April 25, 2002 Letter to the Secretary – Privacy and Confidentiality Additional Recommendations and Response to NPRM – National Committee on Vital and Health Statistics

April 25, 2002

The Honorable Tommy G. Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Final Rules that adopt the health data standards required by the Administrative Simplification provisions of HIPAA and provides consultation regarding privacy standards.

Over the past several months the NCVHS has sent you three letters containing recommendations regarding the “Standards for Privacy of Individually Identifiable Health Information.” These recommendations, which were informed by public hearings held by the NCVHS Subcommittee on Privacy and Confidentiality, addressed issues involving consent, minimum necessary, research, marketing, and fundraising.

This letter responds to the Notice of Proposed Rulemaking (NPRM) published in the Federal Register on March 27, 2002, containing proposed modifications to the Final Rule. We present our additional recommendations related to the areas we have previously addressed in our letters as well as other issues raised by the NPRM.

At the outset, the NCVHS would like to acknowledge and thank the Department for the careful consideration it gave to our previous recommendations. The preamble to the NPRM indicates that the Department paid close attention to the views of the NCVHS and that in several instances our recommendations were adopted.

Consent

The NPRM proposes to eliminate the requirement that covered entities obtain patient consent for treatment, payment, and health care operations (TPO). Instead, use of consent forms would be optional. Direct treatment providers need to make a good faith effort to obtain an individual’s written acknowledgment of the provider’s notice of privacy practices. Other covered entities, such as health plans, would not be required to obtain this acknowledgment from individuals, but could do so if they chose. The NCVHS supports this revision. We believe it strikes the proper balance between the benefits of informing and empowering patients and the burdens of requiring covered entities to have patients complete additional paperwork.

Although consent for disclosure of PHI for TPO would seemingly further patient interests in privacy and autonomy, the consent form would likely become simply another piece of paper for a patient to sign without much thought or discussion with a health care provider. The notification procedure can succeed in informing individuals how their records may be used for TPO, but only if the notifications are explicit and covered entities are diligent in explaining the contents of the notice to patients. In our view, effective privacy protections for PHI are much more likely to result from HIPAA-imposed limits on uses and disclosures than from patient-negotiated limits flowing from the signing of a consent form.

Minimum Necessary

NCVHS supports the NPRM with regard to the minimum necessary provisions.

Research

NCVHS supports many of the proposals in the NPRM with regard to research, including the following: (1 ) the decision to continue requiring an authorization or institutional review board (IRB) or privacy board approval for use or disclosure of PHI for research; (2) the interpretation permitting IRBs and privacy boards to issue partial waivers of authorization for the purpose of allowing a researcher to obtain PHI necessary to recruit potential research participants; (3) the proposal to permit an individual’s authorization to use or disclose PHI for the creation or maintenance of a research database or repository without an expiration date or event; (4) the modification of waiver criteria to be better aligned with the Common Rule; and (5) the commitment to provide additional guidance and clarification on the relationship of HIPAA Privacy Rule provisions dealing with research and the Common Rule.

NCVHS is opposed to the proposal that would require a covered entity to disclose any remuneration that will result from obtaining an authorization only in the case of an authorization for marketing. Although we agree with the intent to simplify authorizations, our reading of the NPRM would permit a covered entity to accept remuneration from the sponsor of research for enrolling patients without disclosing this fact at the time the authorization is sought. We believe that the issue of remuneration is a material fact of which potential research participants have a right to know.

NCVHS has previously recommended “that HHS reconsider whether the provisions of the privacy rule dealing with the de-identification of information unduly interfere with research and, if so, search for options to reduce the undue interference.” Consequently, NCVHS supports the NPRM’s request for comments on the issue and its reconsideration of the de-identification provision. In particular, NCVHS strongly supports the concept of permitting restricted uses of a limited data set which does not include facially identifiable information, but in which certain identifiers would remain.

