November 25, 2002

The Honorable Tommy G. Thompson
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification provisions of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).

On September 27, 2002, we wrote to you with preliminary findings from the hearing in Boston on September 10 and 11, 2002, held by the Subcommittee on Privacy and Confidentiality of the NCVHS. This was the first of three hearings scheduled to learn about the implementation activities of covered entities. The Subcommittee has completed its other two hearings, in Baltimore on October 29 and 30, 2002, and in Salt Lake City on November 6 and 7, 2002. In all, the Subcommittee heard testimony from over 70 invited witnesses and other individuals during public testimony. The witnesses represented a broad array of health care providers, health plans, professional and trade associations, state agencies, public health authorities, health information associations, health privacy advocates, and experts on health education and communication.

In general, the witnesses at the Baltimore and Salt Lake City hearings reinforced the views of the Boston witnesses we noted in our prior letter. The NCVHS found widespread support for the goals of HIPAA and the Privacy Rule. The August 2002 amendments were viewed positively as reducing some of the unnecessary burdens associated with the Privacy Rule. Witnesses praised the clarity and utility of the Guidance and Frequently Asked Questions (FAQs) issued by the Office for Civil Rights (OCR). Publication of an integrated text of the Privacy Rule was mentioned by some witnesses as being extremely valuable. Other witnesses lauded the OCR website.

Despite these positive comments, the tenor of the testimony at the two later hearings was virtually identical to that which we described in our letter after the Boston hearing. There is an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger as the April 14, 2003 compliance date nears. The OCR is widely viewed as not providing adequate guidance and technical assistance. In particular, numerous witnesses lamented the lack of model notices of privacy practices, acknowledgments, authorizations, and other forms. Many witnesses also complained that general guidance was of limited value because of their special industry or professional circumstances. Witnesses conveyed a great sense of frustration that they could not obtain any clarifications from OCR or answers to the questions they submitted via OCR’s website.

A large number of witnesses said that issues of preemption made compliance much more difficult, costly, and complicated. To determine whether state privacy laws or the HIPAA Privacy Rule applies to the multitude of health privacy issues, covered entities must obtain a comprehensive “preemption analysis,” detailing whether state or federal law applies. These analyses are often lengthy documents, expensive to research, highly technical, and not binding on any enforcement agency or the courts. Large, multi-state covered entities need to have such an analysis for every jurisdiction in which they do business. There is no national coordination on the issue of preemption, and state and local efforts vary widely in their degree of completion and, for those already completed, in the cost to obtain copies. A related issue involves conflicts and overlaps between HIPAA and other federal laws dealing with privacy, including Gramm-Leach-Bliley, the Family Educational Rights and Privacy Act (FERPA), the Privacy Act, and other statutes and regulations.

The lack of clarity on compliance responsibilities, the unavailability of free and authoritative model forms, and the absence of widely available training materials have left many covered entities lacking the wherewithal to come into compliance. Several witnesses described the aggressive efforts of numerous vendors and consultants to fill this vacuum by offering implementation assistance. Covered entities testified that they have no way of judging the accuracy of the information they are being given or the necessity of the expensive measures some vendors and consultants have urged them to adopt to become “HIPAA compliant,” such as redesigning their facilities or replacing their computer systems. Some witnesses said they would like a system of certifying vendors and consultants or some other way of assisting covered entities in determining when such services are needed.

Several witnesses estimated that well below half of all small providers had made any effort to comply with the Privacy Rule, and some have no intent to do so. One witness reported that some rural providers have given up on compliance and adopted the position that “I can’t do this; let them catch me.” Even more troubling are the potential adverse effects on the health care system. Some witnesses said that some Medicaid and other “safety net” providers may drop out of the system of providing care to indigent patients because they cannot afford to absorb the costs of complying with the Privacy Rule, and there is no way to pass along the costs. One witness, an administrator of a large oncology group, said that the difficulty and expense of HIPAA compliance had caused her practice to abandon the use of electronic billing and to go back to paper claims to avoid being a covered entity.

Fears surrounding HIPAA also featured prominently in the testimony. Witnesses were very concerned about the possibility of overzealous enforcement by OCR as well as private lawsuits, both of which were viewed as costly to defend. Other witnesses reported that the fear of violating HIPAA already has resulted in negative health outcomes, including providers’ refusing to share patient medical information that would be helpful in treating another patient and a decline in mandatory or permissive reporting of essential health data to public health agencies, tumor registries, and other entities.

