Testimony by Donna Maassen for the March 30, 2005 NCVHS Subcommittee on Privacy and Confidentiality Hearing

Subcommittee on Privacy of the

National Committee on Vital and Health Statistics

Privacy and Health Information Technology Hearing

March 30, 2005

Comments provided by Donna Maassen, Privacy and Security Officer of Extendicare Health Services, Inc., on behalf of the American Health Care Association (AHCA) and the National Center for Assisted Living (NCAL).  The American Health Care Association (AHCA) and the National Center for Assisted Living (NCAL) are the nation’s leading long term care (LTC) organizations. AHCA/NCAL and their membership are committed to performance excellence and Quality First, a covenant for healthy, affordable and ethical long term care. AHCA/NCAL represent more than 10,000 non-profit and proprietary facilities nationwide dedicated to continuous improvement in the delivery of professional and compassionate care provided daily to more than 1.5 million of our nation’s frail, elderly and disabled citizens who live in nursing facilities, assisted living residences, post-acute centers and homes for persons with mental retardation and developmental disabilities.

The following comments are prepared in response to the request of the National Committee for Vital and Health Statistics Subcommittee on Privacy to discuss potential privacy and confidentiality issues raised by the National Health Information Network (NHIN).  Thank you for the opportunity to provide this feedback.

Overview

In submitting testimony on the concerns of the LTC provider community regarding issues of privacy and confidentiality in a NHIN, we feel it is important to describe the current status of health information technology in LTC, the significant enhancements that would be achieved by inclusion of LTC in electronic health information exchange initiatives, impediments and motivators to expanding health information technology (IT) adoption in LTC, and finally industry specific concerns regarding the impact of health IT on the security, privacy, and confidentiality of protected health information.

Current State

While it is perceived by some that the LTC industry is 8 – 10 years away from the adoption of an electronic health record (EHR), in reality, many long term care providers are already identifying implementation of an EHR as a near term goal. The nation’s 16,000 Medicare and Medicaid certified nursing facilities routinely submit Minimum Data Set (MDS) files electronically to state agencies as required by federal survey and certification rules. The Centers for Medicaid and Medicare Services (CMS) is actively engaged in efforts to enable the automatic population of MDS information from an EHR.  Additionally, nursing facilities, assisted living residences and homes for individuals with mental retardation and developmental disabilities use computer applications for billing, documenting patient assessments and progress, care planning, as well as electronically generating physician orders.  We also have nursing facilities  using palm pilots and touch pads to document activities of direct care staff, and tablet PC’s on medication carts to prompt for and record the administration of medications.

While the LTC provider community has some “technology stars”, and significant pent-up demand for the efficiencies and improvements afforded by EHR systems, the profession continues to struggle with predominantly paper based health information processes.  Currently, patients admitted to nursing homes often arrive before their medical records; a situation that can compromise comprehensive assessment, care planning and quality.  Paper records containing these patients’ medical information are usually large and fragmented from years of accumulated, independent medical encounters and they also contain information gaps.  In fact, the medical records of chronic care patients in LTC facilities are often split into smaller files for easier daily use and access, leaving other relevant medical information locked away in file cabinets and archival storage.  LTC professionals find the current record system and records unwieldy, insufficient and difficult to use.  Since the medical needs of elderly Americans significantly impact the health care system, the movement toward electronic records that are interoperable within networks will greatly enhance patient care, quality and safety in the LTC setting.

Long Term Care and the NHIN

A key factor in the success of the National Health Information Network will be the inclusion and definition of all components in the spectrum of care.  During their stay in a nursing facility, our patients interact with multiple physicians and ancillary providers such as pharmacies, labs, or x-ray providers.  For example, at Extendicare, we have just over 150 nursing facilities and work with approximately 5,250 physicians at any given time.   An average 100 bed Extendicare nursing facility coordinates care and treatment with approximately 35 physicians.  That is not to mention that this same nursing facility has an association with each hospital in their community for potential admissions and discharges as well as relationships with multiple out-patient service providers such as pharmacies, labs, x-ray providers and dialysis centers. The sharing of health information between these providers is critical to effective care delivery for our patients.

