely on local health care providers and health plans might be the most impacted right now. Also impacted are the way local boards of health, which are important components in the tracking and surveillance of disease systems, have reported some difficulty in getting providers to report to them. It is especially difficult now, they believe, under HIPAA.

Local physicians providing immunization data voluntarily to the public health authority now believe they must account for every disclosure related to this reporting. This is a perceived or added burden that hinders continued reporting under a voluntary reporting structure. The administrative burden that those local providers perceive to account for every disclosure may in fact be a barrier to a local community effort.

So a recommendation. In light of these difficulties, we strongly recommend that DHHS develop a comprehensive educational strategy targeting providers and health plans on the importance of public health reporting, and the ability under HIPAA regulations for covered entities to continue reporting health information to public health agencies. This comprehensive educational strategy should include case studies for specific public health data initiatives, such as the ones listed later in this testimony.

The other area I would like to discuss today is the impact of sharing of public health information between government agencies. Another significant impact of the HIPAA privacy regulations has been on sharing of information between government agencies, federal, state and local. Many of our members report that in some agencies, there seems to be a chill in sharing and providing of data to other programs for program uses or for research. HIPAA privacy regulations are often blamed, but the problem is usually deeper.

Due to real and perceived restrictions and limitations on data sharing imposed by the regulations, compounded by a lack of understanding of permitted disclosures and verifiability, we have witnessed greater resistance to data sharing across public health agencies. Especially problematic in many areas is that a state Medicaid agency may resist sharing data with the public health authority, and this will prohibit or limit the emerging of patient level information to support specific public health programs such as WIC, newborn and child health programs.

The effect of health data organizations, or the effect of the HIPAA rule, I think overall could be summarized as, even data agencies that have mandates and are exempt from the privacy rule are taking a more conservative approach to their data release policies. We are seeing many state health data organizations revising their data release policies. They are revising their public use file. They are instituting more data aggregation, masking, suppression, and adding data use agreements. These are all positive, as long as the agency can work through these and get to a data release policy. It is not positive when these policies are taking a year or more to work through, thus limiting the data flow.

Some of these issues also apply to data exchanges between state and local health and federal and state systems. On this last point, states have noticed a significant shift in how CMS is handling the exchange of health information with states. Both Medicare and Medicaid data are important population-based data sets for state health statistical and public health purposes. Several states report that CMS is non-responsive to their requests to negotiate data acquisition for these populations, be it limited data set or other.

As outpatient data systems are developed, states are looking to augment their inpatient reporting systems with payor claims reported data, and this is a particular problem for those states when approaching public payors to participate in these reporting systems.

DR. FYFFE: Excuse me, Denise. This is your three-minute warning.

MS. LOVE: We strongly recommend that DHHS institute a culture of data exchange and sharing within and across federal agencies. Development of messages and models for transparent and appropriate data sharing practices will build public trust and set an example for state and local agencies. This culture can be promoted by providing an ongoing guidance to federal, state and local agencies, how they can continue to share health information for program operations and evaluations. Example, in case studies on data sharing can be very valuable.

CMS leadership is essential to state Medicaid programs in interpretation of the privacy rule, encouraging proper use of the data by public health. One good example is the work that CMS Medicaid office provided to state programs around EDI and electronic data reporting. We would like this effort to be replicated for data sharing and use. CMS needs to recognize the importance of Medicare and Medicaid data to public health research and quality initiatives.

We would like to see expanding and enhancing of research and training efforts to help database stewards mask and code and encrypt data sets without losing granularity and specificity needed to conduct statistical analysis. Federal-state partnerships should be expanded to build these local capacities for interagency and public use.

We also would like considering of testing of various data models that facilitate data linkage and sharing, perhaps an honest broker model, in which a third party holds the key to identifiable data and encrypt the data for two other agencies to use to create linkages for public health tracking and statistical analysis.

We also recommend that DHHS and the Data Council consider developing a novel data sharing agreement for the exchange of data between government entities. In the past, CMS, CDC and HRSA worked on a similar type of agreement with guidelines for local public health agencies on how to share the data. We believe that is an excellent effort that should be revitalized.

The last area I would like to touch on briefly, government agencies and federal, state and local public health agencies receive requests for health information for external data uses. With respect to these disclosures, we strongly support the approach used in the regulations permitting the creation and use of limited data sets and their release and the use of a data use agreement. Nevertheless, we still find government agencies are severely restricting access to otherwise available data that has been in the past used for program evaluations, blame HIPAA. NAHDO as an organization has been impacted by these resistance for data release.

DR. FYFFE: Denise, this is your one-minute warning.

MS. LOVE: A recommendation is, public health are essential to societal good if used appropriately. We strongly recommend that DHHS develop additional guidance for federal and state agencies that clarify when and how they can disclose health information for other purposes such as policy development, program analysis and evaluation, so not specifically research, but also important functions.

The last area is also the accounting of disclosures. I'll try to shorten this, but this has become an important burden for public health, and in some cases a deterrent for covered entities to continue disclosing and reporting to public health. This has affected voluntary reporting, as I mentioned earlier, to immunization registries, and there are concerns in some states about the reporting of abuse and neglect cases to social service agencies. These disclosures are permitted under HIPAA, and in many states, usually the provider is protected by confidentiality requirements imposed on the social service agency, but the HIPAA accounting of disclosures requires that the provider also report these cases and document this disclosure, which technically could be accessed by the patient, creating a disincentive on providers to continue reporting these suspected cases of abuse or neglect. This needs to be worked through. The states felt this was a priority area.

We strongly recommend that DHHS conduct a formal evaluation on the impact that the accounting of disclosures is having on public health and other related reporting. To the extent that this requirement may dissuade public entities from reporting important public health information, it should be re-evaluated and considered for an exception. Also, DHHS should provide further guidance to public health agencies so that they can be provided to covered entities reporting to them on the documentation of accounting disclosures. We need to simplify and reduce the level and burden created by this requirement on covered entities.

There may be a misconception around what data needs to re reported for purposes of accounting of disclosures, and maybe multiple time disclosures done to the same person or entity for a single purpose do not need to be reported on a per-case basis.

There are a number of other public health activities worth noting in this testimony. I don't know that I have time to go through those, but they are bulleted in my NAHDO testimony.

Concluding comments. We believe there is a significant need for general education in the area of HIPAA privacy and public health. A system of coordinated special technical assistance and guidance is needed for states and public health agencies to help them implement these regulations in a more efficient and effective manner.

One of the recommendations that came up is, OCR should develop a glossary of privacy terms applicable to public health data so that we are using the same vocabulary when we are talking about HIPAA. We feel that expanding CDC's work with states to define small cell sized definitions and rules, important work has been started with the CDC's EPO office. NAHDO and NAPCS have been involved. It needs to be expanded. This is a priority area for many states and data dissemination activities.

We also believe an important -- there is an important opportunity here to establish a mechanism for the public health privacy officers, not just privacy officers in a state, but public health privacy officers to convene and discuss best practices and practical approaches to resolving implementation issues. They will sort through some of those issues and identify priorities, but they need to be convened, and it needs to have an emphasis on public health, not as we have seen with the state privacy officers.

In summary, we strongly believe that the HIPAA privacy regulations are having a significant impact on the ability of public health agencies to carry out their responsibilities. The Department should undertake in the short term a more formal comprehensive assessment of this impact. NAHDO stands ready to continue to work on these issues with the subcommittee and other industry partners to assess public health sectors' work as we sort through these issues associated with the implementation of these complex regulations.

We believe that we have much work that needs to be done. Much progress has been made, and we commend the work of the subcommittee in this area.

Thank you for this opportunity to provide testimony.

DR. ROTHSTEIN: Thank you very much. First, I want to ask the members of the subcommittee if they have any questions of a clarifying nature for Denise Love. If not, the floor is now open for discussion from the subcommittee, questions for any members of the panel, and I'm sure that there are many.

DR. HARDING: I'll start. Thank you all for very excellent testimony starting out here early in the morning. We appreciate that.

Maybe I could ask Dr. Gibson, I know a little bit, not as much as you do, about all of these things. But I know that there is currently a migration going on between hard copy reporting and electronic reporting of epidemiological data from the field. Being in the midst of that, do you see any advantages or problems as that gets rolled out? I think it is one of the early states to do that actually. I just wondered if you had any thoughts about that, that would be helpful to us.

DR. GIBSON: Yes, that is a big topic. The whole United States is currently undergoing a -- maybe revolution is not too big a word, in how we do acute disease surveillance, and in fact, how we collect information in the future to monitor the health status of our population.

What is happening is that acute disease reporting has been a paper system and a telephone system since the end of the 19th century, for over a century, and this system is not only terribly inefficient, slow, incomplete, doctors have to fill out cards, laboratories have to send in paper copies of tests, but is also not very secure. There are pieces of paper sitting on fax machines and on peoples' desks, and being sent through the mail in a big bundle of mail. They open them up, and there are peoples' names and sensitive information about them.

This is being moved with the help of the Centers for Disease Control and bioterrorism funding, and some other funding, to electronic systems, where a provider, a physician, an emergency room doc, a laboratory can bring up a secure screen on a health department's website and key in the reporting data with a lot of guidance, pulldown screens for diagnoses, so we don't have as many issues as what you mean by what you write, and enter this data electronically. So the system is not only easier, faster and more timely, but it is more secure.

There are about six or seven states that have been doing this on their own for the last five or six years. It is a slow process with all the risks of a major IT project, which failed frequently, but they are making slow progress. Most of the states have chosen to go with software and a whole system that CDC funded for several large contractors to write. We were one of the first three states to implement that system and beta test it.

It will make reporting a lot easier and more secure. I could go on for hours about it, but I won't.

DR. HARDING: Thank you. Can I ask one more question?


DR. HARDING: To both of you, or all three, all of you mentioned subtly the issue of doctors or covered entities referring to their liability in their reporting. This is my license and I don't want to go to jail and so forth.

Where does that come from, in your opinion? Or how should that be addressed? As a physician, you do get consultants coming around who say you are going to go to jail unless you follow up on MTALA properly or you do the HIPAA thing. How is that dealt with? Or is it a reality and we have got to tell them that they will go to jail if they don't do the right thing?

DR. GIBSON: I'll start. I hope Denise will come in on this, too, or Dr. Burt.

The HIPAA privacy rule does provide for sanctions for violation of the rule. These sanctions include fines and criminal prosecution. They have a basis for this, it seems to me, and the problem is, it hasn't been very clear what the interpretation, what the criteria are for how big a violation leads to criminal sanctions.

The problem is that decisions are made in a hospital about how they report by the hospital's counsel and the risk manager. Their first responsibility is to protect the institution. So when they don't see a clear interpretation, and they feel that in their very complex system in their hospital, somebody in the records room may send the wrong information, they have to protect the institution.

They also have to protect themselves from financial risks. Their first interpretation was that every time they report a case of meningococcal disease or a child with measles that we are trying to eradicate in the United States to the health department, they have got to make a record in that patient's chart.

Now, that is probably not true, but the clear proactive statement to all of those people making those decisions around the country that there is a simpler way to do it and here is exactly how you do it legally hasn't happened yet, so they assume the worst.

That is a little bit on the subject.

DR. BURT: I will say that we do have cases where when the Census Bureau field representative goes to induct the physician, the physician says, talk to my attorney. It does happen. It may be even happening more now than before, but I think our field staff seem to indicate that these are people who probably would not have participated, anyway. So that is why our total response rate hasn't changed. They are saying, talk to the hand, talk to the attorney, but prior to that they would have said, we don't have time to participate in it, anyway.

DR. ROTHSTEIN: So HIPAA has just provided them with a new excuse.

DR. BURT: Oh, absolutely. Our response rate in our physicians' survey is only about 70 percent in general, any additional excuses are not going to help.

MS. LOVE: I wanted to echo what Jerry said. The question is, what is driving it. The lawyers are driving a lot of this, and there is not a lot of case law; there is a lot of fear. I think people initially when the rule was enacted and effective, we had to remind our members and others to remind their legal staff in the public and private sector about the provision of reasonable and appropriate. That seemed to be overlooked sometimes.

I think the message needs to be carried forward through several conduits. We need a multi-pronged educational intervention. We need to get the message out that public health societal good, that reporting is necessary for those reasons, that it is permitted under HIPAA. They don't go to jail. I think we need some public health leadership at the local level to discuss these public health functions and the importance of them with the covered entities.

I don't want to just blame the lawyers and the private sector. I want to say -- I hope it is okay -- I think there are lawyers in Medicaid agencies and some government agencies that are also closing the barn door to data, because it is easier to just say no than to try to work through how a data exchange outside of the agency is going to work.

DR. ROTHSTEIN: Thank you. John Houston.

DR. HOUSTON: A couple of questions. I guess one question is, has there been any public backlash at all, or complaints regarding this type of reporting? Is there anything that you have heard from the public that says this is something you shouldn't be doing under HIPAA, or we are concerned about your practices?

MS. LOVE: I think I don't see any concerted backlash, but I think awareness has been raised by HIPAA, the general public awareness.

DR. GIBSON: From my state and from our membership, state and territorial epidemiologists, I have not heard any examples of backlash in the sense I think you are referring to, of people citing examples of being concerned about release of health data. It must be happening, but I haven't heard of anything prominent.

What we do hear about is the reverse. Our news media requesting, demanding, identified information on cases and outbreaks, which we have to refuse to release.

DR. HOUSTON: It would be interesting if OCR had any filed complaints regarding public reporting on these types of activities. I wonder if we can ask somebody from OCR whether they actually have heard of any questions or complaints in that regard.

DR. GREENBERG: Would you speak up?

DR. HOUSTON: I was just saying that I think it would be helpful to ask somebody from OCR whether they had fielded any questions or complaints specifically related to public reporting or these types of activities, see if there is anything coming from individuals regarding these things.

DR. ROTHSTEIN: Maybe we can get that information either by our next subcommittee hearing or certainly the full NCVHS committee meeting in March.

DR. HOUSTON: I do have a second question. Have you attempted to get assistance, either from OCR or from other agencies, and found that the assistance was lacking? You have all talked about needing to do education and training and provide additional materials to help clarify HIPAA especially to the covered entities, but have any of you tried to actually seek out information, and were you successful, or were there issues?

DR. BURT: Well, I don't want to say anything too negative here, but we needed to have information very early for our survey procedures, because they started in January. So I was frantically trying to get help in November of last year, so that we could finalize these materials, and it was -- OCR was still trying to figure it out. Everybody was trying to interpret it. Every government agency I talked to interpreted it a different way. So it was very hard at that time.

I think after that, like after January or February, help was more forthcoming.

DR. GIBSON: Yes, both before and after the implementation of the privacy rule last spring or so, our agency and I have heard in conversation with a number of other states, sending in e-mail or sending questions about specific issues to OCR, and it has been -- the replies have tended to be very focused and in language that limits their applicability.

For example, on their website they have posted several responses in their Q&A's on the website that do deal with one of the biggest issues all of us have talked about, of accounting of disclosures to public health, but none of them really come out and say clearly, here is what you can do to not have to account for every record, or to do detailed accounting of every disclosure, but instead in a feasible way to be able to account for a standard process, and general statements of why they report to public health and during what time period.

The statements have not been clear enough for the hospitals or our own attorney to say, we can go public with a policy statement to hospitals saying it is okay for you to use this simplified method. The attorneys have not felt that there was enough from OCR to make that statement.

MS. LOVE: One other issue that has come up that I will raise, I don't know if it is an OCR issue or a CMS issue, but there seems to be some firewall when we are talking to states about Medicaid data that CMS is responsible for implementing and enforcing the transaction aspects of HIPAA, OCR with the privacy rule aspects, there seems to be that firewall in CMS, so that may be a hindrance around some of the data disclosure issues for Medicare and Medicaid.

DR. ROTHSTEIN: Thank you. Dr. Cohn.

DR. COHN: Good morning. It is a little after seven in California right now.

I was hearing two things, and I couldn't decide whether one problem is 50 percent and the other is 50 percent, or whether we are dealing with an 80-20 situation. I was curious about your views, and Denise, yours also.

I think what I am hearing is, A, there is an issue around education and clarification, all of that related to trying to help providers understand how to do this easily, or assuming there is a way to do it easily. Then there is the other piece, which I think is the hassle factor related to tracking disclosures, which we all know is a hassle.

I remember as we looked through our recommendations historically on privacy, I think we started out initially with our first set of recommendations as a set of fair information practices, that I don't believe required a lot of tracking of disclosures or otherwise. Obviously it has evolved to more disclosure tracking at this point over the years as the regulation has come to fore.

One piece is education, the other piece is disclosure tracking. Is this just an education issue and a clarification issue from OCR? Or does there need to be something done, some minor or moderate modification made to the disclosure rule to make this happen easier? What is your sense of this?

DR. GIBSON: I'll start out.

MS. LOVE: I'm on the phone, so I can't read verbal cues.

DR. ROTHSTEIN: Okay, you will go second on this. First Jerry is going to speak, and then you'll get your response.

DR. GIBSON: The next one you go first. Again, we have sought comments from the other 50 states, D.C. and large cities, on this kind of question in the last week or so. One comment I have heard from several states is, since TPO, since treatment practice and operations disclosures do not need to be tracked under the rule, why do disclosures to public health need to be tracked? It didn't really seem clear what public benefit there was to accountability for public health disclosures, since they are mandated by state law, so far as I know, in every state and territory.

But yes, I think we want to say that it is first of all an issue of clearly educating the thousands of covered entities who have to provide this information to public health in a timely manner, with sufficient detail for public health to act on it, and by the way, it is important to point out that for acute public health response activities, we have to have identified or identifiable information. You can't back to the contact, in the case of meningococcal disease, with antibiotics within a day unless you know who they are.

Same thing for a case of measles or a potential bioterrorism outbreak, or for a new person with HIV who needs to be linked to services and get educated about transmission. You have got to be able to find them. You can't link one data set to another, which is vital to understand the relationship of HIV cases to tuberculosis or many other problems, unless you have got identifiers.

DR. ROTHSTEIN: Excuse me. John, you had a question?

DR. HOUSTON: What prevents you from going back to the covered entities and indicating to them that they need to contact those patients regarding HIV or therapies or whatever you need to do?

DR. GIBSON: Because they don't, they can't, they won't. As a prior practicing physician, I understand why. They don't have the time. When you are an emergency department, when you are a hospital, and the perception of hospitals is that they are in a competitive business with tight profit margins to stay afloat, and they are not going to take on a substantial other activity which belongs to public health of doing the public side of prevention, of going out to the contacts to offer them preventive services. The providers just aren't going to do it.

This has been a practice for a century, of public health doing the public side of going to the contacts, to the external people affected by a disease, and providing them with preventive services, or linking them to treatment services.

Let me get back to the -- I'm trying to think where we were in this. Let me make sure I've got the question straight for this now.

DR. ROTHSTEIN: It was about accounting for disclosures.

DR. GIBSON: Yes, accounting. I think the first need is to educate the many providers who see the requirement to account for disclosures of reporting data to public health on the simplest way that they can do it, in a way that their attorney or risk manager will feel is comfortable to commit to.

We will be happy to disseminate it, that is, state public health, if we can get a clear unequivocal statement in everyday language of just what is an acceptable method of accounting in a general accounting of routine blocks of disclosures, so that it is clear we can say, you do not have to account for individual disclosures, and here is language from OCR that makes that clear.

DR. ROTHSTEIN: Denise, before I ask you to comment on the accounting issue, I'd like to ask a followup question, and I'll let you have the first response, and you can choose to answer either question, or just give a statement.

That does relate to the accounting issue. As the rule currently reads, there is a requirement that individuals, that is, covered entities, account for disclosures to public health and other disclosures that are not pursuant to an authorization. However, there is no requirement that there be an accounting for disclosures pursuant to an authorization, the theory being because you have signed the authorization, you should know that there may be disclosures.

One of the things that we have talked about in the past, but has not reached our recommendation stage, is to suggest possibly that these two actually be reversed. In other words, I think you could make an argument that there should not be a requirement to account for disclosures to public health that are mandated by law, because that would be part of the notice of privacy practices that you disclosed to individuals. Here are practices, we have to report these. There is a law that does that. That is what was done for many years before HIPAA. On the other hand, I think one of the values of reporting, notifying an individual that there has been a disclosure pursuant to an authorization, is because when you sign your authorization, you have the right to revoke it. If you are now notified, I signed this and I didn't realize they were going to send it to 12 different marketing people just because I signed this one thing, I'm going to sign a revocation and not let them do that anymore. You can't revoke in the public health context, because it is mandated by the state. So I was wondering, this is probably not the only panel that we need to explore this with, because I have an idea what your view on this would be, whether you would like to comment on the possibility of perhaps amending the rule to change these accounting requirements.


MS. LOVE: I strongly agree. It came up in our member call, that very thing, that there needed to be some way of perhaps globally identifying those public health reporting mandated by law in general, and that would suffice for the accounting of disclosures.

So I agree with the statement that you made. It would be consistent with the members on the call and the discussion that we had.

DR. ROTHSTEIN: Thank you. Cathy or Jerry?

DR. BURT: It seems odd to me that a covered entity has to keep a report of public health disclosures, number one. But I don't like to see things tied too closely to the privacy notice that they have given to the patients, because we don't make it our business to doublecheck whatever the providers' privacy notice said or didn't say. The privacy notice may not say that they -- they may choose in their privacy notice that they gave to patients to not say that they will be given out for research or public health purposes, and they just keep it to TPO.

But we made it our business that we are not going to check up. That is up to the provider. We are still going to go in and ask. But they have to match things back to what their authorization said, and what it doesn't say. If the patient signed something that said they were going to give their data for public health, that is just too much --

DR. ROTHSTEIN: The only thing they would sign is that they received it. It is not asking for their assent or anything.

DR. BURT: At any rate, we don't want to make it our business to get involved in whatever those privacy notices say or don't say. But in general, I believe that for public health purposes, no accounting of disclosures should be necessary.

DR. COHN: Just a point of clarification. My understanding of the rule at this point is not that there is a duty to sign the fair information notice, but a duty that the provider sends it out, or has a duty to try to get people to sign it if at all possible.

DR. HOUSTON: It is just an acknowledgement that they have received it. It doesn't have to indicate that they have read it, agreed with it. It just acknowledges that they have provided it.

DR. COHN: Thank you.

DR. ROTHSTEIN: Make a good-faith effort. Gail.

MS. HORLICK: It is also important when discussing disclosures to public health to recognize that we have been talking about public health disclosures that are mandated by law, and to bear in mind that many disclosures to public healths that now have to be tracked are voluntary disclosures and not mandated by law.

DR. ROTHSTEIN: I think that is a very good point. We would still need to address somehow the issue of permissive disclosures for public health purposes.

Let me ask if there are any other members of the committee -- Russ.

MR. LOCALIO: I want to apologize to the committee that I was late, courtesy of Amtrak.

I want to thank Richard for bringing up the point of the fear of liability. I do want to ask those who are presenting testimony today to go back to their members and ask them to please report those instances.