Another important part of the compliance picture is the need for education and training. Millions of health care workers will need to be trained in the next few months, but there is a dire shortage of expertise, materials, and funding. Overwhelmingly, witnesses said that generic training will not work; to be successful it must be customized by industry, entity, and job description. In addition, consumers have received virtually no information about HIPAA, and it will be difficult for them to understand the basis or context for the myriad notifications, acknowledgments, authorizations, and other forms with which they will soon be presented. Public education is complicated by consumers’ varying levels of education, cognition, and language proficiency.

Some of the most promising testimony received by the Subcommittee came from state and regional coalitions of covered entities and professional associations, which have often succeeded in advancing implementation for their members. Unfortunately, there is no federal interface or coordination with these groups, and the number of covered entities reached by them remains relatively low.

Complete versions of the testimony from the hearings have been posted on the NCVHS website. This letter contains some key findings drawn from the testimony. Our recommendations for implementing the Privacy Rule are detailed in the accompanying attachment. The NCVHS is aware that the Department, and OCR in particular, have limited resources to accomplish the extensive recommendations set forth in the attachment. Given these constraints, we encourage the Department to marshal all available resources to provide OCR the funds and staffing necessary to accomplish the massive technical assistance, outreach and education efforts needed in the upcoming months to ensure successful Privacy Rule compliance efforts.

The additional information derived from our last two hearings reinforces the view we expressed in our letter of September 27, 2002, that unless prompt, vigorous action is taken to ensure that implementation goes smoothly, the public acceptance and viability of the entire Privacy Rule will be threatened.

We appreciate the opportunity to offer these comments and recommendations.



John R. Lumpkin, M.D., M.P.H.
Chair, National Committee on Vital and Health Statistics

cc: HHS Data Council Co-Chairs



I. Coordination and Collaboration

1. Department-wide Efforts. Problems in coordinating agency efforts, already beginning to surface, are likely to intensify as all of the elements of Administrative Simplification come on-line. It is difficult for the public to understand the lines of responsibility at HHS, and a source of confusion and frustration is the inability to get integrated answers to HIPAA questions.

  • OCR and CMS need to improve coordination of education, outreach, and technical assistance.
  • The Secretary should implement any organizational steps necessary to promote essential coordination of Departmental implementation activities.

II. Education, Outreach, and Technical Assistance

Technical Assistance

2. Covered Entity Teams. OCR should establish covered entity teams to assist the various industries and professions with their unique compliance issues.

  • OCR should assign a designated staff person for each major profession and industry. This would permit ongoing and closer contact between OCR and health professional and industry groups that could result in, among other things, compilations of valuable compliance materials for the OCR website, identification of specific issues for FAQs, and OCR presentations at meetings of the relevant groups.
  • OCR should establish teams to assist state governments in determining which of their programs are covered entities under HIPAA. Many of the state programs are HHS grant-in-aid programs, and HHS has particular expertise and interest in the programs. OCR also can provide other coordination and assistance to states in complying with the Privacy Rule.
  • OCR should focus technical support on safety net providers, including community health centers, rural physicians, Medicaid physicians, advanced practice registered nurses in rural areas, health care providers treating indigent populations, and sole or small group practitioners. These providers often lack the knowledge, time and resources to achieve compliance.

3. “Defensive Practices.” There is considerable misunderstanding about the requirements of the Privacy Rule, and concern about possible HIPAA liability is causing some covered entities to restrict the uses and disclosures of essential protected health information when doing so is permitted under HIPAA. Such “defensive practices” may result in adverse outcomes with respect to treatment and data collection activities for research and public health.

  • OCR technical assistance should focus on clarifying permissible disclosures under the Privacy Rule to counteract the increased use of defensive practices.

4. Website. OCR should enhance its website.

  • OCR should revamp its website to provide for greater segmentation, including by profession, industry, and state. Numerous links should be added to professional groups, provider associations, and statewide coalitions. A disclaimer that these other sites are not official would not diminish the value of supplying this information. HHS should also ensure better coordination of all its websites containing HIPAA-related information.
  • OCR needs to provide more examples, decision trees, diagrams, and matrices. Any visual aids to explain the complexities of the Privacy Rule would increase comprehension.

