September 27, 2002

The Honorable Tommy G. Thompson
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification provisions of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).

The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Boston on September 10 and 11, 2002. The testimony of 28 witnesses from throughout New England afforded the Subcommittee an opportunity to learn about the level of implementation activities by a variety of covered entities. Although additional hearings are scheduled in late October and early November in Baltimore and Salt Lake City, the NCVHS was so troubled by the Boston testimony that we are sending you our initial findings and recommendations. We anticipate sending you additional recommendations after our hearings have been completed in November.

The witnesses at the Boston hearing expressed widespread support for the goals of the Privacy Rule, and some health care providers said that it gave regulatory support to an ethical imperative. Some providers, especially larger ones, reported making substantial progress toward compliance. There was also praise for the guidance provided by the Office for Civil Rights (OCR) in July 2001.

Overall, however, the NCVHS was both surprised and disturbed at the generally low level of implementation activities and the high levels of confusion and frustration. Some covered entities decided to wait until the final Privacy Rule amendments were published in August 2002, and only now are beginning to contemplate their compliance duties. While some professional societies and other groups have made laudable efforts to educate their members, many physicians, dentists, and other health care providers, especially those in small towns and rural areas, have never heard of HIPAA, do not think it applies to them, or confuse their obligations under the Privacy Rule with their duties regarding standards and security and claims attachments. State and local governments reported lacking the budget or personnel to draft their own HIPAA documents and design training programs to comply with the Privacy Rule. The failure of the OCR to make available sample forms, model language, and practical guidance has left covered entities at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees, and scare tactics.

The unprecedented scope of the Privacy Rule raises the likelihood of widespread disruption of the health care system as we approach the April 14, 2003, compliance date. For example, tens of millions of acknowledgment of privacy notices will need to be signed, including by patients picking up prescriptions at retail pharmacies. Public health agencies at all levels have indicated that some providers and hospitals already are failing to report essential public health information because of the erroneous belief that it is prohibited by HIPAA. Representatives of public health clinics told the Subcommittee that they lack the resources to translate essential notices into the numerous languages spoken by their patients as well as to provide the necessary training to employees with low education levels and minimal fluency in English. Home health care providers said they are unsure how to protect the confidentiality of protected health information when it is stored in the homes of their patients. Large employers with self-funded employee benefit plans have received no guidance on when their benefits-related activities are subject to the Privacy Rule. Furthermore, nobody seems to know whether HIPAA or state law applies in the numerous instances in which the laws conflict.

The implementation of the Privacy Rule is undoubtedly more difficult than with typical regulations, and it will require concerted efforts by more than just OCR or even DHHS. Nevertheless, we believe that the Department’s HIPAA implementation assistance efforts need to be increased by several orders of magnitude – and quickly. A substantial increase in resources and personnel is necessary. A massive public education program, including public service announcements, is needed to inform the public about HIPAA and the notices, acknowledgements, and authorizations with which they will soon be confronted. Providers and other covered entities need targeted education programs in various formats and media. OCR needs to produce and disseminate sample forms, including notices, acknowledgements, and authorizations, with simple wording and in multiple languages. It also needs to provide prompt technical assistance, including responding to the thousands of requests for explanation and clarification sent by covered entities. OCR also needs to expand partnerships with professional associations, industry organizations, state agencies, and other affected parties to leverage and reinforce activities already under way.

The NCVHS very much appreciates OCR Director Campanelli’s appearance at our meeting on September 25, 2002. We think that new initiatives being developed by OCR in education and technical assistance are steps in the right direction. However, there must be a dramatic increase in the breadth, depth, and scale of implementation activities, and there must be a greater sense of urgency to the Department’s efforts. Unless prompt, vigorous action is taken to ensure that the implementation goes smoothly, the public acceptance and viability of the entire Privacy Rule will be threatened.

Mark Rothstein, Chair of the Subcommittee on Privacy and Confidentiality, and I would be pleased to discuss these matters, including specific suggestions, with you or your staff at your convenience. We appreciate the opportunity to offer these comments and recommendations.



John R. Lumpkin, M.D., M.P.H.
Chair, National Committee on Vital and Health Statistics

Cc: HHS Data Council Co-Chairs