I know of one report of an instance in which legal counsel gave advice that was in conflict with the rules, and that was my report. It had to do with legal counsel from my institution saying to us that a limited data set required an accounting as a disclosure. That was confirmed by a special counsel downtown. Yet, when I called HHS to report that, the comment was, please tell those attorneys to read the regulations.

So I think that if there are instances that are obvious like this, and your members can report them, it is much better to hear specific examples of specific cases with the facts than to hear general testimony, to say, this is a problem, and the attorneys are giving advice that is very conservative. I think we all know that, that that is the role of a risk manager, to be as conservative as possible.

There is no downside risk to giving advice that errs against public health. There is no downside risk. The only downside risk is giving advice that may cost the institution some money. Thank you.

DR. ROTHSTEIN: Dr. Zubeldia.

DR. ZUBELDIA: I am trying to think out of the box here. One of the common threads has been the burden enforced on the providers to account for disclosures. That has been a common problem.

Is it feasible or reasonable or possible for the public health authority to give the provider a report of disclosures it has received, to help the provider in the accounting for disclosure?

DR. BURT: That is what we do. We give them a notification that they can keep for a patient that we abstract the data for. In the case of hospitals, where we collect a lot of data, we give them a document that says how many records they have disclosed.

DR. ZUBELDIA: And names of the patients?

DR. BURT: If it is more than 50, you don't need to keep individual accounting.

DR. GIBSON: This is what a number of state health departments and probably some urban ones are attempting to do. It is because most surveillance reporting data goes into an electronic registry of some kind that is highly protected.

We would like to say that yes, we can help you with accounting, because we have a record of what you have reported to us. The problem is that it isn't as easy as it sounds, because there are so many different data flows.

I'll give you one example. There are reports of syphilis tests. That is how we find out about syphilis cases, and go out and offer a contact prevention. Some of these come in and are not entered in the registry because they are out of the range where they are likely to be real disease. It would have to be a lot of new data systems for us to provide a complete accounting to the reporters.

Also, what evidence does their risk manager have that we really are going to provide this when the chips are down and they have to account to a client who asks?

So yes, we are trying to do that, but it is not 100 percent reassuring to the reporters.

DR. ROTHSTEIN: Finally, Dr. Harding.

DR. HARDING: A quick question, I hope. Are either of you aware first hand or second hand of HIPAA hindering the assessment or the containment of an outbreak such as the hepatitis-A thing in Pennsylvania, SARS? I guess SARS was before April, but do you have any knowledge that HIPAA has hindered that kind of thing?

DR. GIBSON: I'll go first and let Denise come in, too. I can give you one example to my mind. I don't know of a lot of them. The problem again is that we don't know what is not reported to us.

I had one example a minute ago. There are not a lot of examples of this. We could ask for them.


MS. LOVE: I'm not aware of any specific -- I only heard part of the question; hindering assessment or outbreak reporting?


MS. LOVE: I have not heard of any specific non-reporting due to that. I think in theory, there is some concern about certain sensitive or reportable conditions that in theory the patient would be notified of such reporting and who reported. But that is theoretical, and it is just a concern that has come up.

I wanted to say one more thing about the accounting. My experience on one IRB is that some of these accounting procedures from public health are ranging from putting a letter in the patient chart to batch reporting. So I think we are seeing various practices all over the place, so maybe some guidance as to what is efficient and works well.

DR. ROTHSTEIN: We want to thank all the members of this panel for their testimony. That was very, very illuminating, and I'm sure we will be discussing it throughout the next day.

We will take a break now and resume with Panel 2 at 10:50.

(Brief recess.)

DR. ROTHSTEIN: Our first panel member witness is Gail Horlick from CDC, former lead staff to the subcommittee and currently a staff member to the committee, who is going to be presenting some information about immunization.

I want to alert the members of the subcommittee that there is a written document from CDC, a more general testimony in your packets, so Gail's remarks will be limited to immunization registries.

Agenda Item: Panel 2: Public Health

MS. HORLICK: Good morning, Mr. Chairman, and members of the subcommittee. My name is Gail Horlick, and I am a public health analyst at the Centers for Disease Control and Prevention in the national immunization program for NIP. Thank you for the opportunity to testify on the impact of the HIPAA privacy rule on reporting to immunization registries and the sharing of immunization related information.

For the past several years, I have closely monitored the potential impact of the HIPAA privacy rule on immunization activities while serving as the point of contact on the privacy rule for NIP's 64 immunization grantees.

Initially there was much angst about the implications of the privacy rule among public health officials and covered entities, and there were many misconceptions about what was permissible. There were numerous reports of providers refusing to disclose information to public health authorities as they had traditionally done. Through a variety of proactive efforts, CDC has informed its partners, including state and local health officials and health care providers, that HIPAA permits disclosures to authorized public health authorities without individual written authorization. These concerns have largely, but not completely, dissipated.

My remarks today reflect the experience of practitioners in state and local health departments. To assess the current situation, I requested information on the impact of HIPAA on our grantees in every state, the District of Columbia, five urban areas and eight territories. This testimony was reviewed by those that provided substantial input to insure that it accurately reflects the comments that are received.

I will describe three areas where NIP has successfully addressed many providers' concerns about sharing information with public health under HIPAA. One, disclosure to immunization registries; second, site visits to provider offices to assess vaccination coverage levels and for accountability purposes, and finally, provider disclosure of perinatal hepatitis-B case information to public health. I will also discuss the disclosure of immunization information to schools, an issue that still concerns many public health practitioners.

First, with respect to immunization registries, immunization registries are confidential computerized systems that collect vaccination histories and help insure collect and timely vaccinations for children and in some cases adults. Some states have laws or administrative regulations authorizing a registry. A few of these laws mandate reporting to the registry and others permit reporting. In addition, several state laws address the sharing of immunization information without specifically authorizing a registry.

Even before the publication of the final HIPAA privacy rule, practitioners at the state and local level reported that many providers were questioning whether they could continue to report information to immunization registries. To address this concern, I gave several presentations at national conferences, hosted conference calls for state and local immunization program staff, prepared updated information for our website, and responded to numerous e-mails and phone inquiries on the potential impact of the rule and permissible disclosures. I frequently referred to the guidance documents prepared by the Office for Civil Rights, OCR, and more recently to the frequently asked questions on their websites to response to other registry related questions.

For example, information in the December 2002 OCR guidance document and a subsequent FAQ alleviated concern about whether registries and providers could continue to send reminder recall post cards to patients. An example of how Massachusetts used this information to educate providers is included in your packet. I along with other CDC staff collaborated with HHS to develop a guidance document, a HIPAA privacy rule and public health guidance from CDC and the U.S. Department of Health and Human Services, as a special supplement to the MMWR. This document is an extremely valuable resource, and many states have used it to develop educational materials for providers and other partners.

As a result of these efforts, I no longer hear reports that providers are refusing to disclose information to immunization registries because of HIPAA. However, in Tennessee the department of health staff reports that some providers request a signed authorization to disclose immunization information to the health department, despite the HIPAA guidelines that they have prepared and faxed to provider offices. As a result, patients spend more time in providers' offices and more health department staff time and resources are devoted to obtaining the information.

With respect to provider site visits, since 1993 public health department staff or their contracted agents have conducted site visits to provider offices to perform a quality improvement process called assessment, feedback, incentives and exchange known as AFIX. AFIX is a public health strategy to raise vaccination coverage levels and improve standards of practice at the provider level.

The vaccines for children program known as VFC is a federal entitlement program that provides vaccines at no cost for children in certain eligibility groups. In both cases, staff from the health department or their agents review randomly selected records in the provider office. During AFIX visits, immunization coverage levels are assessed and providers receive feedback on their immunization practices. The purpose of VFC visits is to assess compliance with the VFC requirements, including appropriate vaccine handling storage and ordering, and proper documentation of children's VFC eligibility status. AFIX and VFC visits may be done separately or at the same time.

In a number of states, health department staff informed CDC that because of confusion about HIPAA, some providers would not permit them to review their records for an AFIX or VFC site visit as they had traditionally done prior to HIPAA.

I worked with the CDC ATSDR branch of the Office of General Counsel and CDC's privacy rule coordinator to develop a HIPAA fact sheet and a memo on HIPAA and public health site visits. The memo states that covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes.

These documents, which are included in your packet, were sent to all of our immunization grantees and to the Association of State and Territorial Health Officials, the American Academy of Pediatrics, and the American Academy of Family Practitioners, with a cover letter from Dr. Walter Orenstein, Director of the National Immunization Program.

These materials have been extremely effective in correcting misinformation and insuring the continuity of AFIX and VFC site visits to provider offices. In fact, one public health official told me that she and her staff always carry this information with them.

While we have resolved most issues relating to disclosures to public health, a concern remains regarding access to non-immunization related information during the site visit. In Hawaii, some providers in a large managed care organization are concerned about how to insure proper access to the required immunization data while limiting the improper disclosure of other information in the chart, particularly when an electronic record is involved. They are considering requiring an authorization if limited disclosure cannot be insured. Similarly, state health department staff in Hawaii experience delays in adopting AFIX and VFC site visits while they waited for clarification on procedures to follow then provided with the entire patient record.

I will now discuss the sharing of perinatal hepatitis-B case information. Several states have reported that providers are unclear whether protected health information needed for perinatal hepatitis-B surveillance and followup of case contacts can be disclosed. Laboratories identify pregnant women who are infected with the hepatitis-B virus and report this information to state or local health departments for further followup.

In order to insure that infants born to these women did not become infected, the health department opens a case file that contains information on the mother, the infant and any household or sexual contact. The health department must insure that the infant receives the hepatitis-B immunoglobulin, and the first dose of hepatitis-B vaccine within 12 hours of birth. It must also insure that these infants receive the remaining two doses by six to eight months of age.

NIP receives an average of one or two reports a month from state or local health departments that physicians, primarily pediatricians, do not want to release information on the administration of subsequent doses of vaccine and post-vaccination testing because of HIPAA.

Misperceptions about what is permissible under HIPAA were particularly problematic during an acute hepatitis-B outbreak in the intravenous drug user population in Montana. A public health nurse encountered a four year old boy with no recorded hepatitis-B vaccination history. His mother was an intravenous drug user. It was important to confirm whether he had received his hepatitis-B vaccine series as an infant.

A nurse in Montana called her counterpart in a neighboring state where the child had supposedly been vaccinated for the immunization information. Staff at the state level said they could not release the information because of HIPAA, and they referred her to the county health department, where they refused for the same reason, and referred her to the Indian Health Service.

Staff at the Indian Health Service said that because of HIPAA, they would not be able to release the information without a signed release from the mother. They also wanted the authorization mailed to them so they would have the original signature.

Fortunately, the nurse in Montana was able to locate the mother and comply with the request. The child's records were then mailed to the Montana nurse, as the Indian Health Service staff believed that faxing was not permissible under HIPAA.

Efforts to educate providers about permissible disclosures under HIPAA have largely been successful. One state reported that providers do not always follow CDC guidance if they receive different advice from their legal counsel. Another state reported that legal advisors in their state health department and their administration hold different views on the interpretation of the law, making it difficult for them to proceed.

Several states have expressed concern about the impact of HIPAA on the disclosure of immunization information to schools. Providers can disclose this information for treatment purposes. However, in most cases school nurses need the information to assess compliance with school entry laws. In many states, they cannot disclose this information without a signed HIPAA compliant authorization. In some states, the health department conducts covered functions and the school can no longer access the child's immunization record to verify the vaccination history without the authorization.

It is clearly the parents' responsibility to obtain this information from the provider and bring it to the school. However, this frequently does not happen. In some cases, the parents don't know which provider has the history, and in other cases they are unable to get to the provider to sign the HIPAA compliant authorization. Consequently the children are re-immunized. A nurse in New Mexico reported that she frequently hears comments from parents, go ahead and just give him the shot, I can't take time off to sign a paper. The time involved to obtain the record varies, but the practical effect of the HIPAA authorization requirement is that some children receive duplicate immunizations and there are delays in school entry for other children because they are excluded from school until they show up to date vaccination status. And because the nurses must spend time obtaining records, there is less time available for health education and clinical care. Concern was expressed about what is perceived to be an additional barrier for overtaxed parents with limited resources and limited access to health care.

While this is a very important issue in some states, it is not clear how many states are experiencing this problem. Not all states require an authorization to disclose immunization information to schools. In a few states, the school is a public health authority, and the definition of a public health authority is included in your testimony. In Massachusetts, for example, schools can collect and receive this information to comply without an authorization.

In other states, public health laws specifically allow a patient's immunization record to be shared. South Dakota has such a law, that allows sharing with schools, and a copy is in your packet. In some states, a public health law authorizes the information to go to and from a registry, and some of these laws permit schools to disclose information to and from the registry. It is my understanding that in these states, they are not requiring a HIPAA compliant authorization for entities to disclose information to schools.

CDC NIP staff refers practitioners to legal counsel in their state for interpretation of HIPAA and the relationship of HIPAA to state law. In the absence of a legal interpretation supporting disclosure to schools without authorization, the CDC NIP advises that a HIPAA complaint authorization be obtained.

In conclusion, I would like to express my appreciation to the Office for Civil Rights for the excellent guidance documents and the FAQs on the website. They have been invaluable in our efforts to educate public health practitioners and providers and to facilitate the continued flow of information to and from public health that is so essential for a healthy population. CDC looks forward to collaborating with the OCR to develop additional guidance for our immunization grantees and partners on the disclosure of immunization information to schools.

Thank you.

DR. ROTHSTEIN: Thank you. Any questions? Mr. Orren, please.

MR. ORREN: Good morning, Mr. Chair and members of the subcommittee. My name is Dave Orren. I am a data practice coordinator for the Minnesota Department of Health. I am also a lawyer. The earlier testimony reminded me of the musical Damned Yankees. I think the HIPAA musical is going to be called Damned Lawyers, but we'll see how that works.

I want to thank you very much for the opportunity to discuss the impact of HIPAA on public health practice. We have had years of anticipation and now seven months of actually dealing with it, and there is certainly plenty to discuss here today.

Before I get to the meat of my testimony, I want to quote the Congressional mandate regarding public health and HIPAA. It comes from the act itself. It states, and I quote, nothing in this subpart shall be construed to invalidate or limit the authority, power or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance or public health investigation or intervention, unquote.

I know that even if HIPAA was entirely transparent or a pass-through for public health, there would have been all of the burden of the transition phase. I'll talk about that only a little. We would have had to study it, we would have had to learn it, we would have had these bumps in the road, but I do believe that there are ongoing structural things that you can deal with.

I want to mention also that Minnesota Department of Health is not a covered entity under HIPAA. We are separate from our Department of Human Services. We did the analysis. The huge majority of our programs are clearly public health and clearly not covered by HIPAA. We had to do a more careful analysis of three of our programs to determine that they were not covered by HIPAA, and we did that. However, even though we are not covered, we are indirectly affected, significantly indirectly affected, by HIPAA on public health practice.

In Minnesota we have had strong patient privacy laws and patient rights of access for many years. I don't think HIPAA will make a big difference as far as patients are concerned, other than the huge load of paper it will get with their notice of privacy practices. However, one good thing that has been caused by HIPAA is the attention to privacy. This has led to additional training and much better awareness of privacy. So I think that is laudable.

In general, we still get much of our data that we need for public health. Like I said, there have been bumps in the road, and there are problems to resolve. The biggest one has been mentioned again and again, but I'm going to bring it up again because it is the biggest one that I see, and it is disclosure tracking.

Disclosure tracking creates a disincentive for providers, certainly for voluntary reporting, and I think also for mandatory reporting. It is extra work and resources needed to track those disclosures, and that makes providers try to avoid that. This has been mentioned. Some providers and plans have interpreted disclosure tracking to mean that they must annotate each patient record whenever a routine or non-routine public health disclosure is made. That is burdensome.

DR. HOUSTON: Did you say that was the biggest issue?

MR. ORREN: I think that is the biggest issue.

DR. HOUSTON: Thank you.

MR. ORREN: The disclosure tracking and the disincentive that it provides.

The requirement to track disclosures has a big impact on voluntary immunization registries. We have a voluntary registry in Minnesota. The law permits the sharing of immunization data between the provider, between public health, between schools, and there are a couple of other entities listed there, but it is voluntary.

We have had some providers ask patients to sign authorizations as a way to avoid disclosure tracking. I can see how this would reduce the amount of information getting into an immunization registry, because it is one more hassle for a parent to have to do, so they are not going to do it. But my conscience is clear, because I can't see how this would protect privacy any better. I don't think it is a good idea to ask them to sign an authorization, because I don't think it would protect privacy because we have an excellent record, looking forward and backward, on protecting privacy.

We are working on a couple of public health studies, where health plans have asked the department to use a limited data set and a data use agreement as a way to avoid disclosure tracking. I don't see how a limited data set would protect privacy any better than the privacy practices and privacy laws that public health has to operate under already. However, I do see that this reduces the amount of data that we have to analyze, and it increases the burden of getting the data, because you have to go through the procedure of promising not to disclose. We are already under penalty of law in Minnesota to not disclose these things.

The last point on disclosure tracking is, if it is interpreted to mean annotating each patient record, it will seriously limit provider and plan participation in voluntary hospital discharge databases, and in health care billing databases. Those type of databases are huge amounts of data, and if each record had to be annotated, that would basically kill a voluntary program, because the plans would not be able to do that.

So part of what we are talking about are educational materials for providers and plans. I believe in your packets -- I don't think they were available for handout, but we had a couple of brochures that we have done at the Minnesota Department of Health. One is on communicable disease reporting in HIPAA, and the other was on sexually transmitted disease reporting frequently asked questions. Both of those tell the provider that they can give it under HIPAA. I think that has been pretty much resolved. They know the chapter and verse that allows reporting to public health, whether it is mandatory or discretionary.

We also include information on that about a general disclosure tracking that they can do, the first and the last. It is an interpretation of the disclosure tracking, the general tracking in HIPAA. But it is not well known, and truth be told, a lot of providers have said we are not so sure that that is legit, that we might have to do more than that. We don't want OCR or whoever enforces this to tell us that we are wrong in retrospect.

I also want to show you -- and this is also I believe in the subcommittee members' packets -- a notice of patient rights that we do in Minnesota. It is a one-page Cliff Notes version of the fact that patients' records can be disclosed without their consent. In Minnesota the word is consent, in HIPAA it is authorization. That is another small bump in the road, the different terms.

But with that, we have a link to our website where we have a nine-page listing of statute by statute, that allows non-consent disclosure release of patient health records. I would say that this is a mature draft of the document, in other words, not too many revisions, but it is not a final draft. In looking it over and preparing for this testimony, I saw a couple of things that I would add to it.

So the reason that I bring this up is that it gives you some idea of what would have to be done, and what you would have to put into the general disclosure tracking to notify patients if you are going to allow this general tracking, if OCR was going to come out with the advice that you make a clear statement of what the general disclosures are. Then that would be enough to inform patients. I think this document would have to go through another several drafts as we learn from providers what wasn't included in here.

So while testimony earlier said you just have to have OCR say this, the word just in front of it is not appropriate. It is a huge undertaking. I think it is possible, but again, it is not that would be de minimis. So keep in mind, this is what you are looking at, at least as a starting point, for this general tracking that providers can give. So if I went in and asked for disclosure tracking, they would list probably zero that remain otherwise, because almost all of these trackings that are required are for this type of thing. This includes not just public health, but all the other ones under the statute that we found, the fire marshal or the department of education or victims of serious threats of physical violence, and so on. But it is a starting point.

If any person in the audience would like these, I can give them copies. If they want educational materials or that type of listing, if they want samples of that, I can certainly give them to them.

We have done some mandating of public health reporting where it was voluntary in the past. We have issued commissioner's orders, where in the past we did not have to do that to make it mandatory, so that HIPAA wouldn't get in the way. We have also adopted rules to make things mandatory where they were discretionary in the past.

One other thing. The public health staff at the department, working with the sharing of immunization data, have asked me to raise this issue with the subcommittee. The attention to HIPAA has shined the spotlight on the federal family educational rights in privacy act, otherwise known as FFERPA.

I know that FFERPA is not today's topic, but this is a problem. Most states have mandatory student immunization laws, along with requirements for schools to monitor student compliance with these laws. In fact, students can't come to school if they can't show that they have been immunized.

An efficient way to monitor student compliance is an immunization registry. Yet FFERPA, while it would allow data to go to the school, doesn't allow data to come from the school to the registry. Schools don't have the lion's share of the data, but they do have a significant amount that would be very helpful to get back into the registry.

So as far as that goes, I think disclosure tracking is a structural thing that needs first an interpretation. It is not just education; that question was asked earlier. I think it needs a clear interpretation by OCR or whoever, and then it involves education. My interpretation isn't anything that a hospital is going to follow if their risk manager says, I don't know, OCR hasn't said that. So the interpretation should be there, then it will involve education.

I have listed a number of bullet points on the bumps in the road that we have encountered. We have encountered the hepatitis-B mother or pregnant women who gave birth, and the hospital did not want to report it, would not report it until we twisted some arms, because the baby has to get prophylaxis within 24 hours to prevent transmission of the disease, this chronic disease, to the baby. That is a function that we have done for quite some time in Minnesota. HIPAA got in the way of that. But I think that is a bump in the road; that is something that has been smoothed out, and I think won't occur anymore.

I want to also say that we endorse the comments made by NAHDO. I reviewed them and participated in the phone call that was involved in drafting them.

Bottom line. Public health has gotten access to very sensitive health data for 100 years, and for 100 years we have protected that data. We have done an excellent job of protecting the privacy. I think any recommendation you make as to how this disclosure tracking is done should have that in mind, that it is not going to be a wholesale release of records if disclosure tracking is adjusted to allow for public health practice to continue as it had.

So again, my conscience is clear. I think a change would not impede or infringe on anybody's privacy. I think a change would actually help public health to get back to where it was.

I want to thank you all for this great opportunity. I have talked about these things to the wind before, but now -- and to many of my colleagues, but now you have a chance to actually do something about it. So thank you.

DR. ROTHSTEIN: Thank you. Now you have found a whole group of people who have been talking to the wind.


DR. ROTHSTEIN: Dr. Larson.

DR. LARSON: Chairman Rothstein and distinguished members of this Subcommittee on Privacy and Confidentiality, I welcome the opportunity to appear before you today to discuss the impact of implementation of the regulation which everybody here seems comfortable to just call HIPAA of 1996 on certain public health activities, specifically the medical screening of newborns.

As presently senior physician and former medical director of the New England newborn screening program, I am involved in the testing, reporting and tracking of medical screening results for newborns. The New England newborn screening program, considered a hybrid covered entity under the HIPAA guidelines, presently provides state mandated newborn screening and testing services for babies born in Rhode Island, New Hampshire, Vermont, Maine and Massachusetts and effective January 1, the state of Pennsylvania.

Annually, approximately 150,000 newborns right now are screened by the New England newborn screening program. Additionally, the New England newborn screening program provides a comprehensive newborn screening program for babies born in Massachusetts, which includes testing, reporting screening results and tracking that includes short, long and what I call medium term, which is not well defined in the literature.

As background, I would like to review some of the current practices and principles of newborn screening. Presently all newborns in the United States are offered newborn medical screening, though the conditions screened for vary from state to state.