5. FAQs. OCR should improve its FAQ response process.

  • OCR should post answers to questions within 30 days. Part of the frustration in complying with the Privacy Rule is that OCR has not been able to respond to the tens of thousands of questions it has received. At the end of 30 days, covered entities cannot afford to wait any longer and must attempt to find their own answers to problems. The question submission feature on the OCR website needs to become a timely, meaningful part of outreach or it should be dropped altogether.
  • OCR should tailor FAQs to be more responsive to the needs of specific entities, professions, and groups, such as long-term care facilities and academic medical centers. Answers to FAQs with special relevance to particular covered entities should be posted on the segmented website described in recommendation 4.

6. Guidance on Privacy Rule’s relationship to other laws. The issue of preemption is a great source of uncertainty and confusion among covered entities. Even without undertaking its own state law preemption analysis, there are steps that OCR can take to alleviate the burden of complying with this complex piece of the Privacy Rule.

  • OCR should assist in the coordination and publication of state preemption analyses, including putting state-specific preemption analysis links on its website. OCR also needs to publicize and inform covered entities about the underlying preemption principles of HIPAA and the Privacy Rule.
  • OCR should publish an analysis of other federal laws that may overlap with the Privacy Rule, setting forth how to comply with multiple privacy requirements simultaneously (e.g., Gramm-Leach-Bliley, FERPA, Federal Substance Abuse Regulations, Privacy Act of 1974). HHS should recommend legislative amendments and technical corrections where it would be difficult to comply with two federal privacy laws simultaneously.

7. Training. With millions of health care providers and other individuals to train, OCR needs to leverage its training efforts.

  • OCR should train its regional staff so that they can serve as a definitive resource, working with local groups on state-specific compliance issues and relieving some of the burden from the OCR national office.
  • OCR should sponsor train-the-trainer programs for the private sector.

8. Compliance Assistance. A variety of measures should be adopted to assist covered entities in complying with the Privacy Rule.

  • OCR should publish a list of no-cost and low-cost compliance measures. Many covered entities are convinced that everything associated with the Privacy Rule is expensive. Publishing a list of no-cost and low-cost measures should promote at least some compliance measures by all providers immediately and get them on the road to fuller compliance in the future.
  • OCR should publish a list of compliance issues on which vendors and consultants may be valuable. Covered entities are extremely concerned about wasting money on worthless consultation services, and they would like some way to evaluate whether such services are necessary. Although it is difficult and impractical to have OCR certify vendors and consultants, some guidance on how to know if you need outside help would be easy to do and valuable. Ideally, OCR-produced documents will replace the need for consultants for simple compliance measures.
  • OCR should work toward being able to provide on-site assessments of compliance. A comparable program of OSHA (“on-site consultation”), provided by state agencies and contractors under the auspices of federal OSHA, has been successful. Getting a clear, in-person ruling on the types of measures needed could save considerable time and expense for covered entities.


9. Statewide Coalition Building. Statewide coalitions of health information associations and other professional and trade organizations are among the most effective mechanisms for reaching covered entities. Support for existing programs will be much less expensive than creating new measures.

  • OCR should coordinate and support private sector initiatives to leverage existing programs and increase their reach and effectiveness.

10. Communication Methods. Numerous media and formats should be utilized in outreach activities.

  • OCR should have regular conference calls on compliance issues. The CMS conference calls on HIPAA have been widely praised and should become a part of OCR’s Privacy Rule implementation program.
  • OCR should host web-based seminars.
  • OCR should start a monthly newsletter, which can be distributed to, among others, all Medicare providers.
  • OCR should contact all the individuals filing for an extension on the HIPAA Transaction Rule, informing them that they may be covered entities under the Privacy Rule and that filing for an extension with CMS does not operate as a stay of their compliance obligations under the Privacy Rule.
  • OCR should establish a toll-free hotline to answer questions.


11. Develop materials for distribution to consumers. Simplicity and widespread distribution should be the hallmarks of educating the public about the Privacy Rule.

  • OCR should prepare a simple, one-page handout explaining the basics of the Privacy Rule for providers to distribute to their patients. Such a handout should be at an appropriate reading level, and should be translated into other commonly spoken languages.
  • OCR should distribute the handout as widely as possible. For example, it could pursue with CMS a mailing to all 35 million Medicare recipients about the Privacy Rule. The annual CMS guide to Medicare benefits might provide this opportunity. In addition, OCR should pursue with CMS and state Medicaid directors methods of distributing the handout to Medicaid beneficiaries.