Marketing

NCVHS supports the NPRM’s new requirement that specific authorization is required before PHI may be used for marketing. We believe, however, that the general authorization requirement in the NPRM is insufficiently protective of PHI in marketing in the context of the various exceptions and possible applications of the rule. We believe these unintended consequences may be eliminated through several modifications, while retaining the general principle of requiring authorization for marketing. Accordingly, NCVHS recommends the following revisions to the provisions dealing with marketing:

1. The definition of marketing needs to be simplified to cover any communications about a product or service, unless it is subject to one of the specific exceptions. As currently written, the communication must be to encourage the recipient of the communication to purchase or use a product or service. Thus, communications encouraging the recipient to tell others about a product or service are not covered, nor are marketing communications couched as merely informational messages. The change NCVHS recommends is necessary because only activities within the definition of marketing require an authorization, and under the wording in the NPRM, a wide range of commercial activities need not comply with the authorization requirements.

2. The NPRM excepts from marketing (1) descriptions of the entities participating in a health network and their products and services; (2) communications for treatment of the individual; and (3) communications for “case management or care coordination for that individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.” Although the NPRM states that the third exception is not intended to increase the scope of the marketing exceptions, NCVHS is concerned that the third exception could be interpreted much too broadly. We reiterate our position that case management and care coordination should not be considered marketing, but we recommend the inclusion of additional language clearly limiting the applicability of this exception.

3. The provision excluding face-to-face communications from marketing needs to be limited to contacts by health care providers. Otherwise, business associates (that may have the same rights as covered entities) could engage in face-to-face marketing activities without being subject to the authorization requirement.

4. In the December 2000 Privacy Rule, exceptions to the definition of marketing are limited to oral communications or written communication where no compensation is received from a third party. If compensation is received by a third party, the Privacy Rule will not permit the communication to be excepted from the definition of marketing. The NPRM proposes to broaden the exceptions to the definition of marketing by including written communications where the covered entity receives direct or indirect remuneration from a third party for making the communication. NCVHS believes that remuneration for communication transforms the communication into a marketing event, and therefore recommends that the original limitations to the exceptions to marketing be restored.

5. Under the NPRM, marketers are not required to disclose how they obtained the identity or PHI of individuals they contact, the rationale being that the execution of an authorization provides the individual with all of the necessary information about the identity of possible marketers. NCVHS believes that disclosures at the time of marketing contact are important because authorizations are likely to be signed by vulnerable people at a vulnerable time. Accordingly, NCVHS recommends that conditions on marketing based on an authorization need to be established by the Privacy Rule. As we recommended in our letter of March 1, 2002:

Authorizations to permit health care marketing should be limited to products or services that are directly related to the health of the patient, and should clearly indicate that they are comprehensive and can include sensitive protected health information. The disclosure of protected health information by covered entities to marketers should be conditioned on the marketers’ agreement (1) not to redisclose the information, and (2) to disclose, in the course of marketing, the financial arrangements of the parties.

NCVHS further notes that the focus should be on “marketing” rather than “marketers” because there is potential for privacy abuse caused by the practice of marketing, even where the entity would not describe itself as a marketer.

6. NCVHS would like to reiterate another recommendation contained in our March 1, 2002 letter, that “[s]tandardized, simplified procedures should be adopted to ease the burden on individuals who want to opt-out of future marketing contacts.” Applying this principle to authorizations, the Privacy Rule should contain simple procedures for the revocation of marketing authorizations.

7. NCVHS continues to believe that the Privacy Rule must place restrictions on the methods of marketing pursuant to an authorization, so that confidential PHI is not disclosed on the outside of mailings or through voice mail, an unattended FAX, or other modes of communication that are not secure.

Fundraising

The NPRM does not specifically address the issue of fundraising and therefore NCVHS would simply restate our recommendations on fundraising set forth in our letter of March 1, 2002.

Accounting for Disclosures

NCVHS recommends that HHS clarify the rules for accounting for disclosures for public health and research purposes. Further, NCVHS believes that the burden for accounting for disclosures for public health and research purposes should be minimized whenever possible.

We appreciate the opportunity to offer these comments and recommendations.

Sincerely,

/s/

John R. Lumpkin, M.D., M.P.H.
Chair, National Committee on Vital and Health Statistics

cc: HHS Data Council Co-Chairs