Determining disorders that are appropriate candidates for newborn screening requires careful consideration of there fundamental aspects. First, the natural history of the disorder must be such that there is an early pre-symptomatic or latent phase during which clinical detection of the disorder is not routinely possible, and in which a later or delayed diagnosis adversely affects the outcome of the individual.

Secondly, there must be a high throughput test available which is safe, precise, reliable and sufficiently sensitive to detect the presence of the disorder in the presymptomatic phase. Finally, there must be an available intervention that when applied earlier as a consequence to screening detection of the disorder, leads to improved outcome for the identified affected newborn.

Because target disorders are rare and the signs of the disorder are not readily apparent during the latent period, newborn screening is necessary and therefore makes sense to be universally available. That is, the entire newborn cohort should be screened. Insuring access to testing, diagnosis evaluation and treatment has been a public health endeavor since 1962, when it began in Massachusetts. The newborn population presents unique challenges for universal public health initiatives.

Newborns face many changes in the first days of life, including dynamic hormonal and metabolic adjustments to the extrauterine environment. Multiple medical providers, obstetricians, midwives, neonatologists, pediatricians and ultimately the primary care providers in their medical home may even face the challenge of name changes frequently in that newborn period. While these changes are occurring, there is a limited window of opportunity for detection of newborn screening target disorders.

The growing list of target disorders currently tested for in our program includes many disorders that can have adverse outcomes in the first days to weeks of life if not promptly recognized and treated. Insuring an efficient mechanism for collecting specimens from all newborns which can be promptly transported to a testing laboratory, and insuring communication of laboratory results to the medical home, and ultimately appropriate early treatment interventions has required the development of systems for both tracking both incoming specimens, outgoing results, and tracking treatment.

There are several reasons to consider newborn screening a public health mission. One is access to screening and subsequent testing and interventions. Another is the potential benefit to society of early identification and treatment for disorders, which if later detected incur high chronic societal and familial medical costs.

Additionally, then a new epidemic occurs, be it infectious or genetic, for example, screening may provide an early opportunity to identify the source and extent of the epidemic, and to possibly provide valuable information which may protect the public health.

Nonetheless, there are costs to testing and followup such that as a public health program, the potential benefits must be weighed in the context of the expected gains. Because only a few diseases fulfill completely the requirements to be considered appropriate for newborn screening, there is judgment and tradeoff involved in finalizing the target disorders and the screening strategy.

Some states have relied on advisory committees to guide policy on newborn screening. The details of such process are well documented in a publication of the process that Massachusetts went through prior to expansion in 1999. The relevance to this committee is this: it was pre-HIPAA, but it caused many of the same types of discussions about privacy, because as you all know, the HIPAA guidelines were put forth in '96, so the fact that we were expanding in '99, even though we weren't going to be asked to be in full compliance until a later date, was relevant.

I have been asked to discuss with this committee some of the challenges encountered by the public health newborn screening program since implementation of the HIPAA privacy rule. Generally, perceptions and misconceptions about the impact of the HIPAA privacy rule -- we are not the first to say that -- are not the rule itself. There seems to be this misconception as the primary challenge.

Fear of noncompliance with the privacy rule has led to instances of over compliance, which can jeopardize the quality of newborn screening and impede best practices in newborn screening. By incorporating continuous quality improvement standards and refining screening algorithms, public health screening programs offer the opportunity for improving the public health and the health of individuals by allowing this timely identification and appropriate intervention for newborns.

As additional types of screening tests and technology become available which further the implications of test results for an individual in the context of a larger circle of individuals, hereditary or geographic, for example, we should seek to preserve the public health mission with respect also for the issues of individual privacy.

Efforts can be made at this important juncture to develop working models for integration of public health testing within a framework that recognizes issues of individual privacy, and makes reasonable efforts to protect those.

To the extent that newborn medical screening can be considered an example of this complex interface, I would like to provide a few examples I have encountered in the past seven months while working at the newborn screening program. I am only giving you examples of the newborn medical screening, not the system activities, because that wasn't my charge to this committee. Some of the strategies our program is using to improve the education and understanding about HIPAA privacy rules that relate to best medical practices.

The most commonly encountered scenarios relate to, number one, verifying that the appropriate medical provider receives an out of range result in a timely manner. Number two, obtaining information from the health care provider about diagnostic confirmatory test results and other types of information which directly relate to the tracking and outcome measures at the Massachusetts Department of Public Health, also a hybrid covered entity under HIPAA, has expected our program to collect and analyze and report on as part of continuous quality assurance and improvement. I have cited the regulation on the Massachusetts side for the testimony.

Some provider offices have responded when I contact them that they do not want to accept an out of range results, that it is not their patient, that I might need to give them an authorization so that they can even accept and intervene. This has happened twice within the past month, and I'm not sure if this is an atypical example or not.

it happens most commonly in the context of providing cross coverage when the primary care provider is not available. With appropriate education and more phone time for me, I am usually able to convince the provider that the out of range screening results could represent the presence of a time critical disorder. it has been possible in most cases to involve the providers in participating and making appropriate plans for the next steps in evaluation. I have had instances where the providers have refused to accept it, and demand that I be the person to contact the family and pursue the next steps in medical management.

This issue is possibly related more to the covering health care provider's lack of familiarity with the complex screening results associated with rare disorders, and may not specifically relate at all to the privacy protections. I don't think it would be the first time that someone would cite a new and poorly understood regulation as the reason that they are encountering difficulty in doing what you are asking them to do.

The New England newborn screening program continues to utilize a medical model for its screening program, employing physicians who are available to give consultative guidance in the interpretation of screening results, and recommendations for the next steps in testing and evaluation. This model could be applied to other systems, but it is possible.

While many health care providers continue to provide the necessary followup information, some have questioned whether individual consent is needed. Our program, which is part of the University of Massachusetts Medical School in collaboration with the Massachusetts Department of Public Health, prepared a memorandum entitled Disclosure of Information for Public Health Purposes. The memorandum is provided to health care providers to assist in educating providers about the specific mission within the HIPAA privacy rules that the rules were not intended to affect public health reporting authorized by law. HIPAA allows a covered entity to disclose protected health information to a public health authority or its agent when the public health authority is authorized by law to collect or receive such information.

Receipt of such documentation has mostly been effective. One of the more unusual instances I have encountered following HIPAA implementation is several specialists, not even in the same practice, who indicated that without specific written consent, they would not provide written information about whether or not and/or how a diagnosis had been confirmed or excluded, or if appropriate treatment had in fact been initiated, because it would be in conflict with the HIPAA privacy rules. However, the specialists offered to disclose by telephone should I be able to reach them by phone, all of the information that I should want.

This inconsistency between written and oral disclosure suggests that the providers of medical care can be conflicted about balancing privacy issues and best medical practice. To date, most providers with additional education have complied with the public health reporting, though additional New England newborn screening program staff time, energy and effort have been devoted to providing this type of education, and they come at a cost. They take time away from other endeavors that are also valid and previously pursued by the program.

It is my hope that as health providers and individuals become more educated about the implications of this landmark privacy rule, the efficiencies of public health newborn screening can be enhanced.

Thank you so much for this opportunity to speak with this committee. I have taken many notes, and I really appreciate the learning that I am doing today, and I look forward to further questions and discussions on these issues.

DR. ROTHSTEIN: Thank you. Any immediate questions? If not, then we will go to Miss Van Tosh.

MS. VAN TOSH: Hi. First I want to welcome everybody to Silver Spring. I live here, and I am glad that I am one of the last speakers before you have lunch. We are undergoing a revitalization here in Silver Spring. You probably have noticed all the great new restaurants and the theater, so I hope you enjoy. I don't work for the Chamber of Commerce, but I thought I would just let you know that we have a great new community that is being developed and under way.

I also want to say by way of introduction that I love HIPAA and I like lawyers, and I hope that the two will meet and hopefully support patients' rights over time.

Finally, just one other quick introductory comment, I often testify in Annapolis, representing people with mental illness and mental health issues. Usually the subcommittees there and the chairman and staff don't like people to read their testimony. In fact, I have been one of many that has been thrown out of the room because I actually read my testimony. But since many of you did, I will go ahead and read my testimony, knowing that I will probably not be tossed out of the room. At any rate, I will still also try to be human as I convey my message here.

Good morning. My name is Laura Van Tosh, and I am a mental health policy consultant specializing in public sector mental health issues and consumer issues. I appreciate the opportunity to present my perspective on the implementation of the HIPAA privacy rule. I am pleased the subcommittee is hosting this hearing, and of your interest to gather information about the regulation and its impact on individuals.

While implementation of HIPAA is still relatively new to providers and consumers, it is important that you and others continue to closely examine barriers to compliance and best practices for implementation. My testimony today will focus on the needs of people with mental illness, many of whom are unfamiliar with their rights in general, let alone their new rights under HIPAA.

For too long, people with mental illness have been perceived as incompetent and incapable of participating in the process to determine their own treatment, and unfortunately they are often shuffled from program to program to have basic needs met such as access to housing, employment and health care. Stigma within and outside of the mental health system has perpetuated these misconceptions, keeping consumers shrouded in compliance and passive roles. I suppose this phenomenon is still common, since so many consumers are forced to use bundled services where for example access to housing is contingent upon the receipt of clinical services.

In Montgomery County, Maryland, where I live and work, people with mental illness are just beginning to recognize that recovery can be within their reach. Hopefully in the not-too-distant future, providers of mental health services will also see that recovery is possible as well.

A few blocks from where we are here today is one mental health program where the glimmer of empowerment is starting to shine through the eyes of people with mental illness. Recently I facilitated a forum at this program to gather input from consumers about the design of a proposed consumer operated program, where peers will support peers to access housing, jobs and social supports.

I was impressed with the energy and flow of ideas coming from the consumer participants. Many of the consumers indicated to me that they had never been asked what they thought about programs and services provided by Montgomery County, and I suspect the same would be true for the implementation of HIPAA.

Most consumers I have spoken with were unable to identify the rights under HIPAA, but they did recall signing new forms in order to obtain nursing home services. Consumers reported that in order to be seen by a therapist or doctor, they would have to sign the forms, and none were given much of an explanation. I believe some of this goes back to the issue of, quote-unquote, incompetency and being unable to determine one's care. Most of these consumers did not know that they could examine or amend their records, for example, and how doing so could enhance their empowerment and improve mental health outcomes.

People with mental illness, no matter the extent of disability, have an opportunity to become empowered by using HIPAA to increase their own knowledge of mental health services and thereby improve individual mental health outcomes. This is why I became so interested in the regulations as they were being developed. If I could look at my own health record, I could participate in determining my own care. This is so basic and intrinsic to my own recovery process.

I am very pleased the Federal Center for Mental Health Services at SAMHSA has identified HIPAA consumer education activities, and has embarked on a modest educational program to inform consumers of their rights and responsibilities under HIPAA. CMHS has developed a unique education card titled Privacy Rights for Mental Health Consumers. The education card succinctly summarizes key aspects of HIPAA in lay terms. The CMHS education card has clear and relevant information for people with mental illness, and is designed to accommodate persons with basic reading skills.

From what I understand, the education card is still under review at SAMHSA and may be released sometime early next year. This will be a valuable resource to all mental health consumers, and hopefully the card will be distributed to waiting rooms and public sector mental health programs soon. Moreover, the education card is a template of sorts for inpatient consumer training, perhaps provided by existing statewide consumer organizations that are located throughout the United States.

Recently CMHS staff and I joined forces to design an interactive training module to guide mental health consumers through key aspects of the HIPAA privacy rule. We are planning a statewide training in January of 2004 for consumer members of On Our Own of Maryland, a large consumer organization located in Baltimore. One-time training programs are useful and encourage consumers to be better informed about HIPAA as well as the benefits of consumer and patient involvement. However, a larger investment is needed to insure that consumers who are new to the mental health system are in fact educated early about their rights. This is similar to some of the comments made earlier today about prevention for other populations.

In my estimation, providers of mental health services are concerned with practical HIPAA issues such as communication challenges between other social service and mental health agencies. While these impediments are understandable, we must be certain that the beneficiaries of the rule are informed as well.

I know of no other training program that targets people with mental illness than the education card produced at CMHS. Clearly, more education and monitoring of consumer needs for evaluation is necessary if we are to realize the potential for HIPAA as a tool to improve mental health outcomes for persons with mental illness. Successful implementation of HIPAA must be measured to the extent that consumers are empowered and informed.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. I want to thank all the members of the panel for giving us still more issues related to public health that we need to consider. The floor is now open for subcommittee members with questions. Dr. Houston.

DR. HOUSTON: Thank you. I'm just trying to think of some of the ways to mitigate the impact of the reporting and having to account for disclosures. As David Orren had spoken, I was thinking a couple of thoughts, so I'm going to throw them on the table and ask your opinions of them.

Would it be helpful as a way to avoid dealing with this disclosure issue to develop some sort of certification process, whereby a public authority or somebody who was collecting information, or to whom mandatory reporting was required to go to, could go through a certification process whereby somebody could see they were on a list of people that information could go to, and that there was no issue as to whether there would be a violation of HIPAA by reporting to this organization? That was one thing I was thinking.

The other was, is there some other process or certification an organization would be willing to go through to demonstrate that it had met certain privacy safeguard requirements, almost becoming a covered entity, although under HIPAA you couldn't be a covered entity necessarily.

What are your thoughts on those types of programs to maybe mitigate the impact of reporting?

MR. ORREN: Well, to answer your first question about certification of a public health authority as a public health authority, I think that would be easy for departments like the department of health at the state level, and probably for most county public health departments.

I think it is a closer question than a matter of interpretation for other entities. One of the things that we thought would allow reporting to schools for the immunization stuff was that it was an interpretation that they were a public health authority for that purpose. In some states, I am guessing that they are declared a public health authority by their state law. Our state law doesn't say that, so we had to interpret HIPAA that it had a responsibility for public health by law, which was to monitor immunizations and to hold kids out who hadn't proven immunizations and so on. So it took that interpretation. They could certify that they were, but it would basically be saying, their lawyer or their person who is looking at the law --

DR. HOUSTON: Is it practical to develop a short list of agencies within a state, organizations within a state would be considered an agency -- or whose collection efforts would fall under public health reporting?

MR. ORREN: It may. I think that is happening in every covered entity's office right now. They are working through whether they can report it. So I think their normal reporting, whether it is to the state department of public health or the local board of public health or to the school for immunization registry, they are going to work through that. Once they have resolved that, it will be resolved forever.

So I think that is more of a bump in the road rather than a structural problem. I think those would be addressed because the need for information is so strong that the entity that wants it will push the issue until they get it.

DR. HOUSTON: By the way, would that be a way, if you could come up with some type of certification program, you could go back and say, so long as there is certification, we wouldn't require some type of accounting? I'm trying to think of a way to avoid having to do an accounting, and how you could put something in place to --

MR. ORREN: If you put it like that, it would definitely be worth the effort. That would then be something that is there for them to look at, and it would then deal with the disclosure tracing requirement.

I look at this also though as a patient. I might want to know what the disclosures are. So perhaps the list of statutes and rules and other authorities to disclose might be something that I need. I can still then connect the dots. If I have had a gunshot wound, I can know that that has been reported. Or if I have had a sexually transmitted disease, I can know that has been reported.

But yes, that may hear fruit, to have a certification that if they report to the certified agency, --

DR. HOUSTON: The accounting requirement may be alleviated.

MR. ORREN: Perhaps, yes.

DR. ROTHSTEIN: Dr. Larson, do you want to comment on that?

DR. LARSON: Yes. One of the things that we have talked about with trying to get the disclosures back to us of information was whether or not we wanted to be very up front and document many of the specialists that see the parents and the child with their recommendations. I have encouraged them, if they are providing the information to me, that they at least for a trial period document that it is coming directly to me.

That has been going on now for more than a year with one of our sites, Children's Hospital, maybe even two years. We have had zero patient complaints as a consequence of being explicit in where that exposure is going. The other sites that we deal with have been reluctant to implement that.

Another strategy that we have looked at is, we are doing our own internal privacy training of staff, and trying to keep them informed about what are the best practices. We also just made a Massachusetts health mental health data consortium, where the privacy officers meet to hear their concerns.

One of the things that was interesting at their meeting, which was the Friday before this, Massachusetts is actually having a lower documented complaint rate compared to other urban centers of a similar size, according to the OCR person who gave their presentation. Not at all clear why. It may just be a lag factor, because people don't feel comfortable yet making those complaints. I think your earlier question about finding out about public health has been specifically a target.

The other thing that was very interesting to me was that the OCR is willing to educate us. Early violations are considered an opportunity for education. This is something that is probably going to evolve, privacy and public health.

DR. ROTHSTEIN: Dr. Harding.

DR. HARDING: One of the things that we have recommended in the past is the attempt to initiate very clear recommendations from -- or interpretations from various groups.

I was intrigued by Miss Van Tosh's testimony, where she was talking about the Center for Mental Health Services having a consumer education card that would be small, clear, in basic English. I was thinking that that probably would be very helpful for a number of groups, not just the mentally ill. I haven't seen that. I don't know if you all have seen it.

MS. VAN TOSH: I have a draft. I can find out if I can get a draft to you.

DR. HARDING: We wouldn't want you to do anything illegal or whatever, but that would be very helpful, to see how it was framed and so forth, and hopefully be used for other groups of patients also, not just the mentally ill, because that sounds like it would be very helpful.

MS. VAN TOSH: It is applicable I think across patient groups with some minor editing. Quite a bit of time was spent on making sure that it was readable, yet in line with the HIPAA rule.

DR. ROTHSTEIN: Miss Van Tosh, while you are at the mike, I want to ask you a question. I thought you made a very interesting point that we don't normally hear about. That is, the benefits of HIPAA are normally considered to be abstract. That is, we protect the dignity of people, we protect their psychological benefit, et cetera. Yet, a point that you made was that HIPAA actually could lead to better health outcomes among people with mental illness, because they would have access to their mental health records, and you saw that as having some direct health benefits.

Are there any other aspects other than access in the states that didn't provide for access prior to HIPAA, any other provisions of the privacy rule where you see direct health benefits?

MS. VAN TOSH: I think being able to participate in determining one's own treatments in mental health is key and critical and not often done in our system of care right now. Although the President's new Freedom Commission on Mental Health, which is available on the web, focuses on that idea as being a benefit to people with mental illness in terms of supporting the path towards recovery.

As far as I can tell, I don't believe there is any other specific item in the rule, except I think if people feel they can make complaints and not have that complaint or the act of making a complaint impact on their care and treatment, is a different issue for people with mental illness than people who are involved in the general medical community.

People with mental illness unfortunately in this country are treated very differently. I think just to give you a direct blunt example here, I am a person with mental illness. I have been in the public system. I've been in a state institution. I have been in the private sector as well. My doctor's office, not too far from here, general medicine, internal medicine physician's office, used to put on my record on a sheet that is paper clipped to the record as I come in what my psychiatric diagnosis is, even though I may have been coming into the office for a general medical checkup, or just a blood pressure screening or what have you.

So whenever I went into the office, and this is pre HIPAA, that was blatantly displayed on my record for all to see, the LPNs or the nurse practitioners and then of course the physician. So I was often embarrassed by that, and even said something about it, but it continued. Once HIPAA came into reality for all of us, that is no longer on my record when I come into that doctor's office.

I usually don't even go there for psychiatric issues. I have another doctor. But that was placed on the record, and extremely humiliating each and every time I went into the office. So now that it is gone, I feel a whole lot better and I don't have to explain myself.

DR. ROTHSTEIN: The only other issue that I would ask you about, where I could possibly see some tangible health benefit is that if you felt in your working with various organizations for people with mental illness, if layering another privacy level on top of what already existed in terms of professional ethics and so on might further encourage people to seek professional help for mental illness, or where they might be reluctant because of privacy concerns. That is the only other area where I could see that.

MS. VAN TOSH: Yes, exactly. I think that is why I made my point about people who are entering the system for the first time.

One of the findings of not only the President's Commission report but also Dr. Satcher's Surgeon General's report on mental health, is the high incidence of mental illness in general, but also the fact that many people don't seek treatment because of stigma, because of the kinds of things that I just mentioned, about having a label or a diagnosis on a health record, not even a mental health record.

So I think HIPAA is fine in that regard. There are some provisions of HIPAA such as not being able to look at your psychotherapy notes, I think some exceptions that are explainable that could be done through training, but by and large I see only benefits. You may hear differently from the health care industry this afternoon, but I see a lot of benefits for all patients including patients with mental illness, to participate in their care, to look at their record, to recommend new and old treatments that may not have been provided before, and just to be engaged in developing a treatment plan which is actually required now under managed care.

Most consumers now sign off on their treatment plan, have little involvement in what is in the treatment plan, and I think through HIPAA patients of all kinds can be more involved in identifying their treatment. Again, I believe that that helps health outcomes and increases satisfaction and could lower complaint rates.

DR. ROTHSTEIN: We'll go to Dr. Zubeldia.

DR. ZUBELDIA: This is for Dr. Larson or maybe somebody else can help. Have you looked into the epidemiology of these outbursts of HIPAA fear? When you mentioned five specialists of different specialties, where do they get their information from? Is it from the lawyers, is it from the specialty association, from the medical society? Where is it coming from? If we try to find the source of this, we may be more effective in getting the right education to the right places.

DR. LARSON: I appreciate the question. I need to clarify my testimony. I said several, and I didn't give the precise number. The majority have come from one subspecialty; metabolism is their field. In newborn screening, the types of conditions that we presently screen for are metabolic, endocrine, genetic, which most of the metabolic are too, but also cystic fibrosis disease, infectious toxoplasmosis, and in New York screens for HIV.

So there is a wide range of specialists that we have an interface with. For whatever reason, it has been dominant with the metabolic group that has faced this. So I do wonder about that epidemiology, whether or not if in their society meetings people are talking about this as a concern.

Most of the endocrinologists and the cystic fibrosis centers, we up front gave them our document that I mentioned and said you can continue reporting to us according to best practices, and you will not be liable for following the law in Massachusetts. Interestingly enough, I interface with these other states as well. I go to regional meetings and other such things. Even within a state, you will find -- Southern Maine -- totally different philosophies in those two places. Now, Maine tends to have isolated geography and populations, too, so they probably don't interact at a lot of conferences. So probably those things are happening.

We have been encouraging the American Academy of Pediatrics and other respected bodies, the American Medical Association, to try to cooperate in their newsletters and other mailings. I do know in Massachusetts we are insured by Pro Mutual Insurance, and when HIPAA came out, one of my CMEs that I did right away, I was pleased to see a question on my own insurer that asked very good questions about HIPAA and healthy populations.

DR. HOUSTON: One followup question to Miss Van Tosh. You had indicated some trepidation in going into your physician's office because your diagnosis information was displayed on the chart pre HIPAA. I am a little concerned. Even under HIPAA there is this treatment exception that says information can be shared for the purposes of treatment. Do you have concerns about mental health illness information being available throughout the range of health care potentially under this treatment exception, where it may not necessarily be directly related to the treatment you are going to the physician for? You said for screenings, blood pressure, things like that.