12. Consumer Education Approach. While a massive public education program is needed, tailoring the message is necessary for successful communication.

  • OCR’s public education needs to proceed along many tracks, including editorial briefings, extended radio and television interviews, feature articles, and town meetings. Public education must be coordinated with education efforts aimed at health care providers, because if patients ask their providers about the Privacy Rule and the providers have no idea what the patients are talking about, this will undermine the physician-patient relationship.
  • OCR’s consumer education efforts need to be segmented to different populations, and specific efforts are needed for the individuals who are most vulnerable to discrimination or hardest to reach (e.g., chronically ill, mentally ill, substance abusers, homeless, low income persons).
  • OCR’s consumer education must include communicating the value of health information interchange, including better health outcomes and reduced costs.

III. Regulation and Enforcement

13. Evaluation. Ongoing and systematic efforts are needed to evaluate the effectiveness of the Privacy Rule.

  • The Department should fund research to assess the effects of all aspects of the Privacy Rule.

14. Communicate enforcement plans. There is great anxiety about overzealous enforcement of the Privacy Rule, and dissemination of information about enforcement could allay these fears. OCR needs to reassure providers that reasonable efforts to comply will not lead to enforcement actions.

  • OCR should communicate clearly and specifically with providers and other covered entities about its enforcement plan and penalty assessments.

15. No certification statement. The use of the phrase “HIPAA compliant” and similar ones has caused covered entities to rely on the unsubstantiated claims of vendors and consultants.

  • OCR should issue a statement that it does not certify any products or services as “HIPAA compliant.”

16. Accounting for Mandatory Disclosures. Extensive disclosure activities occur for mandatory reporting, which makes the accounting for mandatory disclosures burdensome for covered entities.

  • OCR should consider deleting mandatory disclosures (e.g., disclosures required by state law) from accounting requirements. Guidance is also needed on the degree of detail required in the notice of mandatory disclosures.

IV. Guidance

17. OCR should draft and make widely available model forms and templates, including state-specific, industry-specific, and profession-specific forms. Such forms should include model notices, model authorizations, and model acknowledgments of notices received. In addition, OCR should consider publishing standardized gap assessment guides, simple checklists, a HIPAA practice management handbook, and time-lines to assist covered entities.

18. OCR should provide guidance on the following topics.

A. Covered provider questions. Guidance is needed with regard to who is a health care provider (e.g., ambulance companies, fire rescue units) as well as what constitutes an electronic transmission. Common questions include whether faxing, telephoning, or e-mailing PHI for standard transactions makes a provider a covered entity. Similarly, are physicians who do all billing on paper, but who need to fax PHI to other providers for treatment purposes, covered entities? Are professional practices with fewer than 10 full-time employees exempt from HIPAA? In addition, OCR should provide guidance on the advantages of using electronic records rather than paper to inform providers who are considering not using electronic records in an effort to avoid being a covered entity.

B. State agency, “quasi” health plans/providers. Guidance is needed to help state “quasi” health care service and public health programs ascertain their covered entity status (e.g., agency responsible for care/custody of minors that also secures or pays for health care services; federally funded breast and cervical cancer early detection and screening programs; state laboratories that do not furnish testing directly to patients, do not bill and are not paid for testing). With regard to health plans, more guidance is needed about “high risk pools” established under state law as well as what programs would be considered excepted benefits under the Public Health Service Act. Guidance is also needed on whether a state agency is a “health care provider” if it funds health care providers to furnish medical or health services.

C. Health plan. Guidance is needed on the practice of health plans sending explanation of benefit (EOB) forms, which contain PHI, to subscribers rather than to individual patients. Guidance is also needed to explain what types of entities fall under the current “catch-all” provision of the health plan definition. For example, are “continuing care contracts” utilized by multi-level retirement communities health plans?

D. Group health plan sponsors, self-funded and fully-funded benefit providers. Guidance is needed to clarify how group health plans, including self-funded plans that utilize third party administrators (TPAs) to process claims, must comply with the Privacy Rule, as well as the specific HIPAA privacy responsibilities of health plan sponsors. Guidance is needed on when a benefits department is acting as an employer/plan sponsor (e.g., enrollment function) versus when it is acting on behalf of the group health plan (e.g., claims appeals function). Guidance would also be helpful regarding the HIPAA compliance obligations of an insurance issuer in its relationship with a small health plan during the additional transition year available to small health plans for compliance.