The Nationwide System of Electronic Health Records Overview, dated January 13, 2005, provided by Kathleen Fyffe, Department of Health and Human Services (HHS) Senior Advisor states, “The HHS Framework calls for an interoperable infrastructure, or National Health Information Network (NHIN), which will allow for the secure movement of health information so that the adoption and use of EHRs will realize their full benefits.  Interoperable health records will allow patient information to be portable and to move with consumers from one point of care to another.  Indeed, non-interoperable EHRs could actually impede access and harm care by protecting information silos and proprietary control over populations to limit mobility of patients.”  Based on this statement, it is clear to us that the intent of HHS is to ensure quality of care by setting standards of information sharing among providers.  AHCA/NCAL strongly urge HHS’ Office of the National Coordinator of Health Information Technology (ONCHIT) to include the electronic health information needs of LTC providers in the current efforts addressing information technology and network connectivity.

In the January 2005 keynote speech at the Healthcare Information and Management Systems Society (HIMSS) annual conference, Dr. David Brailer, National Coordinator of Health Information Technology, highlighted some of the benefits of health IT adoption such as improved care, reduced wasteful and redundant treatments and prevention of medical errors.  However, when Mr. Brailer cited these benefits he did so in the context of benefits to the hospitals and physician practices.  AHCA/NCAL feels strongly that these health IT benefits should accrue for the 1.5 million frail and elderly residents in parallel with the accrual of such benefits for ambulatory care and acute care populations.  Therefore, we are requesting that the interests of LTC providers be incorporated in all efforts related to the definition, development and implementation of NHIN initiatives.

Impediments & Motivators

Technology is not new to LTC, but the profession has been slower to advance to more sophisticated technology because of the significant cost investment required.  As you are aware, a high percentage of reimbursement received by LTC providers is generated by government programs and barely covers the cost of providing health care services.  Providers are seeking to reduce their risk as they invest their limited technology dollars in EHR systems.   Inclusion of LTC in initiatives such as the Certification Commission for Healthcare Information Technology (CCHIT) would help assure LTC providers that the software selections they make will meet the minimum standards of an Electronic Health Record.  This would further reduce the financial risk of IT investment by assisting providers who do not have the luxury of an IT department to guide their software selection and assure appropriate security controls.

LTC providers are committed to finding the resources necessary to allow them to take advantage of the benefits seen by utilization of an EHR system.  However, to assist providers, we believe it is critical that CMS develop a program which allows LTC providers the opportunity to engage in initiatives leading to interoperable electronic health information.  In addition, these programs should include government subsidies for funding start-up expenses for equipment and training.  Once a network framework and data components supporting exchange of electronic health information are established, we recommend that tax incentives be made available to providers and organizations who purchase hardware and software and expend time in electronic health information connectivity.   Impact Of Health IT On The Security, Privacy, And Confidentiality Of Protected Health Information

As we discuss the electronic sharing of health information, it becomes apparent that standards will need to be in place to define the data sets needed by health care providers for each type of information exchange.  The Health Insurance Portability and Accountability Act (HIPAA) Privacy rule contains areas that deserve discussion in light of this exchange of health information.  The first is the Minimum Necessary Standard.  This Standard requires that entities covered by the rule limit health information for disclosure to the “minimum necessary” to fulfill the request.  This standard forces the “holder” of the information to be responsible for determining the minimum necessary amount of information for disclosure.  This professional judgment factor comes into play each and every day as we share information with hospitals both in pre-admission and post-discharge continuity of care situations.   One could argue that the minimum necessary standard does not apply to the disclosure of protected health information for the purpose of treatment between health care providers, but those of us who operate in this environment on a day-to-day basis know that every health care provider does apply the standard and they do so in ways unique to their organization.   Therefore, emerging standards such as the Continuity of Care Record (CCR) may be a potential solution to this subjective situation of today.  The CCR is being designed to be a snippet of the full medical record and contain information limited to the most recent patient/provider encounter.  The intent of the CCR is to provide the most relevant information to the referring provider as well as the patient.  AHCA is a sponsor of the CCR and is currently developing the data components needed for a patient being referred to a nursing facility (such as from a hospital) and referred from a nursing facility (such as LTC patients referred to home and community-based services, hospitals or assisted living centers).  The standards for minimum necessary disclosures are a key component of protecting the privacy of our patient information.