The reason why I ask that question is, this is something that has come up within the state of Pennsylvania where I am at, where there is thought about developing a regional database containing depression information. One of the concerns I had was, if I had depression, I might be concerned that physicians have access to that type of information.

So I would want your input as to how you feel about that, and especially with regards to the HIPAA treatment exception.

MS. VAN TOSH: Well, mental illness is not -- my experience of mental illness is not sitting in that chair; it is connected to who I am, and mental illness is that way I think for a lot of people. Unfortunately, there is so much stigma on that that I harbor with myself, stigma that may be self stigmatizing issues that I share.

I believe there are many people who have that same problem or concern, that just talking about one's mental illness all of a sudden sets up this fear factor, basically. I do think though that mental illness should be considered part of the whole -- I believe in mental health parity, which as you know, maybe all of you, we don't now have parity of benefits and parity of insurance and therefore parity of access to mental health treatment because of stigma and what people perceive as higher costs.

So I think that until some of those barriers come down, we may be -- people with mental illness may be left on hold, because it just seems to me that until this society changes its perceptions about people with mental illness working, people with mental illness driving -- there are some states in this country where you cannot get a license to drive if you have a history of mental illness. I think we have so many barriers now that the treatment exception is minor.

I think most people believe that if there is any way or any benefit to coordinating care, that again most patients with mental illness would support the idea of coordination with care and the ability to share information, as long as it is appropriately stored, appropriately utilized and not slapped on the cover of a health record.

DR. HOUSTON: Do you want to make that decision though, as to whether this information is available? Or do you think it should be available by default, I guess is the other question I have. If you were a patient, would you want to opt in or opt out?

MS. VAN TOSH: I think what I am more concerned with would be who would be using the information and for what purposes, and what the benefits and what some of the impacts would be if there would be any negative outcomes, or what the benefits would be to share information. I think there is more information that all of us really need.

I got -- and many of you probably did, too -- a free sample of Claritin. I haven't taken Claritin for years. I take something else now. But we often get something in the mail that we wonder, gee, how did they get our name. I think that applies to everyone, not just to people with psychiatric histories.


DR. COHN: I want to go on the record saying I did not get a free sample of Claritin.

I actually want to go back to some other issues that we were talking about earlier. They are probably a lot less exciting, but I still find myself a little -- I'm talking about disclosure and how to make disclosure tracking easier, and whether there is any appropriate lines to draw. I can't quite decide based on the testimony that I am hearing.

One of the questions I am having is, within the rule of public health, there is a lot of mandated reporting requirements. Dave, you made a distinction in your testimony between mandated and voluntary, such as immunization registries and things like this. But is that a useful distinction to make, if we were to make recommendations between things that are mandated versus voluntary about what ought to be tracked or not? Or does that fall apart when we look at it closely?

Dave, maybe I'll start out with you, and we can ask the others.

MR. ORREN: I think the voluntary ones are as important or more important. They are around the edges of public health. Last year SARS was a new disease. It wasn't listed in our mandatory reporting diseases, but we had very good voluntary reporting. That was last year.

This year, to take care of that, we did a commissioner's order. We haven't had that question, but some of that was to provide cover for the providers so that they could give us information about SARS. What is the next disease? We don't know. We have something where we encourage voluntary reporting. I don't have the words with me, but I would call it odd things that happen that a provider comes across, because those are usually the first signs of something that is a new disease.

Under that, we got the reporting on -- I think it was a tissue transplant for a knee surgery, where we found that there was a tissue provider from somewhere in the country that was giving us diseased tissue. That created a shutdown of that provider, and we only found out about it because there was an unexplained death. It was a voluntary report.

So I think these voluntary reports are hugely important, and we don't want to provide any disincentives for them.

MS. HORLICK: I think one thing that might be helpful, and I don't deal directly with the disclosure requirements, but any type of sample form, a sample business associate agreement, anything that would provide specific guidance to the people that have to follow the requirement might be helpful.

DR. LARSON: Addressing the question of mandatory versus voluntary, I think that is something that -- when Massachusetts went from nine to ten disorders that we screen for, mandatory, and offered somewhere in the magnitude of 20 other disorders, metabolic and cystic fibrosis. Our advisory committee thought long and hard about the distinctions between mandatory and voluntary or what we ended up calling supplemental pilot program.

Terminology is always problematic, especially when it is new and people are using it to mean different things. I'll take a minute to explain what that meant. Parents were given a choice. They were not given the same level of choice for the ten mandatory disorders. Those ten mandatory disorders fell into our routine practices for tracking and followup. We didn't want to jeopardize that routine public health mission, because nothing can change about the importance of testing for those conditions.

The other two categories of conditions, parents could opt out of one or both of those testing services. We went through an IRB protocol, and we have to maintain IRB status. I think that actually makes good sense, and I think it makes good sense to periodically review what is mandatory and perhaps patient deaths ought to be mandatorily reported when they are unexpected and unexplained.

MR. ORREN: Yes, patient deaths are mandatory, but this patient might have lived, and there were other reports that we got.

DR. LARSON: There is always going to be a --

MR. ORREN: But it wasn't an unexplained patient death. We don't get all patient deaths. We get unexplained ones. If it involves discretion, it is mandatory, but how unexplained can it be? I'm serious about that; how unexplained can it be? People do die unexpectedly in hospital settings.

DR. ROTHSTEIN: And there could have been infections that didn't result in death, that were reportable.

DR. LARSON: Just as a followup, that is actually the area where -- the tradeoff that I am planning right now. I have a backlog of things I would like to get into the medial literature on privacy. I am doing a hand-holding of providers to handle these new diseases, how do you intervene, how do we do this.

My case reports for all those things that you are talking about, which I do think the medical literature is a good place to put them as well, and timely in the review process. But they are a part of it, and that is a tradeoff that is taking place right now. I think you can talk about transition. You might want to work towards the goal of mandatory versus voluntary.

DR. ROTHSTEIN: Dr. Harding, for a brief --

DR. HARDING: Do any of you have any thoughts about, is there a tremendous upsurge in requests for disclosure accounting? We are doing all of this, we are making sure that we can account all the --

DR. ROTHSTEIN: We might want to ask the next panel, the health care providers. Gail, did you want to comment?

MS. HORLICK: I was just going to say that I haven't heard anything, but that doesn't mean they aren't occurring.

DR. HARDING: During our last full committee meeting I know we asked that question, about whether there had been any questions or issues about accountings, and there really hadn't been, as I recollect.

DR. ROTHSTEIN: I want to thank all four of our panelists for some very interesting testimony. We accept your kind invitation, Miss Van Tosh, to sample the fare of Silver Spring. We will resume at 1 p.m.

(The meeting recessed for lunch, to resume at 1:00 p.m.)

A F T E R N O O N S E S S I O N (1:00 p.m.)

DR. ROTHSTEIN: Good afternoon, everyone. We are back with our third of six panels, discussing key aspects of HIPAA implementation. I want to welcome the listeners on the Internet, as well as those of you who are here. I want to thank our panelists for being here.

A couple of announcements. First, we still have some slots left for the public comment session at 3:45, so if you are so inclined you can sign up in the back on the list there.

The other thing I would ask before we get started on today's panel, if there are any of the four panel members who have transportation travel problems so we need to adjust the order or anything? Okay, good, thank you.

This morning we heard two panels discussing issues related to HIPAA and public health. We are going to change focus this afternoon to talk about more general perspectives of people from the health care industry as well as consumers. We will begin with Janlori Goldman.

Agenda Item: Panel 1: Health Care Industry Representatives

DR. GOLDMAN: Thank you, and good afternoon. Thank you very much for inviting me to testify this afternoon on a subject that, as I was just saying to Mark Rothstein, -- you could launch this law and wish it well and watch it do all the good work it was supposed to do. It seems there is a never-ending series of, what does the law mean, how does it work, is it working, what more do we need to do. I appreciate the chance to be here and try to help the committee try to address some of those issues. I also appreciate very much the work of this committee since its formation, in not only addressing privacy and confidentiality in the context of HIPAA, but in making recommendations to the Department on how the law is going and on areas that could be worked on.

Before I get into the core part of my testimony, I want to reiterate that when HIPAA was mandated by Congress and when it was issued as a regulation, it was a landmark in the privacy area. We didn't have any kind of comprehensive law to protect medical records. Congress had struggled with it for years. The state laws were for the most part not comprehensive, not adequate. The goal of the law was to improve access to care, lower barriers to access and to improve the quality of care by strengthening the bond between doctors, their patients, other health care providers and their patients, encouraging people to get care without worrying that they might lose a job, might suffer stigma, might lose benefits, and that the information might be used in some unauthorized fashion or without their knowledge.

So I think the fundamental goal was to try, as we were developing the national health information infrastructure which we were developing in a formative stage in the late '90s, and now is really taking off, that we needed to build privacy and security in up front, at the outset. It is not something that should be episodic, not something that we are going to build in after the system is in place.

What Congress had in mind and what the Administrations have had in mind in putting this law in place is that as we are developing health information networks, as we are developing systems, there needed to be a fairly uniform set of privacy rules, security rules, and practices that are built into those systems when they are designed.

I have emphasized that now two times, because my experience has been prior to HIPAA that systems would be developed, and people would then say uh-oh, we need to do privacy or we need to do security, and then go back and try to retool and redesign systems, which was terribly expensive and not very effective, that initially happened after a breach or after a horror story, and there was already cleanup being done.

But the way that HIPAA was designed, the administrative

simplification section, was that all three of the regulations around privacy, standards and security were intended anyway to go into effect together and be developed hand in hand. So there was an acknowledgement that this was the right way for things to go forward. I think while to some extent there has been more of a staggered implementation around those three regulations, I think there is still an opportunity to do it together.

Since the April 14 date, after over two years of the regulation having its implementation phase, there has been some good news. But I think early on there was a tremendous amount of misinformation, confusion, misinterpretation around the regulation. Either that was the case, or that was what the press focused on. But I think it is fair to say from my own experience and from the experience that I'm sure many here on the panel have had, either institutionally or personally, it got off to a bit of a rocky start.

We could look at a number of reasons for that. Possibly OCR could have been more aggressive in two years of the implementation phase in getting information out, doing technical assistance, providing resources to the covered entities. The professional and trade associations certainly could have been more active and played a much more aggressive and helpful role and useful role with the covered entities.

At that stage, people were struggling; what is an business associate agreement, what needs to be in it, what is the notice, what are the elements, what should it look like. Of course, each of those pieces of paper needs to take into account the state law issues, but there could have been templates early on to provide people with at least a starting point, a checklist.

Unfortunately, many covered entities, particularly the smaller providers, relied on consultants, very expensive consultants and lawyers, who gave them conflicting information, and who really scared people in order to drum up business, but scared people about what could happen if they didn't follow this, that and the other in the law, some of which was in the law and some of which was not. I think some of the problems around misinterpretation and confusion had to do with -- I think Mary Greeley used this at the Senate hearing in September, I think she used the term over interpretation. I'm not exactly sure I agree with the term, but I think it captures the flavor of what happened.

What we did with the health privacy part, we did a number of things to try to address this. We put together an instant facts document which is on our website and attached to our testimony, to try to highlight some of the most glaring and common of the misinterpretations, and to try to set the record straight with language from the regulation, not our own view, not our own opinion, but using the language from the regulation, from the preamble, from the OCR's website, the frequently asked questions which has gotten quite extensive, and I think are quite helpful.

The other thing that we did was to develop a know your rights document, which is on our website and is available in hard copy. It was a way to try to remind people, both providers and plans as well as consumers, that this law is not just a bureaucratic quagmire. This law was not just put in place to create another piece of paper and another thing to sign and another pain in the butt for people when they go to the doctor or enroll in a health plan.

But unfortunately, that is how people perceive the law in many situations. I can't tell you how many times I have had the experience, and I'm sure you all have, where you either walk into a doctor's office or a hospital or you sign up for a health plan, and the people in these offices apologize for the notice. I'm sorry, I have to give you this form, the law requires it. There is this new HIPAA rule. The privacy word sometimes doesn't even come in there. There is this new HIPAA rule. You've got to sign it, I'm sorry, can you please sign it. So people are presented with the form as though it is just this pain. It is a hassle, they are sorry for it.

It is unfortunate, because I think in many instances, what health care providers particularly could convey and what health plans could convey is that this law now requires us to limit the disclosure of your personal information to your employer. The number-one thing that people care about is their employers finding out about medical conditions and treatment. So if it could be presented up front as, this law requires us not to submit this information or share it if your employer asks for it. It limits who we can share it with. It should give you trust and confidence in how we are going to handle your information. We now have built privacy into our practice. You now can get access to your records. Of course, we would have given you access before, but the law now requires it in a particular period of time. It could be presented again as a benefit and as a positive, as opposed to something which is contentious and brings conflict into the doctor-patient relationship.

So the know your rights document was intended to do that. We are also developing another document, a brochure, which is intend for use by health care providers in their offices as a substitute for the apology. It explains what the notice is. What is this notice? Some people think the notice is a consent form, they misunderstand. Patients misunderstand, and even some health care providers present it as a consent form. Maybe it is because they always had people sign consent forms, and this is just a substitute for that. But the notice is just that. It explains peoples' rights. People aren't signing away anything when they sign the form; they are acknowledging that they got noticed. So we are trying to put together a document that can then be shared in doctors' offices that can accomplish that goal.

Some of the big myths in facts that we addressed, which I think have begun to percolate and spread in the health care community. There was initial concern about sharing information for treatment, and you heard stories about people having heart surgery, information couldn't be shared from one hospital to another, these life and death stories, 911 dispatchers who couldn't share information. I think some of that confusion and misinformation has died down. Certainly the calls to our office, and as Director Campenelli testified in September, the calls to his office have really died down. But I think it is still worth being clear that you can share information for treatment without consent, that the next of kin and directory opt-out is just that; it is an opt-out, not opt-in. If the hospital wants to have an opt-in, that is their choice, but it is not HIPAA. So we just need to be really clear that people can go beyond the rule with their practices, but let's be clear about what is HIPAA required and what is not.

E-mail between doctors and patients or between doctors and other health care providers, a critical development and a critical innovation that we want to see in health care not prohibited by the regulation as long as there are safeguards in place.

The lawsuit issue is a nutty issue, since you can't bring a lawsuit under the privacy regulation. We think it is a weakness in the regulation, but nonetheless, the concern about lawsuits was drummed up by some of the consultants and was overstated.

I want to say in fairness to OCR that the agency did step up guidance after the regulation had been in effect for a few months. I think it was critical that it did. The site now contains really extensive frequently asked questions which are really useful. We use them, we send them out when we get calls, but it really came late.

I would just encourage OCR to be even more aggressive, not only in providing the guidance on the website, but in reaching out with technical assistance, with resources, and being helpful in that way. I also want to urge again that professional and trade associations do the same, and do more.

The last thing I want to close with -- actually, two final things. On enforcement, one of the things that I think is a problem and is going to continue to be a problem is that OCR is very clear that it will rely pretty much if not solely on receiving complaints and deciding how and to what extent to follow up on the law.

I think that is an inadequate word. Many people don't know how to file a complaint, don't know that they can file a complaint, and are unclear what happens when they do file a complaint. It is just not a really effective way to oversee the law. I would urge OCR to get out there on its own initiative and look at particular kinds of covered entities, not for punitive reasons, not with a heavy law enforcement arm certainly, but to work on implementation, to do a report card almost, an assessment of how implementations are going, and to get feedback.

Maybe this is happening and I'm just not aware of it, or maybe it is in the works and I'm just not aware of it. But I think that is critical, that you can go to a number of different sites, even if they are not named, and say here is an early assessment of implementation efforts. It gives you, OCR, a good sense, and NCVHS, as to what some of the weak spots are.

There was a recent survey that Phoenix Health Systems did that showed that 76 percent of covered entities report they are in full compliance with the privacy regulation. That is very positive, 76 percent. But then when they are asked about their business associate agreement or something very specific, the number drops more to 55 percent, which is fine; it is just shows that perceived compliance may not be full compliance, and we should get more information on that.

I am also very interested in OCR doing more to publicize both the number and the nature of complaints that are received, so we the public have a sense of how the implementation is going and where some of the weaknesses might be.

There were a number of complaints that were referred to the Department of Justice, which OCR has testified about. I am very interested, as I assume others are, in knowing what the nature of those complains are. There is confidential information there, but what kinds of cases have been referred to the Department of Justice for possible criminal action?

In terms of going forward, we have so much to do in terms of implementation, oversight, enforcement. I realize that my final statement on weaknesses and gaps in the law may be premature in terms of either Congressional will or executive branch action, but I think it is really important that we not lose sight.

This law took a couple of big steps to protect privacy and to provide people with greater access to their records, but it didn't go far enough. It doesn't directly cover employers and others who directly collect information from individuals in terms of delivering care. I think that is critical in terms of providing certain kinds of benefits. I think the scope needs to be enlarged. I think that people should have the right to sue if they believe their rights are violated. I also think that the executive branch has the authority to strengthen the law. The two items I just mentioned, in terms of private right of action and scope are obviously within Congressional purview, but in terms of strengthening the law, the executive branch could and I believe must strengthen the marketing section. I think that what the Administration did early on in removing the safeguards to tell people when they are receiving material that was paid for by a third party, that was generated by a third party, that they would not have consented otherwise, and giving them a chance to opt out, that those two safeguards are critical and should be put back into the law. I think the law enforcement section particularly now needs to be strengthened, and we need to have a Fourth Amendment-like standard for access to medical records.

I appreciate again the chance to speak, and look forward to answering questions. Thank you.

DR. ROTHSTEIN: Thank you very much. Any pressing questions? I'm sure there are many questions when we have our discussion. And now, Mr. Hughes.

DR. HUGHES: Thank you. I'm please to be here this afternoon to give you the hospital's perspective on the implementation of the privacy rule since April 16. I brought along with me Pam Lomesselli, who is sitting at the end of the table here. She is the vice president and chief privacy officer at Emerson Hospital in Concord, Massachusetts. It is a small community hospital with about 145 beds. I asked her to be here to help respond to questions that the panel might have, because I think she can offer a very special perspective on what implementation concerns are out there for small community hospitals. So feel free to direct questions to Pam as well.

From the hospital's perspective, we think that privacy of course is something that is incredibly important, and we have always been very supportive of protecting our patients' privacy. For the most part, with the changes made to the rule in August 2002, we think that the rule balances strong privacy protections for patients with reductions in the unnecessary paperwork that might have been imposed upon providers as part of the original rule.

But our experience also suggests that there are some areas of the rule that are still not working well. They are creating unnecessary burdens with very little benefit, or they are continuing to create confusion in the field, and could use some clarification directly from OCR. I have submitted some written testimony, and I will just highlight some of the points that we are making in that testimony.

I think one of the biggest concerns that hospitals have is the whole burden associated with the accounting of disclosures requirement. This burden requires that hospitals, even if they haven't received any requests for accounting, to create an enormously burdensome paperwork system to be prepared to respond to any accountings.

While we certainly support the need and the importance of getting information out to patients about where we disclose information, particularly in the public health arena, we think that there are some easier, less burdensome ways to get out the same level of information that would be beneficial to patients.

We have actually put together a proposal that we discussed a number of times with folks in HHS and OCR to reduce the paperwork burden associated with the accounting of disclosures requirement, and that is attached to my testimony, which you can read as well.

What it happens to do is a result of the AHA's efforts to respond to what OCR has indicated to us as the goal of this accounting for disclosures requirement. It is meant to carve out and make detailed information available to patients about the kind of disclosures that affect their interests specifically and as individuals, rather than more general kinds of public health disclosures.

Those more general kinds of disclosures could easily be handled right up front by letting patients know about the kinds of disclosures that are required under state law, or as part of public health surveillance systems that are important to participate in, but you can let patients know about that right up front as part of the privacy notice, without giving all the details about the date, the specifics of what was listed. It makes it pretty clear and pretty easy to figure out the kinds of information that would be disclosed under those state laws. So I think it would be much more helpful and much more up front to go ahead and give that information to the patient before as part of the privacy notice.

Another area of concern for hospitals, and it is an enormous burden, is the burden of trying to negotiate and deal with folks who are requesting that they become business associates. It seems like everybody under the sun wants to be a business associate, largely with the mistaken impression that by becoming a business associate, that gives them the opportunity to get information and use it in multiple ways that are prohibited under the privacy rule.

This is something that hospitals have to deal with on a daily basis. It is a process of education and needs some guidance directly from OCR, some sort of official sanction. I think others who come to hospitals with requests to sign business associate agreements really don't believe what hospitals are telling them. So they need some sort of backup in educational materials coming directly from OCR that would help them in addressing those kinds of mistaken impressions about business associate agreements.

I think there is also some need to reconsider the need for business associate agreements among and between covered entities. Covered entities themselves are already subject to requirements of the privacy rule. They have to protect patients' information whether they create it or receive it.

The redundancy of having business associate agreements between covered entities is an enormous burden. It requires a lot of resources that could better be put to patient care, and I think it is about time that OCR reconsider the proposal that AHA had put forth before, to eliminate the requirement for business associate agreements between covered entities themselves.

In addition, I think that OCR could go further in helping to streamline this whole business associate process by developing some sort of certification process for business associates. This is also a proposal that AHA put forth earlier, and I would defer the committee and OCR to our early comments about the certification process. While it may not be appropriate to adopt the exact proposal that AHA put forth, I think some sort of effective alternative certification process would be very appropriate in this circumstance.

I think there is also an amount of confusion that is created by emerging kinds of conflicts between hospitals and other providers' obligations to protect patients' privacy and to meet other kinds of goals like improving patient safety.

I think the example that I have included in my testimony and that was brought specifically to AHA to highlight the problem occurs when you have a health care worker who comes to the hospital for treatment. The hospital discovers that this worker has for instance a drug abuse problem. Getting the information from the provider side of the house to the employer side of the house is simply not possible without violating the privacy rule. But it is very important to be able to take action against health care workers in the context that we are talking about in order to preserve and protect and improve patient safety.

When those workers create a safety hazard and you know about it, your obligation is to do something about that. So I think it would be helpful if OCR would give us some sort of guidance about how to deal with those sorts of conflicts that may be arising. I suspect that there may be other kinds of conflicts that may also occur that need to be addressed as well, and guidance from OCR would certainly be helpful in that context.

We certainly appreciate the responsiveness that OCR has to addressing issues and concerns and questions that folks have about the privacy rule and its implementation. I think however at this point in time, it is really important to move beyond the method of using this general frequently asked questions kind of approach to responding, and get really into more specific detailed operational level information about what is required in terms of compliance. I think that is certainly something that hospitals and other providers are looking for. If we could have more detailed guidance about specific aspects of the rule to help us understand what is required, what some best practices are, other kinds of things, I think that would be a helpful approach.

The frequently asked questions are useful. I think at this point in time there is enough information though that we can structure this information to be targeted to specific audiences for specific purposes, perhaps put in a more user friendly fashion. It is very difficult to navigate through all the different frequently asked questions that are related. So pulling things together with a specific purpose and with a specific audience in mind and making sure that it is widely disseminated would be very helpful to providers and to others in knowing exactly what is required under the privacy rule.