E. Employers. Guidance is needed on the applicability of the HIPAA Privacy Rule to a range of employer activities related to health matters, including on-site and off-site employer-sponsored health clinics, administration of flu shots, occupational health surveillance activities, fitness centers, wellness programs, and employee assistance programs.

F. Medicaid. Guidance is needed on whether Medicaid managed care organizations and Medicaid state agencies act separately as covered entities, or whether Medicaid managed care organizations are business associates of Medicaid. If they are separate covered entities, is the beneficiary supposed to receive two notices of privacy practices, and must the individual contact each entity separately for access, amendment, and accounting?

G. Hybrids. Guidance is needed on what constitutes a firewall within a hybrid entity. OCR should provide examples of effective firewalls.

H. Organized Health Care Arrangements (OHCAs). Clarification is needed to explain that OHCAs arise by operation of law and not through designation by covered entities. Guidance is needed regarding the HIPAA liability of hospitals and other institutional providers vis-à-vis physicians and other health care professionals who are part of an OHCA.

I. Business Associates. Clarification is needed on the definition of “business associate” and when contractors should enter into business associate agreements.

J. Training. OCR should provide guidance about what needs to be included in a covered entity training program, taking into account the need for training in different languages and varying levels of comprehension. Different versions of training will need to be developed to address all audiences. Guidance is also needed on whether the academic medical institution or the hospital where residents and other trainees are working is responsible for providing their HIPAA training. Other questions needing clarification include whether health care workers who rotate at multiple sites of a covered entity need multiple training courses at multiple locations and when an institutional provider must train temporary employees and other non-standard employees (e.g., contractors, students, volunteers, temps).

K. Reasonable safeguards. Guidance is needed on what is “reasonable” for physical privacy around the customer service desk and computer in the offices of health care providers. What are reasonable and/or scalable physical safeguards for “home health” medical records? What security is appropriate for use of laptops and PDAs? OCR should consider drafting guidelines for communications between caregivers and patients over the Internet (e.g., expectations for tracking/archiving) and via fax (e.g., what are the expectations for testing/verifying fax numbers).

L. Notice. Clarification is needed on what constitutes a “good faith effort” to obtain acknowledgment that an individual has received notice of privacy practices. How many times must a provider make a good faith effort? Do providers need to track their efforts to obtain an acknowledgment? How does a practitioner provide notice when the first contact is not in the provider’s office (e.g., hospital or nursing home) and the institution is not drafting notices for an OHCA? What if the individual refuses to sign the acknowledgment? What criteria should be used to ascertain whether a phone contact is a first point of entry triggering the notice requirement or whether it is merely clerical or administrative?

M. Right to deny request for restriction and confidential communications. Guidance is needed regarding what criteria may be used to deny requests for restrictions or confidential communications. Many covered entities indicated an intention not to accept any requests for restrictions. Is there any way that OCR can interpret this requirement to make it easier to comply with requests and thereby encourage providers to do so?

N. Accounting for disclosures. Guidance is needed on the interpretation of trackable disclosures, and models should be provided for managing this information. Do covered entities need to account for public health disclosures that are required under state law (e.g., infectious disease reporting, births, deaths, gunshot wounds), or are such disclosures “health care operations” and consequently outside the accounting requirement? Other questions involve application of the “50 or more” rule in the research context as well as disclosures to researchers who are dual employees of a university (non-CE) and a hospital (CE).

V. Additional Resources Needed to Implement the Administrative Simplification Provisions of HIPAA, Including the Privacy Rule

19. Adjustments to Medicaid Reimbursement. The Secretary should pursue with Congress and the state Medicaid agencies making adjustments to Medicaid reimbursement rates to recognize the costs of complying with HIPAA.

20. Fund the ASCA $42.5 million. The Secretary should recommend to Congress that it fund the $42.5 million for technical assistance authorized under the Administrative Simplification Compliance Act (ASCA), and that some of that funding should be allocated to Privacy Rule implementation and the recommendations contained herein.

21. HIPAA Compliance Grants. The Secretary should recommend that Congress fund HIPAA compliance grants for the states.

22. Relieve financial burden for providers. The Secretary should recommend that Congress provide tax incentives or other mechanisms for HIPAA compliance for providers lacking the resources to comply.