Another area within HIPAA that causes privacy concerns with a national health information infrastructure is the preemption standard.  This standard states that if state law is more stringent than HIPAA, then the state law must be followed.   Examples of conflicts between HIPAA and state requirements are seen daily in LTC in the area of access to health information.  Issues associated with the request for patient information by family members can be highly problematic.  Some states have no proxy laws, and if a family member is not legally named as guardian, no one or everyone may have the right to access the information.  How the NHIN determines the level of access by each user and how the request to access information is recognized by the electronic information system are key concerns.  A system that can discriminate between a legal guardian and responsible party will be needed to prevent inadvertent, inappropriate disclosure of health information.

The HIPAA Long Term Care Consortium (LTCC), a group of LTC professionals from 30 of the nation’s largest LTC providers working together to identify best practice application of the HIPAA standards, has worked for 3 years on creating a database of state preemption issues.  The LTCC participated in an initiative coordinated by the Health Care Leadership Council to analyze the state preemption issues and provide documentation to assist each industry in applying the preemption standard effectively.  The LTCC contributed a million dollars to this project and yet three years later we still do not have a comprehensive picture for each of the 50 states that identifies where there are variances between HIPAA and state laws.  Beyond the initial one million dollar investment, the LTCC has contributed hundreds of person hours to interpret the legal documentation to make it more user friendly to the LTC industry. AHCA recommends that the state preemption issue may best be addressed at the Regional Health Information Organization (RHIO) level.  Each RHIO would determine the appropriate patient/organization access and disclosure at the local network level and would ultimately determine what information could be shared nationally.  This recommendation is based on the premise that RHIO’s will include LTC facilities.  In most cases today, that is not the case.

The final area of HIPAA that we would like to address is the Security Rule.  As you are aware, the Security Rule was written with scalability and flexibility as a key component.  However, this flexibility leaves many providers unsure of what the minimum requirements are for a “secure” environment.  We believe it is essential to the success of the NHIN that minimum security requirements be delineated.  Patients expect their health information to be protected at all times and if we are going to implement a pure EHR and a National Health Information Network, security will be the cornerstone to patient confidence and comfort.

In the past, CMS and OCR have indicated that they would provide guidance and assist providers with clarification of “confusing” or “unclear” issues.  They have provided some guidance, but there continues to be a need to work with each sector of health care to address their specific privacy and security needs.  In an effort to erase some of the confusion for LTC providers, and to establish much-needed guidance for our profession, the Long Term Care Consortium (LTCC) was created.  The LTCC voluntarily comes together on a regular basis to share ideas in relation to complying with the HIPAA Administrative Simplification regulations (i.e., privacy, security, transaction and code sets, national provider identifier, etc).  The LTCC has created and is sharing via AHCA’s website, invaluable resources/tools that provide direction and guidance for implementing privacy, security and standard transaction rules in long term care facilities.  To view these tools go tohttp://www.ahca.orga/hipaa/index.htm.  Thus we see how today, health care providers are forced to set standards for their own health care setting.  This may be a reasonable process, but as we increase the amount of information being shared between health care sectors, clearly defined security protocols will be a requirement of our patients as well as of providers.  As a provider, I will not be willing to share my patients’ protected health information electronically until I know that the communication security protocols have met a minimum standard.

Conclusion

In closing, we hope that this testimony has shown that the LTC provider community:

1. is currently using technology, and is poised to embrace an expanded role of technology,
2. has significant contributions to make to electronic health information exchange initiatives,
3. is faced with fiscal and human resource impediments and would embrace motivators to expanding health IT adoption, and
4. has specific concerns regarding the impact of health IT on the security, privacy, and confidentiality of our patient’s protected health information.

AHCA/NCAL supports the National Health Information Network and the EHR and wishes to play an active role in the definition and development of both these initiatives.

Thank you for the opportunity to provide input into this very important national initiative.