I think it is also important, and I would agree with Janlori, that it would be helpful to get information from OCR about what is going on in the enforcement arena, not just knowing the nature of complaints that are made, but since OCR is using a voluntary approach to helping organizations come into compliance, to share the kinds of approaches that are used to address specific issues, not in the sense that you want to specifically identify organizations that might have complaints filed against them, but more general information that would be helpful to all.

This is part of the process of education, a role that I know OCR has adopted in terms of moving forward with compliance on the privacy rule. Where we are having this kind of information from that level of action, it would be very helpful to providers. It is very detailed, it is very educational, and very helpful.

With that said, I thank the committee for inviting us, and we'll turn it over to the next speaker.

DR. ROTHSTEIN: Thank you, Mr. Hughes. I'm sure we are going to have a number of questions for you. Any burning ones? Kepa.

DR. ZUBELDIA: Yes. When you mentioned the relationships as business associates between covered entities, what are you talking about there? Like between a provider and a clearinghouse?

MS. LOMESSELLI: We are talking about two different kinds of situations. Emerson Hospital is a 145-bed hospital, and I have calculated that we have approximately 800 business associates agreements that we need to do, based on my attorneys and my reading of the situation. Each one is taking me about four hours, so if you multiply that out, that is about two years. So I know I can't possibly fit two years in between now and next April 14, but I am trying very hard.

I estimate that about 300 of those business associate agreements are between us, the hospital, and members of our medical staff. We have gotten certain attorneys' opinions, and this is why clarification would help. Certain opinions have been given to us, that if our physicians are performing functions for us, if there are physicians performing immunization review, emergency room physicians that we contract with that come in, if certain physicians function as chairs of our committees, do peer review for us, function as outside experts, these are physicians that are covered entities as well. So for me to sit there and work with 300 people to fill out business associate agreements when they are reviewing the care of our patients, doesn't seem to me to be a good use of my time, quite frankly.

There are about 25 business associate agreements sent from insurance companies in the health care environment. As a hospital, sometimes an insurance company asks us to perform utilization review on their patients. If I have Harvard Pilgrim insurance and I am a patient in the hospital, even though Emerson Hospital is taking care of me, Harvard Pilgrim wants Emerson staff to do a utilization review.

So in that scenario, we are doing what is called delegated functions of Harvard Pilgrim Health Care. So Harvard Pilgrim Health Care wants us to fill out a business associate agreement because in that situation they believe we are a business associate of them, which doesn't make any sense, because they are our patients in the first place, if you know what I mean.

So it is very convoluted, and quite frankly I'm not sure where this is really adding to the patient. So some clarification definitely would help.

DR. ROTHSTEIN: Thank you. Other burning questions? If not, we will go to Mr. Hill.

MR. HILL: Good afternoon, and thank you for the opportunity to speak with you. My name is Mark Hill. I'm the Director of Compliance with Principal Financial Group compliance. Principal Financial Group is a company that sells financial products and services worldwide. The reason I am here today is, we also sell group health, disability and business insurance, provide coverage to approximately 1,600,000 members in 50 states and other jurisdictions.

I am representing today the newly combined AAHP and HIAA, which has 1,300 members, providing health, voluntary care, vision, disability and supplemental coverages to more than 200 million Americans.

First I would like to say that the association and its members supports confidentiality in health information, and have done so for years. Using this information to further the interests of our clients is the lifeblood of our operations.

I'm going to speak about two topics here today. They are all fairly well interrelated. First I'm going to talk about the challenges we faced in implementing the rule, and then I'm going to speak about some continuing challenges that still exist.

I have been accused of stating the obvious, and I am going to do it again today. This rule is a very difficult rule to understand. It is law, it has had many changes during the course of implementation. It is full of terms of art that are not readily accessible and that have meaning only within the rule itself. The proposed rule, final rule, proposed modification, final modifications take up 648 densely-packed pages of the Federal Register, and there are in addition 214 and counting questions and answers from the OCR.

Our greatest challenge, and I am speaking for the principal right now, our greatest challenge to the implementation of this rule was coming to grips with the rule itself and figuring out what it was we had to do. We are a very sophisticated compliance operation with lawyers and compliance professionals fully connected to the trades. I would just say as an aside, from attending the WIDI conference here this week, there is still not consensus on many of the critical components of the rule among various industries that are governed by the rule.

After coming to grips as we could with the rule, we then conducted an inventory of where we are getting PHI and how we are using it. We developed intricate and detailed policies and procedures to implement the rule. We reviewed and are in the process of amending tens of thousands of business associate agreements. All of our authorizations had to be changed, even those that were used by non-covered lines of business. We developed training, which was particularly difficult on the line level because of the complexity of the rules.

Finally, tens of millions of privacy notices have been sent by the covered entities which I represent. Principal alone sent 1.6 million notices. All of this took staff time and money. One of our member companies estimates it cost $2.5 million to do this. I don't think it would be remiss of me to say that every dollar that is added to the cost of the system translates to an increase in the number of uninsured.

Now, for a company like mine, the number one challenge in implementing HIPAA -- because we are a company that does business in 50 jurisdictions -- is determining at the end of the day what is the functional law that affects us in any given jurisdiction. For each state law we have to ask, is this state law contrary to HIPAA, in which case HIPAA pre-empts it, or is the state law stricter than HIPAA, in which case it pre-empts HIPAA.

Attached to my testimony there is an incomplete list of state laws, but it is very long. I might add that these state laws also include not just privacy laws, but laws involving guardianship, personal representatives, the rights of parents, which were all modified by the courts in those states sitting at law and at equity. This is a very complicated process.

Now, for my particular business, the group insurance business, it is more complicated yet, because we have to determine for each state law, is the state law -- is it what we call resident applicability or contract state applicability, which means, does it apply to the state where a member is residing or does it apply based upon the state where the member's contract may have been issued. In much of our business, the contract will be issued in one state. A member who is part of that employer group may be in another state.

Our conclusion has been that in a number of these laws, you may actually have applicability of three sets of laws, federal law and two state laws. We have to do this kind of pre-emption analysis across all three, which is an extremely complicated and time consuming process, where there is really no certainty as to the result.

On top of this, the state laws are changing. Last year 232 proposed laws were introduced in 43 states; 43 of those laws were enacted, so this is a constantly changing landscape, where there really is no certainty. AAHP and HIA believe that consumers would be better served by one coherent well thought out law.

The next issue I'd like to speak about are the privacy notices that member companies have sent. Really, this is a derivation of the earlier issue. The OCR has opined that these notices must include information about state or federal laws that either prohibit or materially limit the sharing or use that HIPAA allows without authorization.

As I think I have alluded to earlier, this is an extremely long and cumbersome analysis and would require authorizations that are also very long and complex. Not only that, but these notices would have to change as the law in the states change. I would remind everyone that we sent out 1,600,000 notices, and we might have to do that yearly.

Our recommendation is that this interpretation either be changed or we have included language in our presentation which we would like to see adopted, which says basically in the notice, our use and disclosure of health information and your rights may be affected by other federal laws or state laws of your state. Information on these requirements may be obtained by contacting, and then a contact number, so that the notices wouldn't have to change all the time.

We too have seen confusion in the contracting issue, the BA issue. Our member companies have been asked to sign BA agreements by government entities and other entities that aren't covered entities, where they are assuming we are their BA, rather than they being our BA. It is a very confusing situation, and we would second the opinion that has been voiced here that there needs to be more clarification from OCR on this point.

We would also, from our interaction with providers, either providers giving us information or stories we are hearing about providers giving one another information, recommend that there be more guidance on when the information can be shared between providers and providers and carriers.

Finally, I think one population that is subject to these rules which really has not had much of a voice in many of the presentations are those at the ERISA health plans. April 14 is the date when the smaller ERISA health plans are going to have to be in compliance with this law. They don't have the resources of any of the entities here, the insurance companies or the big provider groups. They are woefully behind the curve on preparing for these rules, and they very much need assistance from OCR in knowing how to go about compliance, and simplification of the rule for them would be wonderful.

We have another issue involving the authorizations. We believe that there should be a different standard applied to authorizations between when a person is asking for their information to be released to a third party on the one hand, and on the other hand when a third party is coming in and asking for an individual's information, that some of the technical requirements that the authorizations be relaxed, when for example I am asking that the entity share my information with somebody else, or the request is emanating from me.

In conclusion, we fully support privacy. We would like to see clarification from the OCR of some of these points and modification of some of the interpretations.

DR. ROTHSTEIN: Thank you very much. Any immediate questions, or can we hold them? Dr. Kibbe.

DR. KIBBE: Good afternoon. It is a pleasure to be here and see some of you again. I believe this is the third time that I have had the opportunity to do testimony for NCVHS for these issues --

DR. ROTHSTEIN: And still coming back.

DR. KIBBE: -- and still coming back, right. My name is David Kibbe. I am the director of a new division within the American Academy of Family Physicians called the Center for Health Information Technology.

I think the major issue that we are here to discuss, or at least that I would like to do in representing the small and medium-sized practices that predominated among our 90,000 members of the Academy is, is personal information better protected than before the rule.

I think the answer to that question is undoubtedly yes, particularly from the point of view of the small practices. I'm not sure that it was a terrible problem in most providers' offices before the rule, but there is no question that we have a greater awareness than we did before, and that there have been real significant improvements in some of the security and privacy issues in some of the doctors' offices since the rule was passed.

Let me explain a little bit about my role at the Academy. I am the co-author of a book called The Field Guide to HIPAA Implementation, which was published by the American Medical Association and now is in its second printing. Starting over a year ago with the American Academy of Family Physicians, HIPAA was really my beat. I wrote most of the articles that appear on the website and were published in Family Practice Management. I gave most of the talks at the assemblies for our organizations as well as giving talks across the country at our sister organizations on a fairly frequent basis. We have provided materials on our website. We have provided tools in our Family Practice Management and other journals.

I think that one of the things that I want to address here is that if indeed we are protecting health information than we did before, what was the pain, what was the problem? I am the person at AAFP that gets the questions about HIPAA and has done so for over a year now.

The reality is that there have been strikingly few problems reported to me or anyone else in the AAFP organization around HIPAA, particularly around the privacy and implementation. I can count on two hands the number of e-mails that I have gotten around HIPAA and its complications or problems since implementation of the privacy rule. I have well over 8,000 e-mails dealing with electronic health records alone as a subject, so I am in daily contact with many hundreds of our members.

This is a real opportunity to try to reflect and try to understand why there are so few complaints and so few problems with the implementation of the privacy rule among our 90,000 members, 60,000 of whom are in active family practice. Mostly it is small medical practices of five or fewer physicians.

One of the things was that we got it about right. We did a great deal of education. We did a good deal of preparation. I think the sister organizations, the other medical specialty societies including the AMA, ACP, the others, worked with us fairly effectively over a period of time to get the important details about how to implement the HIPAA privacy rule to medical practices.

I also think that one of the reasons for this going so smoothly has to do with the fact that while there may be -- and I certainly understand from the hospital world and from the health plans world -- an enormous amount of activity associated with for example business associate agreements.

In small doctors' offices, there are pieces of HIPAA that really haven't been digested yet, and haven't really been worked on, and therefore may not have come up and caused pain and suffering yet. We may be seeing that the business associate contract issues, that I would certainly second as being potentially very, very difficult for small medical practices, do become a problem in the future. But I think I have gotten one or two e-mails about this business associate contracts to date from our members. This, despite the fact that we have published very detailed documents about how they should avoid for example high-priced consultants, and work with their state WIDI and SNP organizations to understand how to get business associate contracts, like the one we did in North Carolina, which was vetted by several legal organizations in that state. It provided essentially a template of the business associate contract that a small doctors' office could use.

The problems that I have heard about -- and again, these are very few -- have mostly dealt with over interpretation of the HIPAA privacy rule on the part of other entities with which small providers, physician organizations, physicians themselves must deal with in the course of providing care.

So for example, a physician who found that when she called her pharmacist in town, a patient in the office requesting narcotics, never seen the patient before, small town, called the pharmacist and said, could you provide me information about this patient who I am seeking to treat with regards to his or her use of these controlled substances, was told, we now have a policy throughout our pharmacy chain that we can't give you any information over the phone about any patients. Hospitals that have stopped faxing certain kinds of information to their doctors' offices because they felt that that was a violation of HIPAA.

Those are relatively minor problems. They grate when they happen, and to a large extent they may be outside the purview of the practicing physician or even the AAFP to deal with them. But those are the ones that I think are most likely to have come to my attention.

I think that in general, most family physicians have taken a pretty practical approach to the implementation of the privacy rule, grumbling and mumbling that this is costing extra money, and it is not really all that helpful to us or our patients. I would love to see more family physicians take the approach that Janlori recommended, very positive. We really presented that as the way to do this, but in reality I think that hasn't occurred very much.

I think one of the reasons that so many physicians in small practices have been apologetic to their patients about the notice is that the patients don't know very much about it, and they weren't really prepared for dealing with the privacy rule. There have been some instances in which patients thought this was a violation of their privacy, and then wouldn't sign, so it backfired. But I think overall, those are fairly minor problems that went away rather quickly.

I do think that we are in need of -- and I would hope that we would be able to do this in the next coming months and perhaps year to year and a half time frame -- think through what the best practices are for small and medium sized medical practices with regard to the HIPAA implementation, and do the same thing for hospitals where those doctors practice. I think we are missing that information right now. Many of us have wiped our brow and said, we're through it, it's over, it has been implemented, let's get on to other things. So when you ask the question, is there a model or best practice for a small and medium sized practice with regard to HIPAA implementation, I would have to say that there are several out there, but I don't think I know which is the best one.

There is no question that family physicians around the country are much more aware of the privacy issues than they were before. They are implementing not only the privacy rule, but they are also implementing the security rule. Every time they purchase new information technology for example in their office, practice management system computers, electronic health records, they are aware that those systems must be implemented in a way that are in compliance with a security rule that get at the same issue of protecting the patient's privacy and making sure that the health information is not disclosed inappropriately.

My last comment would be that we probably are going to see problems with the business associate contracts, along the same lines that the folks representing the hospital industry have seen. We have argued that it really doesn't make sense from our point of view to take the smallest unit of the health care system, the small medical practice, and make him or her responsible for being a guardian of all these business associate contracts. An average medical practice could easily have 20 or 30 business associate contracts to work with, and this is potentially a large expense to those practices in legal fees, and quite confusing.

I don't think we have seen that problem occur yet, because quite frankly, I don't think that many medical practices and physicians who own and run them are even aware that they have a business associate contract obligation. So in that way, I think that the hospital industry is ahead of us in feeling that pain.

Thanks for the opportunity to talk with you again.

DR. ROTHSTEIN: Thank you, always good to hear from you. Are there clarifications for Dr. Kibbe? Hearing none, the floor is open now for discussion. Let me suggest that we will go to 2:30 and then take our break at that time, so we should have ample time for questions. I've got 20 or 30, I'm sure. So Russ, do you want to go first this time?

MR. LOCALIO: I will address my question to anyone who wishes to respond. I will give you a scenario and ask what went wrong.

Last spring I was at church, and the priest announced that all people who were about to go in the hospital would have to notify the church in advance that they were going in the hospital if they wanted a priest to be able to visit them. I heard it again the following Sunday.

Now, I knew this to be an outrageous interpretation of the privacy rules, but the archdiocese of Philadelphia is a large organization. It has its own health care institutions, and it has many people who belong to that archdiocese. How could an organization this large become so confused? What went wrong?

DR. GOLDMAN: It didn't just happen in Philadelphia with the archdiocese. I think many of us had an experience where the directory of information in the next of kin sections of the regulation were, I would say, not over interpreted, but misinterpreted. Just a plain misunderstanding that it was an opt-out that was required, not an opt-in.

The question is, more importantly, seven months down the road, how does the archdiocese now interpret the regulation? Do they continue to have that interpretation, or have you been so persuasive with them as to explain the regulation to them?

MR. LOCALIO: No, I haven't said anything to them. But I have heard no retraction to that statement, so I would ask, is it that the information didn't get out? Should OCR have been explaining to more of these entities and have a lot of members as to what was going on?

The reason I point it out is, from the interpretation of the people in the congregation, this was interpreted as a terrible intrusion of the federal government on their ability to exercise their religious preferences. This is a serious problem. But what went wrong? I don't know.

DR. GOLDMAN: As I said, it is not uncommon that the law was misunderstood or misinterpreted. My understanding is that -- and there were a lot of press pieces in Pennsylvania that related to this issue -- that hospitals in many places explained to clergy that that is not what the regulation required. So I do think that maybe what is necessary is another statement from the pulpit. We can do a whole HIPAA education through the churches. I can't believe I am suggesting it, but outreach is outreach.

But I do think that what went wrong is a tough question. I don't know what went wrong. I was surprised myself at some of the larger hospitals that just flat out misinterpreted the law. I don't understand why. Maybe my colleague to the left could help explain.

DR. ROTHSTEIN: Let me just comment on that, and then I'll ask if someone wants to respond. This point that you raise, Russ, it has sort of taken on urban legend dimensions. I have experienced it a dozen times over the last year, where people believe absolutely that this is the way the rule is, and isn't it an outrage that this would be the case.

So I'll allow Mr. Hill to respond, and then John.

MR. HILL: When I was thinking about my preparation today, the way I stated the obvious; I think this rule is an extremely difficult one to come to terms with. It is very complicated. It addresses divergent audiences with the same language. I think its complication and its pervasiveness lend itself to these kinds of interpretations.

You say it is a misinterpretation, but there are a lot of misinterpretations. There are a lot of different interpretations of this rule, which is why OCR really needs to step up to the plate and help straighten this out. It goes back to the complexity of the rule, I think.

DR. GOLDMAN: In all fairness, lots of laws are complicated, and this is one law that some people do say is complicated.

On the next of kin and directory section, it is straightforward. Anybody, maybe even my daughter, who is ten, could read that section and understand it. It is not a complicated section of the law. So I think that it is important to ask the question what went wrong, because I think it is a clear misinterpretation.


DR. HOUSTON: Just to follow up, I agree that it is a very complex law. I know I spend a lot of my time correcting people in my organization, which is a very large and complex organization. Even when someone in the HIPAA program office will say here is the interpretation, they will come back and say, no, that is wrong, you're wrong, and here is what it really means.

It is something that happens quite regularly. It is not that these people are dumb or unsophisticated. But the rule and its breadth and its size, sometimes -- if you aren't looking at every single section, and become an expert on every single section, sometimes it is real easy to slip up and make a mistake. You hear these urban legends at the same time. You get one person who gets it wrong, and somebody in the diocese believes they understand it, says something.

I am actually involved in a volunteer organization that provides emergency services, and there was a huge misunderstanding about the applicability of HIPAA, huge. I spent hours on the telephone with attorneys, discussing this issue through. It is something that is prone to misinterpretation. No matter how good OCR is, I think it is prone to misinterpretation. This is going to be a continuing issue that simply is going to have to be dealt with on a piecemeal basis. I hate to say it.

DR. ROTHSTEIN: Dr. Cohn and then Dr. Harding.

DR. COHN: I am inclined to suggest that maybe the problem is that they need a new lawyer, but I'm not a lawyer, so I can't comment.

I wanted to change the topic a little bit. I was looking at your testimony, and I had two questions for you. Number one is, I want a little more clarification of your testimony. You discuss the situation where hospitals are treating patients or employees of the hospital. You seem to be insinuating that prior to the HIPAA rule, patient care information was being freely commingled on a routine basis with employer information. Is this what you intended to say here, or am I misreading this?

DR. HUGHES: No, I think you are misreading it. I'm not saying that was commingled before. I just think that some of the conflicts have certainly been heightened by some of the changes in the privacy rule. I think people are trying to figure out how things fit together, and it is in trying to figure out how things fit together that I think these issues arise.

It is not necessarily an issue that requires a change in the rule. I think it is something that requires some additional information and guidance that would be helpful to organizations, to know how to respond to those kinds of conflicts that they see between objectives like improving patient safety and protecting patient confidentiality. I think those are conflicts that arise because of what is already there.

DR. COHN: Maybe we will come back to that a little later. You have a couple of page discussion about a proposal from the AHA about disclosure requirements. I was looking through this, and I couldn't decide if this was a solution to any problem, or whether it was just an interesting set of statements.

I'm not a lawyer, so I apologize if I may be misunderstanding some of it. But it seemed that -- is this a partial solution to a problem? Maybe your associate from Emerson can assist us with that.

DR. HUGHES: We see it as a solution to a problem that has been created because of particular requirements for accounting of disclosures in the privacy rule itself. While we certainly support the effort to get information out to patients about where their own information is disclosed, particularly in the public health context.

I think we are talking about something that as the rule is currently written and currently interpreted, requires an enormous amount of paperwork to be ready to respond to those requests for accounting of disclosures, even if you never get one. You have to make individual notations in patient records in order to prepare for this.

We think that the solution that we are proposing gets the same level of information out to patients, but eliminates this enormous paperwork burden that hospitals and others have to engage in right now.

DR. COHN: We heard from the public health community this morning. They were talking about the burden of disclosures. They were suggesting that maybe some of the public health disclosures should not be -- there should not be an accounting required.

But your proposal seems to be in a slightly different direction, in the sense that you are saying some of them should not be, but you are including individual identifiable, which I think are the bulk of public health disclosures, at least in my experience.

DR. HUGHES: We are talking about carving out, for the detailed requirements for an accounting of disclosures, to those type of disclosures that affect the individual's position, legal rights or obligations.

I'll give you an example of what we are talking about. When you disclose for example information to an agency because you suspect someone of engaging in child abuse, that would be something that you want to provide a detailed accounting about. But when you are talking about disclosures that are made on a mass basis, for example, for public health surveillance, particularly to look for bioterrorism syndromes or things like that, you are not disclosing information in the sense that it is about that particular individual that we are interested in disclosing the information. It is the general kinds of information for a group of people. The purpose is itself a group purpose.

This is something that I think you could easily let patients know that you do that right up front, rather than having to account for, on this date I disclosed this information to this agency for this purpose, in terms of general things. But we are not saying that there shouldn't be a detailed accounting for certain types of disclosures. We are just carving out a group of those.

DR. ROTHSTEIN: Mr. Hughes, I want to follow up on that. This morning at the public health panel, we were also discussing this problem of accounting for disclosures. The suggestion was made that it was having a negative effect on the willingness of providers to market these public health reports which we all deem to be very important.

I posed a possible solution to the problem for at least the public health people, which for reasons that will become apparent, they would support. I am interested to hear whether you in the industry would support that, and also, JanLori, whether you think this would be consistent with your view of the privacy rule.

As things stand now, accounting for disclosures is required for legally mandated disclosures such as public health reporting, but it is not required for disclosures that are not legally mandated but are pursuant to an authorization such as for marketing.

I asked the other folks if maybe the rule got it backwards, and what we ought to do is mandate accounting for disclosures pursuant to authorizations under the theory that if you sign an authorization, you have the ability to revoke your authorization if you think that these disclosures are leading to things that may be harmful to you, whereas you don't have that right for public health disclosures because they are mandated. What would happen would be, in the notice of privacy practices -- and I think this is consistent with at least some of your statements -- that the covered entities would put in there that we are obliged by law to report these kinds of public health things, infectious diseases, et cetera. Then there would not have to be any further accounting for those types of disclosures.

So as a possible solution, I'd be curious to see what your response will be.

DR. HUGHES: I guess my first reaction in terms of accounting for disclosures made under an authorization, presumably the authorization gives the kind of information that the patient would need to know that you are disclosing the information. So I'm not sure what --

DR. ROTHSTEIN: Well, that is the theory at the moment. But as a practical matter, you may not know how many times it has been done. You authorize one company to get access to your records so they can send you information about the latest orthopedic mattresses, and you don't realize how many other disclosures this company is going to make, or how many times it is going to be used for those sorts of purposes.

So let's leave aside that for a minute, because that is the other side. I'd like you to focus on this question of whether you think that a notice is sufficient in the notice of privacy practices, in lieu of the disclosure for legally mandated disclosures such as public health agency reports.

DR. HUGHES: I think that is fairly consistent with the kind of approach that we have outlined in our proposals to HHS and OCR.

DR. ROTHSTEIN: Janlori, what do you think?

DR. GOLDMAN: I don't think it is a direction we should go in. We already have removed the accounting for disclosure requirement for treatment, payment and health care operations to allow the information to move within the core health care arena.

I think the purpose of the accounting is that most people don't know what those mandated legally required disclosures are and to whom the information is going, and for what purpose of the accounting. So within that person's record they know where their information is going and when.

So it is not to discourage the reporting. The issue that some have raised, saying that the accounting for disclosure is a disincentive on reporting, there has been a problem with reporting for a long time in terms of spotty reporting, incomplete reporting. I'm not sure that this adds much of a burden to that.

But I think what is really important is that it should be in someone's record if the information is disclosed in an identifiable form. A lot of what I have heard about syndromic surveillance is that the information is not going to leave the hospital in identifiable form. Maybe there are different plans in place, but what I have heard is that many of the initial plans are that that information will leave in some kind of non-identifiable non-aggregate form. If there is something that gives people concern, then they report back to the place where the information was disclosed.

If it is disclosed in identifiable form under a legally required reporting requirement, people should know that. One of my concerns is that usually the accounting for disclosure relates to an entity that is receiving the information that is not covered by the privacy rule. So the public health departments, law enforcement, researchers, none of them are covered. They are not covered entities. They don't have business associate agreements, they are not covered entities under the law. So they are not bound by redisclosure, re-use, the purpose for which they collect it. They are not bound by the rule.

So I think it is important that if there is some breach, if there is action that is taken against an individual, the accounting for disclosure allows them to go to the record and say, you disclosed here, that is why this happened or that is why this action was taken, or that is why I got the knock at the door, whatever it is that is supposed to give people notice and help them stay informed about where their information is going.

DR. HOUSTON: That really doesn't change things, though, because if there is a required reporting -- if required reporting occurs, whether it be specifically documented within a record, or the patient came back and says this occurred, and you say here is an accounting of disclosures of your record, but oh, by the way, if any of these types of things occur, here is the types of reporting that we would have done -- victim of violent crime, gunshot wound, child abuse, whatever. I would think a reasonably informed person or even if they sat down with HIM staff and could determine whether any of that type of reporting may have occurred, if it really was an issue.

So I don't think that it necessarily changes the outcome as much as it changes the amount of burden it is on a hospital. I have to agree with Lawrence; working for a large hospital system, one of the things I asked about two or three weeks ago to all of our HIM directors was, have we had any occurrences of requests for accounting. I think there was one out of the whole system.

That is my concern, that we are feeling the burden of doing a lot of documentation of accounting, and I think we are finding that there really hasn't been much of a call.

DR. GOLDMAN: Do you find that there is any value to larger institutions such as hospitals knowing where information goes in terms of the integrity of the record? That the record itself contains information and accounting of where the information goes? Certainly internally you would have that record, audit trails and --

DR. HOUSTON: From an integrity perspective, I'm not as concerned about where the information goes as much as where it came from. These types of accountings, we have to do an accounting --

PARTICIPANT: We are required by law to do most of these accountings, where we submit birth records, death records, tumor registry. We already know where it is going, that is not the point. We already have an accounting. It is just in a different format and in each person's record.

I think from the education point of view, your proposal -- Janlori and I are trying to get to the same end result, which is education.

DR. ROTHSTEIN: I just want to ask the second half of my question. That is, Mr. Hughes was, shall we say, not wild about the idea of accounting for disclosures pursuant to authorization. My question to you, Janlori, is, is it worth it from your perspective, from a privacy standpoint -- would we gain anything by doing that? I understand the view that it would be burdensome. I want to know, is there any sort of payoff under which we might want to consider that? If there is no payoff, then obviously we don't want to consider it because it is allegedly burdensome.

DR. GOLDMAN: It might be shocking that I am not going to suggest that we continue to regulate. But I would say, in that area it is not worth it, my gut reaction. The authorization has to be kept in the record. I think when people are signing the authorization, that is the notice to them that they are signing it, that the information is going somewhere else.

My understanding is, the authorization needs to be pretty specific. Your example about the mattress company, it needs to be pretty specific. You are authorizing the disclosure for a particular purpose to a particular entity. If they then reuse it in some other way, you have got that authorization. Hopefully it was drafted in a relatively limited way.

I think the protections are built into that process. Maybe in a year or two I would have a different view, but that is where I am today.

DR. ROTHSTEIN: Last point on this, and then there are other people that want to talk about other issues, I'm sure. Dr. Kibbe.

DR. KIBBE: Let me just briefly point out that it is my experience that the public has not awakened to the new civil right that they have to gain access to their health information, comma, dot, dot, dot, yet. I think that we are building an informatics structure in this country -- we are designing one anyway -- that it is very patient-centric with regard to the information.

So absent that consumer desire to control one's own health information, we may not be able to answer the question of what value is there in an accounting process like the one that you are describing. If in fact I were in a world where I had control over copies of my health information, I might indeed want to know precisely where that information went, or copies of that information went from the providers that I have seen in my experience in the health care system.

But one of the really amazing parts of this whole process is that we haven't seen patients demand their medical records yet.

DR. ROTHSTEIN: Thank you. Dr. Harding.

DR. HARDING: Does anybody want to follow up on this topic?

DR. ROTHSTEIN: No, we have heard enough about that.

DR. HARDING: Well, things change from when you raise your hand and you get called upon. I was thinking about this issue of the political social times which we live in, and the fact that HIPAA came along during the time when unfunded mandates and Big Brother and all kinds of things were at the forefront. I think HIPAA does get things projected onto it sometimes that it doesn't quite deserve, for whatever political reasons.

But I wanted to get to business associates. You were mentioning in your testimony that you had 800 business associates at the hospital and 300 doctors and so forth, and those are covered entities. In my hospital, we have 1,000 beds and a bunch of doctors, but there are no business associate contracts with the doctors. We had to attend HIPAA compliance, from the hospital, and that was it. It didn't have that.

Which brings me to asking you all for a comment about subcontracting and using the example of the transcriptionist. In San Francisco, one of the major hospitals -- for those of you who don't know, just quickly, a transcription service with a major hospital in San Francisco contracted with a person here in the states to do that, subcontracted three times, I believe, and the final transcription occurred in Pakistan, with the person not being paid for their services, and making a threat via e-mail to an individual saying, unless the bill was paid, we are going to put information on the Internet about your health condition.

Now, I don't know exactly what the question is, but it certainly involves business contracts, and it involves subcontracting and business associates. I wondered if you all had any thoughts about that issue. Are we doing this too carefully or not carefully enough, and is there any condition about national as opposed to international contracting. I know many hospitals have contracted with international transcription services all along.

So pardon me for my long question. Any thoughts?

DR. ZUBELDIA: Pay your bills on time.

DR. HARDING: Pay your bills on time. Then you don't have to worry. Easy solution.

PARTICIPANT: Actually, I have gotten two attorney pieces of advice. One advises us to create business associate contracts with our chairs of our department, and the other one was going back and forth about the issue. So the reason I am here is, I am really hoping to get some clarification, so that will save me 300 business associates that I need to write. Maybe the privacy officer is in the same boat, so maybe they haven't gotten around yet to that.

In my point of view, I would much rather concentrate on exactly the problem that you are talking about. If I am looking at what is a priority in my hospital, I definitely want the business associate agreements with those companies that do transcription services, that see patient information. They are the ones I want to concentrate on, and the other ones I should be paying attention to, not 300 docs who are good persons, anyway.

I think for the purpose of protecting patient privacy, I think we need to have a priority level here. I would like to prioritize or see some kind of prioritization that it is the outside vendors and other people that get patient information. I'd like to spend my time contracting with them. So some clarification so I can focus on them would be very helpful.

DR. KIBBE: The underlying problem is that you have different classes of obligations. In an increasingly connected world, where copies of health information can exist in servers and multiple places and caches can be in various places, why is it the responsibility of the health care provider to guard all of that? Shouldn't we have a single law protecting health information that applies to everybody who handles it? That is a big change, but I think that is the problem. I don't think we are going to solve that problem by finessing these business associate contract issues. What we really ought to do is fix the law so that we don't have business associate contracts, because everybody must abide by the same rules with regard to privacy and security.

DR. ROTHSTEIN: So I take it that is a statement by the health care industry and at least one of the medical associations that you support expanding the scope of HIPAA?

DR. KIBBE: In that one regard, indeed.

DR. ROTHSTEIN: Mr. Houston.

DR. HOUSTON: Thank you. I have a couple of questions for Janlori. Do you have any specific complaints that your organization has fielded directly or been involved in?

And this is a followup question to that. You spoke of marketing abuses, and I am really interested in understanding. I haven't heard of any. I would be interested in understanding where some of those have occurred.

DR. GOLDMAN: You may be aware, shortly after the people were required to be in compliance back in April, we set up a complaint monitoring initiative at our site. It basically has a template of a complaint form. People can download it and just send it to OCR. They can send us a copy of it if they wish, and we keep it in a lockbox.

But our goal is not for us to investigate or do any -- that is my caveat.

DR. HOUSTON: No, I understand. You indicated that you had heard of it.

DR. GOLDMAN: Yes. We have received quite a few copies of complaints, and we have gotten lots and lots of calls. I'm not in a position to verify, because I am not doing any followup. I don't want to do the followup or want you guys to do the followup, or OCR to do it.

The complaints are all over the place. Some of them were about, I requested access, I didn't get access. I received something in the mail from a drug company; how did they know that I had this prescription filled. I received something from an employee assistance program recommending I switch drugs, does that mean by employer now has access to this information. Some of them are within HIPAA, some are outside of HIPAA.

We do know prior to the regulation going into effect about drug company access to prescription data. This was widely reported in the press throughout the late '90s and early part of this century. We do know about that, so we know it exists. This regulation does almost nothing to prohibit it. I think it is scandalous. It is one of the provisions in the regulation that I think is inexcusable.

DR. HOUSTON: I think when we met a few weeks ago, there were 5700 complaints out of OCR, if I'm not mistaken, and I think 60 percent of them had been closed in the course of initially responding. Maybe it was 40 percent.

DR. ROTHSTEIN: I think it was very high.

DR. HOUSTON: Maybe I'm wrong, maybe it was 2700.

PARTICIPANT: The percentage closed was not 60 percent. It was significantly lower.

DR. HOUSTON: My only point is that there weren't that many complaints. In the greater scheme of things I thought there would be a lot more. That was my first impression. I really am trying to understand what the sensitivity of patients is, because I'm not getting a lot of direct information back as to systemic issues that are still out there, and I just thought maybe your organization might be better suited to be able to comment on those types of things.

DR. GOLDMAN: We are not an oversight organization, we are not a watchdog organization in that kind of hands-on sense. But I want to say that to me, if there were ten serious complaints that were filed -- ten, if there were three that we know were referred to the Department of Justice, that is serious. It doesn't have to be systemic to be serious.

I think that the fact that we do know that compliance has been relatively comprehensive, that we do know there is a good faith effort being made to comply with the law. We also know that consumers are not educated about what the law entitles them to, so filing a complaint is a very ineffective way to monitor compliance with the law and where there might be breaches. That is one of my concerns that I stated in my testimony.

But I think the fact that there have been thousands of complaints filed within seven months to me says it is quite serious. It doesn't mean that those are all complaints that will be resolved and found to be accurate on the law.

DR. HOUSTON: Again, I think you are more patient-centric, or at least as a patient advocate as much as anything. I was hopeful maybe you would have some more direct insight.

DR. GOLDMAN: We do, but I am reluctant to rely on what we have received, only because we know people say they are not getting access to their records. There is a hospice organization in Florida, it was reported in the press, it is in our testimony, that had information shared within a software system on patients. There has been no followup from OCR yet. We have had next of kin problems, with hospitals refusing to let relatives see other relatives, with a reliance on HIPAA.

There have been problems. There have definitely been problems. We do have information about that. There have been quite a few complaints, both in writing and by phone. I am curious to hear from OCR, what is the followup, what is happening.

DR. ROTHSTEIN: We need to move on. We have one more questioner. Before I get to Kepa, I want to ask for just a quick answer to this question. One of the things that we had heard during our many hearings was what struck many of us as a Chicken Little forecast, that after the privacy rule went into effect there would be thousands of common law invasion of privacy lawsuits using HIPAA as the basis for that.

I want to ask Mr. Hughes and Mr. Hill, from your experience and the companies that you deal with and the institutions, is that the case, as far as you know?

PARTICIPANT: It is too soon.

DR. ROTHSTEIN: Thus far, have there been lots of lawsuits? Have you been sued?

PARTICIPANT: I think it is too soon.

DR. HUGHES: There are some lawsuits working their way through the system to test different theories, but has there been a flood of lawsuits that are using HIPAA and HIPAA standards as the violation? No. I think it is a test.

DR. ROTHSTEIN: Thank you. Kepa.

DR. ZUBELDIA: You made a recommendation that was kind of striking. That was to have OCR not just rely on complaints, but also have OCR conduct some sort of survey to see what programs are out there. How can that be done without being on the front cover of the Wall Street Journal and the front page of USA Today, and without this Big Brother police coming to check your records? Is that even feasible?

DR. GOLDMAN: My understanding, and there are probably other people in this room who can be more accurate on what HIPAA allows, but my understanding is, the law empowers HHS to conduct oversight, to conduct an investigation, compliance reviews.

DR. ZUBELDIA: I'm saying initially.

DR. GOLDMAN: I understand, but I don't think that -- my understanding of the way currently -- IG offices in many different agencies of the federal government regularly show up to oversee Medicare, Medicaid, other kinds of arrangements. They are not on the front page of the paper.

It is not to suggest that anyone is doing anything wrong, and I don't imagine that those kinds of reviews would attract media attention. I think what would attract media attention would be a serious breach, not that HHS is doing what it is supposed to and what it is authorized to do under the law, which is to see how compliance is going, to do an audit, compliance audits randomly, not picking on anyone, but to look across the health care spectrum.

DR. ROTHSTEIN: Last point.

DR. HOUSTON: For Dr. Kibbe I just had one question. Anecdotally, I have felt that small physician practice compliance has not necessarily been high. That is my anecdotal feeling. From your perspective, what is the level of small physician practice compliance with HIPAA today?

DR. KIBBE: We don't have any data, either. We haven't done any audits, and I don't know of anybody who has done any. I think among our members, my general sense is in talking to physicians around the country and having done these talks and so forth, is that they are complying at a minimalist level. The notices are being done, the acknowledge of the notice is being done, translation is being done in language that makes sense for those practices.

I have some anecdotal information about the business associate contracts, which leads me to believe that many of our members in small practices still don't really understand what those are. So I think that there is a heightened awareness of the importance of privacy and protecting it. I think they have changed procedures in their offices fairly generally. I think they are complying with the notice. I'm not sure if they are complying with --

DR. HOUSTON: The rule?

DR. KIBBE: Yes, it's just not clear. What seems to be clear however is that they are not getting a lot of complaints from their patients. If they were, I think I would be hearing about that. They are not complaining a lot about being hassled by anybody else most of the time.

So it is a real open question. I think we need to find out more about that whole issue.

DR. ROTHSTEIN: Thank you. Any further questions? Hearing none, we will take a break to 3 o'clock. I want to apologize to those on panel number four. You will get your full time. We will just take it out of our dinner break.

(Brief recess.)

DR. ROTHSTEIN: We are back on the record for our fourth and final panel of the day. I'm sure those of you who heard the last panel of health care industry representatives, you may have been mentally amending your remarks, quickly adding things you wanted to cover. But we will be happy to hear anything that you come up with. I want to welcome all three of you, and begin with Mr. Rode.

Agenda Item: Panel 2: Health Care Industry Representatives

MR. RODE: Thank you, Chairman Rothstein, members of the committee. Simon is not here.

DR. ROTHSTEIN: Yes, he is.

MR. RODE: I was going to say, Kepa, it is nice to be in front of you and not talking about that other subject, and to talk about privacy instead.

I'm Dan Rode. I am with the American Health Information and Management Association. For those of you who haven't dealt with us on the area of privacy, this has been a little bit of time since we last testified. We have 46,000 members who have been taking care of medical records for 75 years, and many of them in the course of that duty were also in charge of release of information. So as HIPAA privacy moved forward, something that we pushed very hard for, at the same time, many of our members became privacy officers, members of privacy committees. We now offer a certification in health care privacy, and also with HIMS offer certification in security as well.

It has only been five months since the rule came into effect, so it is a little early to look at the state of privacy. But we did entertain with our members, both at our convention about four weeks ago and through our Internet process, try to get a snapshot of where we are with regard to privacy, where we are with regard to the law, get past some of the news stories that we have heard. I don't know if any of you have had to deal with some of the press, but there has been like the story of the hour of this and that glitch, and how cold this be. I think the urban myth is probably going to become the new term here for a little while, because there has been a lot of that kind of process.

We are also very active with the process of going to a national health information infrastructure. So one of our very crucial concerns is the need to deal with these issues that you are looking at, make sure that we tie up the loose ends so that as we move forward into an electronic era, the public has confidence that the entire industry -- and I would agree with everyone else, even a larger group than that, will maintain health care privacy.

We came up with questions to our members. The one thing that I want to mention is, we did pretty well. It is another train that didn't go off the tracks. In the written testimony I have given you a number of things that are going well, not perfect, but we are seeing PHI limited. We have seen a recognition on the part of health care staff, if they didn't know about privacy and confidentiality down to the janitor, they sure do now. We have trained our volunteers.

I understand we have cut reports in some larger institutions. The surgery report doesn't go to everybody and their brother anymore, it goes to a smaller audience. People who got reports don't get them anymore, and are glad they don't. We have dealt with things like data in home offices, something that we weren't sure we were going to deal with before. A lot of good things have happened.

In addition, as our members implemented privacy over the last two years, we actually were able to look at processes and see other benefits. Some of the things I just mentioned to you, we have cut reports, we have changed the way we are doing business. So we have actually gotten some positive benefits tangential to the fact of just maintaining privacy itself. I think that has to be recognized as well and congratulated.

We need to do more. We plan to do more and a more extensive look at this, and give you more reporting in the spring. We are going to celebrate privacy week. We are going to issue a report. We think the industry ought to celebrate this as a milestone, not the end, but the beginning of ways to deal with this, and I hope we can give you some more.

We also came up with some challenges, and I want to just go through those very briefly. As you have this meeting and your next couple of meetings on this issue, I think we will get to look at some of these challenges.

The number-one challenge -- and I'm not going to do a top ten list, we've got a number one, however -- is accounting for disclosures. Sorry to hit you with that one more time.

DR. FYFFE: Hey, you are consistent.

MR. RODE: We are consistent.

DR. HOUSTON: We haven't heard that before, and we are interested.

MR. RODE: Good. We have heard it. We have heard it because it impacts organizations, especially if they go across state lines. It impacts larger organizations rather than smaller organizations. A large health plan down in Atlanta told me they have already spent $40,000 on this, and they can't even get close to figuring out how to make it work, because we are still primarily a paper-based industry. We know that some states have over 30 different laws requiring mandated reporting of one sort or another. That is not all reported out of a central medical record department.

We were asked by OCR last summer to look at whether there were triggering events that we could use to record reporting, and we found we couldn't do that. Some of the reporting is demanded of professionals, some is demanded of facilities. If you have got the combination of the two, they don't always necessarily match. There are some areas of accounting that create some problems. An accounting of an abuse case could be in a chart and have the abuser request an accounting. If we don't have the proper documentation, we could actually be giving information to someone who shouldn't have it, because they came through on the accounting end of it and not on the non-accounting end of it.

But we are putting a lot of energy and effort into it, a lot of cost into it. The question that continually comes up, or what? We think we have the solution. As I have listened to the testimony today, I would amend that solution, and maybe we can do that in the question and answers period.

But our original idea about addressing accounting was to change the requirement so that any release of information required by law would not be accounted for, similar to what you have heard before. At the same time, the notice of privacy practices would indicate that the organization would report as required by appropriate law, or I should say, appropriately report as required by law, and we were suggesting either a list that you post or an a attachment that you could give to indicate what those laws are, and that would allow you to list the state requirements for such reporting in English, not in the section and number that would be under that system.

Where I ran into difficulty as you all talked today is, I used to work in Minneapolis. We had six states that we dealt with. I didn't know if I could say it was required by law, because if I am not in that state, I couldn't remember off the top of my head if I was required or not required, and it gets a little complicated. But something on that order I think is necessary. So I would echo what you have heard today, that we need to address this disclosure process.

The second thing we heard most about was clinical trials and research. You are going to hear about that tomorrow. I'm not going to say much more than to say that what we have run into is the situation where we have institutional review boards, we have experts in the common rule, we have experts on HIPAA, we have hospitals and physicians, and we really think that group needs to get its act together, come together and figure out how to make this work.

We are not sure it is a problem with the rule; we think it is more bringing these bodies together to do the education. NIH and CDC has put some stuff together and put it on the OCR website, but we are not sure that everybody has gone to the OCR website to find it and to work through that process. We think through some education and maybe bringing some of the national groups together as you are with testimony, we might be able to work out those issues and come out with a response to it.

We don't see a need to change the rule necessarily at this point in time. But there is some conflict with the common rule and with HIPAA that is creating problems for our members, especially institutions that have research done.

A third challenge that we have noticed is, you have also heard this business of associate agreements. Same issues you have already heard today: who is a business associate, who is not a business associate, with essentially the same background.

There is clearly some need for more clarification. I think it is a matter of time more than anything else to clarify some of these issues, take them through the process and determine how we can through some mechanism let the public have a better picture of who should be or should not be a business associate agreement, who should it be done with.

In answer to Dr. Harding's question, we are going to issue a practice brief on outsourcing, to talk about what you should be looking for in a contract, not the business associate portion, which is fairly easy, but the other risks that may be involved when you don't know whether something is going to be placed overseas or not. So I think again, it is a time issue, a little too early to begin with -- and we are hearing the same response as you are from the standpoint of what is or what is not.

State pre-emption is an issue that we continually hear about, and is under current to a number of others. The more stringent rule has taken some life that we did not expect. We never were happy with pre-emption, but it has brought us to a situation for our members where many of them are now caught between the state and the federal law, and caught between various agencies who want to take the time to interpret one or the other.

I put some bullets in the written testimony of what some of the major comments are. We had one state government tell an institution they wouldn't make a decision unless the institution paid them to make a decision on which was more stringent than another. I thought that was an interesting way to go about it.

We have some states that do have laws about who you can talk to and who you can release information to, that are in conflict with HIPAA. So when we see in the press that so and so did not release this information, it wasn't because of HIPAA, it was because of a state law. One of the things that we discovered is that in some places, people didn't know what the state laws were. Now they know what they are because the state laws have been brought up and emphasized, where they were not known in the past. So we have a number of those things, which this committee really can't deal with, since it is a Congressional issue. But I hope when we have a little more experience over the side, we can begin to narrow into what are the major issues with pre-emption, and perhaps makes some recommendations for Congressional action, because it is going to take action, as you have already heard, and we think that needs to be clarified so that the Congress can understand what they should change or not change. I say that with the fact that we have always gone with a privacy ceiling, not the privacy floor that we have with HIPAA.

We have had some concerns raised that we have not addressed, all the conflict between HIPAA, federal rules and state rules. This seems to occur in behavior health. I don't know if we are going to spend a lot of time with behavior health at this hearing, but I think it is something that we would like to recommend to you, behavior health, substance abuse, drug and alcohol rules as they apply to the states and as they apply to HIPAA. There seems to be some confusion there, and a lot of conflict, but we weren't able to get enough input to give you anything better at this time, and this is an area we are going to work on. Anything I could give you would be anecdotal.

The release of information to family and friends I have already touched on. It seems to be related to either not understanding HIPAA, which we are working to help fix, I think, and secondly, because there are some state laws that spell out who can and cannot receive information in a family line.

Now that we are advertising what HIPAA is, a lot of people are walking in and saying, I know my HIPAA rule, you've got to tell me. Well, the state law says otherwise, and we get into some issues in that direction.

The same area occurs slightly for individuals. You already heard this from a couple of speakers today. Section 624 calls for a patient to be able to request a release of information, essentially, to themselves or through their attorney or to a third party. It says that the institution or the organization can request that in writing, which has been pretty much the practice for years.

It doesn't say what has to be in writing. So most organizations have gone over to Section 508, which is authorizations, and taken the language in Section 508. There are some little weird things in 508 that don't apply when it is an individual asking for their own information. We think that -- and we would like to propose in writing to you offline, taking a look at changing -- either make 508 optional when it is the individual requesting the information for themselves, or perhaps putting a little more meat into 524 that says, if you are going to require it in writing, this is the standard that you ought to use to get information when the individual is requesting it themselves.

I have seen some organizations do a real nice job in working through that process; I have seen some really weird authorizations, where the patient is promising not to disclose any information. This doesn't make any sense. So that is the second area we think you could change.

There have been a number of problems with court orders and subpoenas. Again, back to the state HIPAA process. I have worked on a couple of programs with the ABA. In many cases, non-health care lawyers don't know HIPAA. Our members are reporting to us, what they are essentially doing is sending them copies of the law, and letting them know what the HIPAA law is and what they have to do, and why the subpoena doesn't fit or how the court order works. But that conflict currently exists.

One of the things that is similar to that is law enforcement. You are I believe going to deal with law enforcement in the next set of hearings. The same issue; in some states there are more restrictions as to what law enforcement can receive than in others, but we now have law enforcement officers waving HIPAA, whereas the hospital attorney has to say no, I am still subject to the laws of the state of California or wherever it may be.

Directory requirements were another one that was an issue, not so much the ones you heard initially, but we do have some places that use non-chaplains to do patient visitation. There is a question of whether there would be a way to look at how we define chaplain to cover those religions that don't use ordained ministers to do that.

A second question that has come up is, if a patient does elect not to be on the directory, does that mean the institution has to return mail, flowers and other things that get sent to the institution. We have sent that as a frequently asked question, but apparently it happens more times than not. That patient may not want to let anyone know they are in the institution, but their family tells everybody else they are in the institution. They get these things delivered to the hospital, and they are starting to accumulate a lot of rotten flowers.

Two final things. One is clear rules and authoritative answers. We have discovered a situation, which essentially you have heard today as well. The rule is not that big, but it is in different pieces and sections, and a lot of people haven't been able to put the puzzle together.

The frequently asked question section has been wonderful. I think OCR needs to be congratulated. They have done a tremendous amount of good work in the last year with hardly any budget. But what we hear people asking for is, could we eventually write HIPAA so it could be understood by the public, and not the chapter and verse that we have in the law; could someone of authority translate this into English.

We thought as an association, we were an authority, and we have had several people say, if it doesn't have Tommy Thompson's signature on it, it is no good, because you are just one more person that has got your interpretation of HIPAA. The other guy said he knew HIPAA too, and he told me 180 degrees. But some type of public document that could have the Department's imprimatur on there if you will to say this is the rule, so that we can get beyond all the experts that are not experts.

Finally, one that has just come up this fall. I call it the freelance care option. Health fairs, flu shots, cholesterol checks, the whole thing. All of a sudden this fall we started these programs, and people were saying, do I need a notice? Whose notice? If I have got three hospitals conducting a health fair, whose notice do I use? Maybe we should destroy the information on who we gave the flu shots to, then we wouldn't have to give a notice.

I don't think we thought about this one. Again, we have sent that forward as a frequently asked question, but it is a situation where we have a community good, folks have come together to provide care and help the community -- maybe John has got the answer.

DR. HOUSTON: No, no. I know one thing. It is compounded by the fact, at least in the state of Pennsylvania, if a lab test is done, we are required to keep and track that lab test for some period of time, so you don't even have an opportunity to simply do the test and discard it. You actually have to track, which I think compounds that whole issue. So you just can't simply throw it away and say HIPAA doesn't apply, because we still have the report that we have to manage, too.

MR. RODE: That concludes my testimony. I won't ask for my time back.

DR. ROTHSTEIN: We can give you an extra 15 seconds. Thank you, Dan. Donna?

MS. MAASSEN: Thank you very much. I'm Donna Maassen. I am the HIPAA compliance manager and the privacy officer for Extended Care Health Services. We own almost 200 nursing homes and assisted living facilities nationwide.

I am here representing the American Health Care Association and the National Centers for Assisted Living, NCAL. So because I am a provider representing an organization, I am not a staff member of AHCA's team, I do have a written statement, and I want to stick to that, so I apologize if I am reading too much, but I want to make sure I am representing the AHCA organization as opposed to the extended care side of provider business.

AHCA and NCAL represent almost 16,000 nursing homes nationwide and assisted living facilities. We provide care for 1.5 million residents on a daily basis, and we are very appreciative to have an opportunity to speak to the subcommittee today, specifically on HIPAA, a very important issue to all of us.

One of the areas that we want to talk about is best practices. The question is, what is best practice for implementation of the privacy rule in long term care. AHCA has been keenly aware of the importance of HIPAA, and it played an important role in an entity that we created called HIPAA Long Term Care Consortium.

Back in March of 2001, a group of long term care providers got together. The purpose for the meeting was to decide, could we collaborate to implement the privacy rule, or are there are ways to make it easier for us to implement. We decided after a day and half of meetings that yes, indeed, there were a lot of ways and things that we could do together to collaborate. So we formed the HIPAA Long Term Care Consortium.

Since that time, we have met on a quarterly basis for two years now. We have monthly conference calls, and we have established many subcommittees specific to privacy. We have a policy procedure subcommittee, a training subcommittee, business associates, group health plans, therapy services, transaction standards and code set subcommittee, as well as our security subcommittee.

Throughout the process, each subcommittee developed tools relating to our own particular subject matter. Each tool that we created was placed on the AHCA website, and is now available to all AHCA and NCAL members at no cost.

What does that mean? That means that in every long term care facility, they have a HIPAA policy and procedure manual, sample forms, a sample notice of privacy practices. We also created a model business associate contract, a decision tree to help them decide who is a business associate, whether or not they need a business associate contract or an addendum to their current contract. We also created a business associate and family brochure to try to help educate our consumers about the HIPAA privacy rule. It is very confusing, as we have all talked about today.

We also produced a video for privacy training that is specific to the long term care industry. That video can be purchased through AHCA. We think that was a very collaborative effort to help our long term care industry.

I have a binder that I brought today that, if you are interested, has all of these policy and procedure and sample tools that we created that are on AHCA's website. I will leave it for the subcommittee, if you want to take a look at it.

Thanks to the members of the Long Term Care Consortium, the nation was able to work together to define best practice for long term care. We know that the regulation requires a lot of discussion and interpretation, and we spent many hours analyzing and discussing and debating what the privacy rule meant, and how were we going to implement the privacy rule within the structure of our specific business model, that is, caring for long term care patients, not in the hospital setting, not in the physician practice setting.

I think it is important right now to just step back and talk about best practice, and why we think it is important to define best practice by industry or by profession.

As we adopted or identified best practice within our organization, we always had to go back to our core values, providing good high quality care for our residents, and providing a home-like environment for our residents. We all want to provide good high quality care, but a home-like environment is very different in a long term care setting than it would be for a pharmacy provider.

The HIPAA rule is written the same, no matter what kind of provider you are. We simply could not implement a requirement of the privacy rule without first looking at our facility operation. I want to give you an example. For instance, what is the best practice for disclosing protected health information as it relates to the birth date of one of our residents? Clearly the date of birth of a resident in a nursing home is protected health information. But in nursing homes, we routinely publish newsletters that recognize the birthdays of any given month. We have birthday boards that display the birthdays, so everyone can remember and acknowledge a resident on their birthday. So is that an appropriate disclosure? Are we out of compliance with HIPAA? Are we going to stop this process? We didn't think we could.

Again, looking back at our core values, one of them is a home-like environment. We treat our residents as family, and as a family, we believe it is important to recognize you on your birthday. It is also important to recognize you on Mother's Day and Father's Day and Veterans Day. These are all things that are considered protected health information.

So how do we implement the privacy standards and continue to meet the core value of our organization? What we decided as a best practice in our organization was to explain this disclosure as health care operation within the long term care setting. So we put language in our notice of privacy practices, and I quote, we may disclose general information about age, birth date and general information about you in the facilities newsletter and activities calendars, and to entities in the community that wish to acknowledge your birthday or commemorate your achievements on some special occasions.

Again, it is just an example of why we think the privacy rule really needs to have industry specific settings and information. This type of information is part of our health care operation, but clearly would have no value to a pharmacy provider and wouldn't be in their notice.

I want to segue now to talking about some of the barriers to compliance. One of the barriers that we felt we have had difficulty with is limited direction from the Office for Civil Rights. We recognize that the Office for Civil Rights has a lot on their plate, and they have very limited staff. But we feel that in the long term care community, our regulations are state and federal, and they conflict in many ways.

The participation requirements that govern how we operate in long term care are based on the Omnibus Budget Reconciliation Act of 1987. This is a standard that we operate under and are surveyed under by CMS. OBRA and HIPAA conflict in many ways. HIPAA speaks to pre-emption and the conflict between state and federal rules, but it really doesn't speak to the conflict between federal and federal rules, other than in the preamble. There is nothing in the rule itself.

We know as an industry that the regulatory process to comply with OBRA is comprehensive and thorough. We are surveyed annually, and any instances of non-compliance can result in termination from Medicare and Medicaid. We have very little experience with what the HIPAA compliance process is going to be, so as we go through and determine which federal rule we are going to comply with when there is a conflict, we lean towards OBRA, because we know there are serious enforcement actions that will be applied immediately through that process.

I want to give you a couple of examples of the conflicts between OBRA and HIPAA. OBRA requires that survey results, that we call the 2567, must be made available to all residents. However, the CMS guidance that we have relating to this issue states that the survey results must be posted, which makes this information available to residents and to anyone coming into our nursing home. Survey findings document extensive PHI. Although residents' names are not identified, there is significant PHI, and the information is identifiable.

An example from a recent 2567 from one of my facilities, and I quote, resident number seven was admitted to the facility on 3/8/99 with diagnosis of cerebral vascular accident, depression and epilepsy. The document further discusses the resident's smoking habits and other identifying and personal characteristics. It would be very easy to identify who this patient is from this supposed de-identified information. So how do we comply with HIPAA? Do we comply with HIPAA and not post the survey? If we don't post the survey, we are in direct noncompliance with the OBRA rule. We know if we don't post the survey, we will get a citation on our survey under OBRA.

We had an opportunity back in March of 2003 to meet with OCR to ask them some of these questions: how do we resolve the conflict between OBRA and HIPAA. OCR committed to us that they would go back and meet with CMS, that they would work with them and try to come up with some guidance on how to move forward. As of today, we have received limited and conflicting guidance from CMS, and we have not received any feedback yet from OCR.

Again, we recognize that OCR has very limited resources, but we feel strongly that in order for us to implement all of the requirements of the privacy rule, that it is important for us to have a liaison for each major type of health care provider out of OCR.

AHCA and NCAL offered and will continue to offer our services in this area. Because of the Long Term Care Consortium, we have many individuals knowledgeable about HIPAA, and would welcome the opportunity to partner with OCR and CMS to define best practices and try to reduce the barriers to implementing privacy and the upcoming security rule.

One last example I would like to share with you happened two weeks ago. The situation again relates to our over survey process. As I indicated, we are required to participate in an annual survey conducted by CMS. During the survey process, the surveyors can access any and all PHI that they feel appropriate during the survey process.

In the consortium, we have debated for months and months and months, is the survey process health care operation or is it health care oversight. You can debate both sides equally well and come up with any opinion you want, and I guarantee you will find an attorney on both sides to give you the same answer that you would like as well.

During the CMS roundtable conference calls, OCR has come out with the position that it is health care oversight, and it is therefore a trackable disclosure. Well, we don't see anything on OCR's FAQs that would say that same thing, but they have in two different CMS roundtables made that position.

The most recent CMS FAQ that came out, specifically 2448, CMS says that the state survey falls under the definition of health care operation. Specifically it says health care operation can include conducting accreditation, certification, licensing or credentialling activities. Therefore, under the HIPAA privacy rule, a covered entity is expressly permitted to disclose patient records to state survey agencies for survey and certification activities. Nursing homes are therefore not legally obligated by HIPAA to account for the PHI used and disclosed in the survey.

The position of the Long Term Care Consortium is that we would agree completely with CMS, that it is a health care function, we have to comply, and therefore it would not be trackable. But here we have two branches of the Department of Health and Human Services giving us clearly opposite positions. We are in a position now where we are really not sure which way to go. We would like to go with the CMS position. They understand the survey process, but they don't have the enforcement opportunity under privacy. OCR has the position of enforcement, but really doesn't understand a lot about the long term care industry and specifically the state survey process. So right now, there is conflict between the two and even among the consortium conflict as to where we are going to proceed.

I just want to take one more second and elaborate on the pre-emption. I talked about the issue between the two federal rules, but it deserves some time to talk about the state pre-emption. ACHA is partnering with many other health care provider organizations, and we spent almost a million dollars to have a state pre-emption analysis completed on our behalf. And now, today, after spending a million dollars, we still do not have a clear picture of what the state laws really say. We feel that if it is so important, it really should be at a national level, not at a covered entity level, asking individual covered entities to determine the variations in state law.

Obviously we have all been operating under our own state laws. We are comfortable that we are interpreting them properly, but because of the diverse nature of health care providers, it becomes very difficult. We would ask that that be looked at again from the national perspective.

In closing, I just want to make one final comment. We all agree that the privacy rule has heightened the protection of health information in our industry. We think adding minimum necessary and rule based access and safeguarding to PHI was a very good thing for us. We feel that we have protected the information of our residents historically. We will continue to do that in long term care. We do think HIPAA and the privacy rule is a good thing, and we will continue to make sure that the privacy of the residents in our nursing homes is protected on a daily basis.

DR. ROTHSTEIN: Thank you. Any questions of clarification? Then we will go to Mr. Dombi.

MR. DOMBI: Thank you, Mr. Chairman. My name is Bill Dombi. I am Vice President for Law with the National Association for Home Care. Our membership is a diverse group of home health and hospice providers across the country, ranging from billion dollar operations down to small mom and pop farmhouse located home health agencies, where they may have a staff of one and a half people to serve the community that they serve. Hospice similarly, with some patient census of five to ten patients in a calendar year; that is how small some of them are, but as big as the large chain home health operations that have a billion dollars of services, 300-plus offices across the country.

That diverse population of constituents, we chose a path when HIPAA first came out of privacy regulation, of trying to teach them one lesson in the early stages, and that was that HIPAA was spelled with one P rather than two.

The reason we chose that was because over the last several years, particularly the home health side of health care has been deluged with change. They have undergone serious changes in Medicare program reimbursement, going from cost reimbursement to something known as the interim payment system, now into the prospective payment system. These are providers of services who were having difficulty getting claims out the door, getting cash in so they could pay staff, and just keep their heads above water.

From 1997 until 2003, Medicare certified home health agencies dropped from 10,400 to under 7,000. It was a dramatic time in the history of home care. When HIPAA came along, they said, when is the compliance date? So they said, get it done the weekend before. But we pushed them hard, and we pushed them with good information. I think we took on the role of a trade association, providing them with tools and education to bring about compliance.

As other speakers here have said today, I think I can assure you that the home care agency is 100 percent compliant in their belief of compliance. In terms of their actual compliance, my own personal experience is with physicians who believe they are in compliance; I just get into the doctor's offices and I leave without talking HIPAA, because I know I can create more problems for myself than I want.

But those other priorities have gotten in the way. When all that was happening, OCR and HHS and the Administration came along and they said, we are going to add some flexibility, we are going to add some reason, we are going to add some practicality to the way HIPAA is going to be implemented.

I have filed lawsuits against the Medicare and Medicaid programs, against health insurance plans and managed care organizations. I have looked at state and federal regulations over the years. So I am a cynic when it comes to regulations and how they can be interpreted and how they can be applied by administrative agencies. I'd have to say, this is one of the best jobs I have seen an administrative agency do.

Where we stand today is a natural and foreseeable effect. We are seeing an evolution into clarity, an evolution into practicality, an evolution into support, that we had not seen in other administrative agency efforts in my 25 years of practice. The Office for Civil Rights definitely deserves commendation, as well as HHS generally and the Administration overall for that.

As complicated a rule that this is, we still see a high degree of compliance. I think phase one is what we really look at here with this rule, from the home care and hospice perspective, was awareness; are the providers of services aware of their responsibility for privacy and confidentiality. They all claimed that they were beforehand, but this rule has brought a greater awareness.

Simple things go on in home care that you wouldn't necessarily see in other health care fields. The nurse goes into Mabel's home, and the first thing Mabel asks is, how is Mary up the street doing? Their community of contact is their neighbors, other patients of that home care agency. The agency is now aware that is not an allowable communication, to talk about, what were Mary's test results, and how is she doing with her ambulation exercises, unless there is authorization. Mary is probably not going to give authorization to nosy neighbor Mabel in that way.

But it ranges to other questions. We park our car in the driveway of our patient's home, and it has the name of the home care agency on the side. Can we do that? That is the level of awareness that they had, they were asking questions like that. We now advise them, hopefully correctly, that they can park the care in the driveway with the name of the home health agency on the side of the car. They don't have to park down the street and wear a hood over their head as they go to the patient's home.

But other kinds of things go on in home care where the awareness was increased. Nurses, therapists, even home care aides typically bring home records for the patient they are going to see the next day. Preparing to provide quality care, they are reviewing the records, as their spouse or significant other or neighbor is looking over their shoulder.

There was an incident that occurred in home care that we used to publicize the need for caution there. That was a home care agency I believe in Colorado, where a nurse brought the record home, and her live-in boyfriend looked over the shoulder and saw an identity that he recognized. It was the son of his former live-in girlfriend, who had gotten a temporary restraining order to prevent the abuse that was ongoing in that household relationship. She had escaped him, hidden from him, and now he knew where she was. He ended up, yes, going to that home and got arrested. The nurse has been fired, and it gave us a great lesson in home care, on why we have different kinds of issues of privacy and confidentiality than you might see elsewhere. So absolutely, HIPAA has brought about increased awareness in terms of privacy and confidentiality responsibilities.

At the same time, we have had to work on a balance. One of the primary components of home care services are family provided care. When we look strictly at the HIPAA rule, you have a standard for disclosing information to family members. As they did in the nursing home, we took an approach of saying, family members are directly involved in health care treatment. We are going to have disclosures available to them without having to have the opt-out opportunities, without having to put restrictions on it, because they are directly involved in treatment, as compared to the son who lives in another state, who might call in every now and then just to find out how things are going in that life. So some practical kinds of responses.

On to some of the concerns. I did an informal survey of our membership recently. I posed ten questions to try to pinpoint what I should be testifying to today. Every single one of the respondents came back with the same thing in one area: business associate agreements, who gets them, why do we have them at times, and how can we ever end up with one business associate agreement format rather than competing formats.

If the business associate is a hospital, the hospital attorneys say we have to have this agreement and this agreement only. If it is a financial management consulting firm, they are saying the same thing. If it is a staffing company or whatever, they are all wanting their agreement to be the agreement. So there is the provider of services caught in who and how the agreement, too.

The model was very helpful, but I don't think anybody uses only the model. There is room for tailoring, but some limitation in terms of that. We would recommend as I did in my written testimony that OCR also create some expedited process for answering what we think should be a very simple question: who is a business associate. We are finding, as did the other parties who testified earlier, that some entities consider themselves business associates when they are truly not business associates. Consider that treatment exemption from the business associate agreement really doesn't apply in the communications that they will have with other health care providers, so they need a business associate agreement. I know my brethren and sisters in the law would love to do contracts over and over again, but the health care providers certainly don't want that.

The other response that they gave to concerns raised, I asked the question, are communications with other health care providers improved or weakened as a result of the HIPAA privacy rules. Invariably, they said weakened. The reason for that is a combination of misunderstanding, where a provider believed that it could not under HIPAA release information. A lot of that is now going away.

At the same time, I would have to say, we found health care providers who are using HIPAA as a way to create a restraint on competition. This health care provider had its favored referral site, and was letting one in but not the other one in, and claiming HIPAA was the reason why they couldn't do that.

One by one, I think we are knocking those down. I think is the evolution that I see here with the HIPAA regulations. We are going to see improvement on that, but the interagency communications could use some clarification from OCR as well. I would suggest that the clarifications not just simply be electronic on their website. We find that not everyone in the health care provider world has access to the website. Not everyone within the health care provider is allowed access to the website. Mine is on all the time. I look at the frequently asked questions on that site constantly, but I know that other health care providers don't necessarily do that. So some sort of simple in-writing communication to them, saying it is okay for the hospital discharge planner to talk to the home health agency admission planner, so they can facilitate the transfer of this patient to the home. They don't need to come with an armed guard, carrying a signed patient agreement that they have been admitted into care, which we have seen -- not the armed guard part -- we have seen demands placed on the home care providers.

Next point. I will use my mother-in-law as an example of this. We just recently moved her into our home, so I don't think we will have this issue again. She was recently a home care patient. We were at her house. We said, who is your home care agency? She said, I don't know. That was the beginning of my own awareness of how much is given to the home care patient on admission, and how much of it ends up getting filtered into real understanding.

A home health patient under Medicare typically goes through a two to two and a half hour admission visit, during which they are deluged with paper, such as the patient's bill of rights, patient admission agreement, discussions about advanced directives, and now the notice of privacy practices.

My mother-in-law, to find out who the agency serving her was, she had to reach down, lift off the TV Guide, which is the first document in her pile of papers, then the local newspaper, then eventually find all of these papers. I don't have a real strong solid idea of how this can be resolved, but something needs to be done for the patients, to get them to get a better understanding of their own awareness of their rights under HIPAA, because right now, it is falling from this paper load.

Dan mentioned in terms of paper load, the idea of flu vaccines and clinics, wellness clinics and the like. We asked OCR early on -- it has now been well over a year, we asked OCR for a statement on whether the notice of privacy practices have to be used for flu vaccines. Home health agencies provide hundreds of thousands of flu vaccines every year.

Not getting an answer, we have advised, given notice of privacy practices, use a roster of acknowledgement on notice of privacy practices. But that whole process takes longer than the flu vaccine does. So if there is a way to economize on that, we would certainly appreciate it.

Last point. I know this is not too much within your authority, but the home health agencies and hospices rely on two payment sources, Medicare and Medicaid. That does not mean that other providers who have other payment sources are in better financial shape. For example, for home health agencies right now, 36 percent of the home health agencies, Medicare reimbursement is less than their cost of delivery of care. We would like to see OCR and HHS internally coordinate on the issues of compliance costs with the various HIPAA requirements, so that we can see some foundation for discussions on adjustments in rates to accommodate what is clearly a new cost for home care providers and hospice providers.

We recognize there is a need to do this. We recognize the value in that. As I said earlier, the awareness of privacy is crucial here. So we would like to see the home care agencies continue in operation to deliver the services while passing out their notice of privacy practices.

Thank you for the opportunity to testify here. I want to finish with one last point. I have a trademark in my litigation. Pretty much every brief I ever file, whether it is with the federal court, district court or the U.S. Supreme Court, has a typo in it. My testimony that I submitted, while I was on jury duty yesterday, had a typo on page two that I would like to correct for the record. In the paragraph under business associate agreements, it states, with near anonymity, home care and hospice community states that there was a serious need to address standards regarding business associate agreements. It is supposed to say, with near unanimity. Anonymity is not quite what they are looking for here, but it is unanimity.

I have left copies of fresh testimony, and will supply it to staff in electronic form as well. My apologies for that.

DR. ROTHSTEIN: Thank you. That saved us our first question. Any clarifying questions for Mr. Dombi? If not, the floor is open for general questions and discussion for the panel. I want to thank you all for the testimony.

DR. HOUSTON: I'll make an interesting comment by my grandmother, being in a nursing home. She was quite upset when she was put on the birthday board. She let me know it four times in the four different times I went to visit her.

MS. MAASSEN: Not everyone likes the birthday board.

DR. HOUSTON: Not everyone likes the birthday board. She was quite adamant that she didn't want people to know her birthday or her age. I think she just felt very uncomfortable with that practice. So a little personal anecdotal evidence.

MS. MAASSEN: HIPAA gives you the right to restrict. That is what we do with every one of our nursing homes. If they don't want to be on the birthday board, they don't have to be. We have the right to restrict, and we would obviously remove them immediately from any birthday board or newsletter.

DR. HOUSTON: I just thought it was interesting anecdotal evidence. As soon as you said that, I said, oh gee.

DR. ROTHSTEIN: I was going to follow up on the birthday board question. It seems to me the birthday board is very similar to the clergy situation. What we probably ought to do is get some sort of clarification or guidance that would resolve that issue, at least for the limited group of providers that you are talking about.

It seems to me the solution is not to put it -- this is just my opinion -- in the notice, but a more desirable situation would be to handle it the way we do with clergy visits; just assume that it is okay and give them an opt-out. But you couldn't do that.

MS. MAASSEN: We can't now. The definition of directory information is condition, name, location. You can give that to clergy, but there is nothing about the birth date.

DR. ROTHSTEIN: No, I understand that. But what I am saying is, that kind of analysis and guidance from OCR would help with that and maybe other things as well. If you can think of other situations like that and send them to us -- Dan?

MR. RODE: The guidance would be very helpful for all of these situations, but we need to get the guidance in some order. I went to the page the other day, but I didn't get to count the number of frequently asked questions. I have been trying to in my head figure out how I can put the rule up on a web page and then have a link to the particular frequently asked question that goes with each part of the rule.

We are adding to the amount of documentation or print or whatever about the rule, but we are not necessarily getting to the clarification that I think we all want to have, and that we are working hard to do. That is why I think at some point in time we have got to come up with some type of a document that could take the subheadings of the rule and go through it and add the questions to a simple statement of the rule itself, instead of the rule as it currently is.

The OCR did a nice job of taking the original rule in the August 2002 update, and they put the two together. It says unofficial when you go to it, but at least you get everything in one place, sort of. Those of you who know, it says in Section 504, then you go to Section 516, and you figure out in 516 if it goes over to here.

When you get to a mom and pop shop, small physician office that doesn't necessarily want to go out and hire an attorney, even some other types of providers, it would be nice to have something that essentially says, this is what the rule is in English, this is what the requirements are and, oh, by the way, here are some frequently asked questions that we have related to this that maybe aren't that clear. But the questions come up, we have come up with an answer, and it is official.

People like us who represent associations can then say, here is the answer, but if you want the official answer, here is where you can get it, whether it is on a website or some other way to do it if you can't get to a website. So there is an answer. Right now, there isn't an answer, and all this good work that is being done is -- if we go for another year, how many frequently asked questions can we possibly fit on the site. We need something to help clarify this for folks.

We try to do that as associations, but we are not the expert, and no attorney would hang their hat on anything we said at that point. They want it from the agency.

DR. ROTHSTEIN: One of the things that this committee recommended quite awhile ago was that the website of OCR be much more focused than it currently is. So you would be able to click on nursing homes and have under that a list of all the FAQs and guidance documents of particular relevance to your industry, or you could click on dentist, or whatever. They would be broken down by a variety of ways.

You could also click on your home state. You can click on Pennsylvania and hear the key problems that might come up there. We are hoping that eventually that will happen, but that is not in our hands.

I interrupted Mr. Houston. John?

DR. HOUSTON: No, that's fine. I had another question, but I can't remember what it is, so why don't you guys go forward.

DR. ROTHSTEIN: Okay. Dr. Harding.

DR. HARDING: I think, Miss Maassen, you and Dan said a couple of things that were very interesting. It was around the issue of when there are two competing issues, both of whom have different authorities, who is the final arbiter, or something like that.

I remember five years ago, we were talking about pre-emption and so forth in this committee before the rules came out. I remember somebody saying that if state laws were more stringent, then they should override the federal law. I remember Bob Gelman saying, as determined by.

So who do you look to? Maybe that is something that this group could talk about, too, but who do you look to when you have a conflict of federal law, CMS and OCR? What is the process in your mind?

MS. MAASSEN: For us, we did have an opportunity to go meet with OCR. We were able to say to them, you as the enforcer of HIPAA need to help us with this conflict that we are having with OBRA, and please, could you talk to CMS, since you are both kind of in the same organization, and see if you could maybe possibly help us out.

I think OCR has come out with a statement, obviously on the conference calls when the question was asked, and CMS has taken it to the next step, and they have answered the question, but they haven't answered it in the same way. So we are still in the middle, saying, golly, what are we supposed to do?

I think we go to OCR because they are the enforcer, and ask them to provide us with guidance, because they are the enforcer of HIPAA, which is the rule that is going to get us --

DR. HARDING: But that doesn't quite do it. Can staff help us? Who is the final arbiter there?

MR. RODE: I'm going to say the court. In many cases it will end there. But we haven't had enough experience yet for anybody to -- maybe fortunately or unfortunately, I'm not sure which -- go to court.

We don't want it to go to court. We think there ought to be a way to resolve some of this. Obviously in this example, one would think somewhere in HHS there is an arbitrator within the Department.

When you get to a state-federal law, that gets a little tricker, because then you can have -- the question of more stringent becomes, more stringent in whose opinion. Until this floor can be raised to a ceiling, we are going to eventually see some of these probably end up in the courts.

Fortunately, it has not gone that far quite yet, but somebody is going to push the envelope at some point. I think what we can do six months from now or a year from now to answer that question is have a little better idea of where the problems consistently are coming up.

Right now, it is still too anecdotal to say this is just the problem or pre-emption, and all we have to do is go correct it. We have got to have a little more experience yet. But if we don't, then I think somebody will push it. Some federal agency or state agency is going to push it at some point.

MR. DOMBI: Dr. Harding, what we have recommended to our membership is to look to see who carries the biggest stick. If it is a Medicare condition of participation, as Donna was referring to with OBRA, that is the biggest stick out there. it can result in immediate jeopardy of termination or some other termination of the provider agreement, and there is no due process rights until after the termination takes effect.

So we would prefer facing OCR and arguing we acted in good faith, rather than facing CMS with a hearing after you have been terminated.

MS. MAASSEN: That is the position that we have taken on this particular issue. We are following the CMS guidance, because we know that they will be in our facilities every year to check on us. If we don't have it, we are out of compliance, and we can't afford that.

DR. HARDING: I understand.

DR. ROTHSTEIN: Thank you. Other questions? Did you remember what you wanted to ask?

DR. HOUSTON: Dan, I asked these questions this morning regarding whether there had really been much in terms of requests for accounting disclosures. Do you have much information back from your membership regarding --

MR. RODE: I did some followup on that question. There have been very few requests for accounting that anyone that I talked to knew of. That is part of the point. We are asking for a tremendous amount of accounting to take place.

What our members told us was this. If you take the information that currently is covered by TPO, and you put it aside, and you took the information, and you took the information that you are required to release by law and put that aside as we are suggesting, we are probably talking less than five percent of all patients who are ever going to ask for an accounting.

DR. HOUSTON: I don't think it is five.

MR. RODE: I'm not sure, but I am giving you a bigger number than one. That are going to ask for an accounting, but what we have got is a tremendously expensive process that has to be put together, because we are literally trying to track paper documents. I suggested offhand six months ago, just build an Excel spreadsheet. That should be simple enough to do. I was able to sit down with a small group in October who told me why they couldn't record it.

There have been some groups that have done to OCR, the State of New York being one of them. If I remember correctly, they have 38 separate reporting requirements in the state of New York that could hit a facility. If you are a health plan or a large hospital system in the state of New York, a patient can be seen in multiple different locations, could be seeing maybe a social worker who makes one report and puts it in the social worker notes. It may be a behaviorist. It could be the lab, which probably will make it to the medical record.

But our system is disjointed right now, because we are not a large electronic system. There are too many different agencies that are requesting the information, and too many different parts of the health care system that can respond, when we already know for that set of documents that by law, we are required to respond, and no one has ever said that we are not responding.

So if we tell the patient that by law, these are the agencies, if you have one of the following things we are going to report it as we are required to by law, we think that ought to be enough to satisfy the fact that we have given them enough front notice that we are going to report.

We don't have any objection to the fact that there are other reasons that aren't covered by what is already in the rule. Just like the authorization process, they ought to be recorded in the court.

DR. ROTHSTEIN: Further questions?

DR. HOUSTON: I just want to ask one other question. Again, generally, the level of issues otherwise that you have heard, other than accountings and in terms of complaints. The privacy officer is also the head of medical records in many cases. Are you hearing much in terms of patient complaints or privacy issues?

MR. RODE: I have not heard patient complaints. I have heard attorney complaints. It gets back to the authorization question of, do we use Section 508 to write an authorization, when all the patient is trying to do is, please release a copy of my record to my attorney. It just doesn't fit.

What I didn't mention, the other complaint, and I get it more from attorneys than our members, but our members are caught in the middle, are whose authorization form. I call it the battle of the attorneys. The attorneys will come with a correctly completed 508, only to have the medical record department have to tell them at the direction of their counsel that they will not accept an authorization form unless it is filled out in their hospital's authorization format that they have come up. So we have two of them, and I have had to say, go fight it out.

We have nothing in the rule that says that you have to accept a complete 508. I would suggest to the committee that since under HIPAA, in other parts of the HIPAA law, if you have a completed 837, for instance, you are required under HIPAA to accept it if you are a health plan. Maybe you would want to consider at some point in time that if you do have an authorization that is complete under Section 508, it should be accepted by the party who it is delivered to, unless it has some other violation. But I can't resolve it when two attorneys go at each other and want to know whose form is more correct.

DR. HOUSTON: The other thing too regarding court orders and subpoenas, I know that has been an issue that we deal with. Even though we are in one state, there are many counties, and often the counties control the form of court orders.

MR. RODE: Subpoenas and court orders have been an issue as long as we have had release of information. So that part of it is not new. What is new is that we have now added to it, and the pre-emption issue occasionally is coming up.

What our members are telling us, and why I don't think you should jump on this immediately, is the fact that a lot of these court orders and subpoenas are being initiated by attorneys who have had no contact with HIPAA, are not aware of the law.

What is happening that is a pain in the neck is that you then have to reject the subpoena, which our members generally are trained to do, and inform them of how it should be done correctly. Literally, most of them have told me, in the consent sections of copies of 508 -- I think they are keeping them in the drawer now --

DR. HOUSTON: So it is helpful, in a way.

MR. RODE: It should go away, except for -- until we get with pre-emption, there are always going to be some problems.

MS. MAASSEN: I would just say, from our own personal experience, in our organization we have 200 nursing homes. All the authorizations, subpoenas, court orders come from our corporate office. That is exactly what I have done. I have Section 508, I have my own checklist. I go through it, I highlight for the attorneys what is missing. I send it back with a letter saying thank you very much, nice try, but here is what is missing, here is the checklist, and here is our authorization, if you would like to use it instead. It is not because we want ours over theirs; it is just that you didn't get all the components that were required, and it is easier for us to tell them what is missing, give them ours, and give them a second chance at sending it back to us, versus at the beginning when we just said, sorry, you're not compliant. We just got lots of nasty phone calls from attorneys.

MR. DOMBI: Maybe OCR can set up a continuing legal education thing where the attorneys can get credit.

DR. HOUSTON: That is not a joke. It would be great if OCR put stuff together like that.

DR. ROTHSTEIN: We have already recommended that.

DR. HOUSTON: That would be fantastic.

MR. FANNING: The attorneys who advise OCR have spoken at American Bar Association events, for example.

MR. RODE: I have been to those events. It is not where the personal injury lawyers go.

DR. ROTHSTEIN: Seriously, if you want to get to the practitioners, you need to do it at the local level. Not everyone travels to Tahiti or wherever the ABA conferences any given year.

Thank you very much, I appreciate it. Now we are ready to move to the public comment time. I'd like to ask Toby Levine to please come to the table. You don't need to stand. You can if you want. Thank you, and we are happy to hear from you.

MS. LEVINE: Thank you very much. My name is Toby Milgram Levine. I am a senior attorney at the Federal Trade Commission in the Division of Financial Practices. My remarks are my own, and do not necessarily represent the views of the Federal Trade Commission or individual commissioners, our standard disclaimer.

I want to thank the subcommittee for the opportunity to come today and bring to your attention information regarding the Federal Trade Commission's experience with developing financial privacy notices. I believe it is relevant to the notices that are required by HIPAA.

The Gramm-Leach-Wiley Act, which went into effect in July of 2001, requires financial institutions to protect privacy of consumers' financial information, provide consumers notices stating what information is collected, with whom it could be shared, and any rights that they may have under the act with regard to limiting information sharing, very similar to HIPAA. Eight federal agencies including the Federal Trade Commission are responsible for enforcing the act for the respective covered entities.

In December of 2001, the eight agencies coordinated a workshop entitled Getting Notice: Writing Effective Privacy Notices. The purpose of that workshop was to gather information on how to better communicate financial privacy to consumers and how to improve GLB notices, which many of you I'm sure have received and have had the same reaction as most consumers, which is that they are largely full of legalese, they are not consumer friendly.

Some surveys have found that on average, they were written on a second year college reading level. I don't know of any data on the reading level of HIPAA notices, but I would assume that they are very similar.

I brought for you today copies of a brochure that the Federal Trade Commission developed for businesses, highlighting some of the key points taken from that workshop, and the transcript and presentations are available on our website, with the link noted in the brochure.

With limited time today, I just wanted to mention a few of the key points. I think they apply equally well to HIPAA notices as they do to our own GLB notices.

First, we learned at the workshop that the notices must be written in plain language, and that is with a capital P and a capital L. It is a term of art, and understood by communication experts. It should be written by communication experts and not lawyers. While lawyers should review them for accuracy, they are not the best persons to know how to communicate with consumers.

Second, notices should be tested with real consumers to determine whether they are effective in communicating the information intended. Consumer testing can be critical in the development of effective notices.

We have now gone through at least three cycles of notices in GLB. While many have improved, too many are still too long, too complex and confusing. There are industry initiatives under way to design a short form notice, one that would be standardized in format and allow consumers to compare practices between institutions. Such short form notices would be much easier to read. They could either be layered on top of the full compliance notice or they would indicate that the full notice would be available upon request for consumers who want more information.

Staff of the eight GLB agencies have recently recommended to the agencies that we explore whether to engage in rulemaking to develop such a short form notice.

One final point. Notices standing alone cannot educate consumers about the information practices of institutions or about their rights. Consumer education really requires a much broader context, so that consumers know why they are getting these notices, what they mean, and why they should value the information that they are being given.

There is a very steep learning curve in this area of privacy, whether it is financial or HIPAA, and agencies, including my own, really do need to do more to educate consumers about the value of these notices and how to interpret them. We are continuing to develop more education for consumers, and also for businesses.

Frankly, sitting this afternoon and hearing the testimony that was provided, you could have slipped in the term GLB instead of HIPAA. In many, many, many cases we share the same challenges as you do.

DR. HOUSTON: Do you have business associates, too?

MS. LEVINE: We call them service providers.

DR. ROTHSTEIN: Thank you for that testimony. I do have a question for you. I don't know if you heard the testimony of Janlori Goldman. She sat in your seat.

MS. LEVINE: Yes, I did.

DR. ROTHSTEIN: She referred to the problem not of the content so much of the notice or the level, but the way it was presented, as apologetically, here is this paper you have got to sign, I'm sorry that we have to give it to you and all that sort of stuff.

Obviously, that is not best calculated for educating the individual and so forth. Have you had that same problem under GLB? And if so, how did you deal with that?

MS. LEVINE: I think in our experience, what happens is, consumers got these notices in the mail and they wondered, what is this, why am I getting it. In fact, when they read it, they were probably surprised more by the practices that were outlined in them, in terms of, I didn't know financial institutions could share information in these ways.

So rather than creating a sense of comfort about information practices, instead I think many consumers became very cynical and surprised and confused. For the same reason, we did no consumer education prior to consumers getting them in the mail. The notice was considered to be the education, and it can't be.

What we have learned from consumer experts, communication experts, is that you have got to layer the education over time, through a lot of different vehicles. As a result, what we have done on our website and through materials directed to consumers, tried to explain more about why they are getting the notices and how to understand them.

It is still very difficult, and because of resources we haven't done enough work in that area. But we are planning to do more. Each of the agencies has some information that they provide, particularly online, for consumers. But clearly, more needs to be done to explain what these notices are about, and put them in the proper context.

I don't have a good answer. I don't think we have accomplished that, either.

DR. ROTHSTEIN: We had a whole hearing on that issue, if you remember, it was in Baltimore, on the issue of consumer education and how to do that. It is a very difficult and expensive proposition.

MS. LEVINE: Well, the analogy that some experts have used is the seatbelt analogy, that it took many years of getting information out about seatbelts before consumers began to use them in increasing percentages. So I think it is going to take time, but I think a big step will be getting notices in such a format and form that consumers will be familiar with them when they get them. They will see them over and over again and as a result be more accustomed with their content.

We still don't have the terminology down, I think, in the way we are expressing these practices. They still sound fairly confusing to consumers. So if we are authorized by the agencies to go forward to do rulemaking, consumer testing will be a very important part of that process, so we can develop language that truly is meaningful to them.

DR. HOUSTON: I always look at the pharmaceutical companies as the pros. Their ads come out with somebody running through the meadow with music, and then just one word. That is just the start. Then they start layering, and they are darn good. But that again is in the expense category.

In our last subcommittee meeting a couple of weeks ago, we began talking about GLB, and we appreciate your being here, for your contribution as well as listening to what we are doing. We were talking about the fact that some of the forms that are used in banking, the 835 form or something, I can't even remember now the exact number, but some terminology, has a number of medical issues on it, or demographics on it. That could commingle our common interests a great deal and be a concern for HIPAA kinds of things.

Is there a group working on this, on the HIPAA issues in the GLB?

MS. LEVINE: There have been from time to time discussions between the two agencies on the interrelationship. I'm not aware of one currently going on, although often we at the Federal Trade Commission generally will defer if the HIPAA regulation is very specific about certain practices, and if it is more protective than what GLB provides, we defer to the HIPAA protections. To the extent that there are inconsistencies, I can't represent that we worked those out.

DR. ROTHSTEIN: Other questions?

MR. FANNING: I just have a bibliographic item. The HHS Data Council privacy subcommittee website now has a brief section devoted to communications about privacy. It includes a link to the workshop that Toby's organization had, and some other good references. That can be reached by going to the NCVHS website and clicking on the Data Council link.

DR. ROTHSTEIN: Thank you. That concludes our hearings for today.

I want to take a minute to talk about our February hearings, which are the next time we will meet after tomorrow. On our schedule that we discussed, there are very few dates that are available, so we have chosen February 18 and 19, so Wednesday and Thursday that everyone is free. So please reserve those dates, the 18th and 19th.

Tomorrow, we have some time on the agenda at 11:30, and we will be discussing the actual substance of the areas that we want to go into on those two dates. So we are basically moving the hearings that were originally scheduled for the 3rd and 4th of February to the 18th and 19th.

DR. HOUSTON: Do they have a location?

DR. ROTHSTEIN: They will be in Washington. We have held off on trying to reserve a space until we knew the dates. But I will speak with Marietta tomorrow morning and we will try to make it in the Humphrey Building, if at all possible.

DR. FYFFE: I think if we cannot get the Humphrey Building, our second choice would be in the District or in Northern Virginia near Reagan Airport. We have to take a look at what is available.

DR. HOUSTON: Is it going to be two full days or a day and a half?

DR. ROTHSTEIN: It will probably be a day and a half, but we will discuss -- we have reserved those dates and we have agreed on those dates, and tomorrow we will work out the topics we want to talk about. If we want to have four topics, then it will be two full days. If we want to have three, it will be a day and a half. That is the way we will resolve it. It will at least be three issues.

Are there any other questions, comments? In that case, we will stand adjourned until 8:30 tomorrow morning.

(Whereupon, the meeting was adjourned, to reconvene Thursday, November 20, 2003 at 8:30 a.m.)