NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY
February 18 and 19, 2004
– Minutes –
The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS) held hearings on February 18 and 19, 2004, at the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public.
- Mark A. Rothstein, J.D., Chair
- Simon P. Cohn, M.D.
- Richard K. Harding, M.D.
- John P. Houston, J.D.
- Harry Reynolds
Staff and Liaisons:
- Amy Chapper, CMS
- Kathleen Fyffe, ASPE; Lead Staff
- John Fanning, LL.B., ASPE
- Marjory Greenberg, NCHS, CDC
- Gail Horlick, M.S.W., J.D., CDC
- James Scanlon, ASPE; Executive Staff Director
- Marietta Squire, NCHS, CDC
- Julie Appleby, USA Today
- Martha Dewey Bergren, D.N.S., R.N., National Association of School Nurses
- Bill Braithwaite, independent consultant
- Christopher Calabrese, American Civil Liberties Union
- Ellen Campbell, U.S. Department of Education
- John Casillas, The Medical Banking Project
- Pat Catchman, FDIC
- Tom Dean, The Medical Banking Exchange
- Beverly Dozier, CDC, Health Information Privacy Office
- Robert Gellman, Privacy and Information Policy Consultant
- Thomas J. Gilligan, Assoc. for Electronic Health Care Transactions (AFEHCT)
- Jody Goldstein-Daniel, Office of the General Counsel, Civil Rights Division
- Priscilla Holland, National Automated Clearinghouse Association (NACHA)
- Jan Hoopman, NASN
- Ed Hunter, CDC
- Thomas Hutton, National School Boards Association (NSBA)
- Mary Lou King, Office of the General Counsel, Civil Rights Division
- Laura Manley Knoblauch, Illinois State Univ. and American College Health Assoc. (ACHA)
- Ian McCoy, National Automated Clearinghouse Association
- Jane W. McGrath, MD, American Academy of Pediatrics (AAP)
- Mary Moyen, NCHS
- Cris Naser, American Bankers Association (ABA)
- Sama Perkidolica, Association of State and Territorial Health Officials
- Joy Pritts, J.D., Georgetown University
- Dan Rode, American Health Information Management Association
- Nadine Schwab, B.S.N., M.P.H., P.N.P., American School Health Association
- Katheryn Serkes, Association of American Physicians and Surgeons
- Anna Slomovic, Ph.D., Electronic Privacy Information Center
- J. Steven Stone, American Bankers Assoc. and The Electronic Payments Association
- Sarah Wattenberg, Substance Abuse and Mental Health Services Administration
- Robert C. Williamson, Drug Enforcement Administration (DEA)
- Nancy Wook, ICC
- Jeffrey Zelman, OCR
- Kepa Zubeldia, M.D., Claredi
The Subcommittee on Privacy and Confidentiality held hearings on February 18 and 19, 2004, on implementation issues under the HIPAA Privacy Rule. The subcommittee received 17 presentations and talked with five panels about the balance between health privacy and other important concerns and looked at practical problems and unintended consequences of the HIPAA Privacy Rule upon banking, law enforcement and schools.
Panel 1: Banking – Panel 1
Kepa Zubeldia, M.D.
Dr. Zubeldia outlined the questions surrounding the status of the financial institutions under HIPAA and whether they should be considered clearinghouses or business associates. He provided a definition of clearinghouses and business associates, described each and outlined their different roles. He described the financial transactions defined by HIPAA, the ways in which those transactions may be processed through the payment chain, and how protected health information is contained within the transactions.
Joy Pritts, J.D.
Ms. Pritts identified three existing laws and regulations that attempt to protect PHI as it flows through the system: HIPAA, the Gramm-Leach-Bliley Act (GLBA), and the Fair and Accurate Credit Transactions Act (FACT Act). She explained each act, its position on information sharing, and the aspects of PHI that it does or does not protect. She noted public concern that financial institutions have a potential financial incentive for using health information and concluded that if banks are fully exempt under Section 1179, the medical information they receive is not fully protected by other laws.
Mr. Casillas defined medical banking as the convergence of banking infrastructure with healthcare administrative operations, including the flow of PHI between the two. He explained that banks are functioning as business associates and sometimes as clearinghouses, and emphasized the value of banks’ administrative and transactional architecture to build a national health-information infrastructure. He identified a variety of instances in which PHI in remittance advice is exposed in the payment chain and indicated that his organization believes HIPAA should protect PHI in these situations.
J. Steven Stone
Representing the direct voice of the banking industry, Mr. Stone made four assertions. First, financial institutions are not trying to avoid HIPAA privacy and security requirements. Second, the ABA and NACHA are unequivocally opposed to data mining financial institution records for medical information. Third, only financial institutions are examined regularly for compliance with numerous privacy and security regulations. Finally, remittance advice is a defined component of a payment and thus is part of the payment process, and banks engaged in payment processing are exempt from the HIPAA transactions standards rules under Section 1179.
Panel 2: Banking – Panel 2
Mr. Dean explained that banks are playing a growing role in the remittance administrative process and can help to simplify or automate it. Only banks can transfer and settle payments and handle the attached remittance data, he asserted. Even if PHI and the payment are separated, banks are the only entities that could then reconcile the data effectively and he noted that banks are performing clearinghouse functions. He advocated for leveraging bank infrastructure to help providers. He sees a movement toward real-time claim processing and payment in doctors’ offices, which will involve banks.
Anna Slomovic, Ph.D.
Dr. Slomovic asserted that privacy protections for banks handling and transmission of PHI are inadequate and that banks which handle PHI in premium-payment transactions and remittance advice should be covered healthcare clearinghouses. She stated that PHI should be further encrypted to prevent access via the ACH network. Business associate agreements do not provide the same level of protection for health information as covered-entity status, she observed, and added that such agreements also offer no recourse for individuals who believe their privacy has been violated. She raised the issue of security breaches in the ACH network and called for stronger protections.
Thomas J. Gilligan
Mr. Gilligan emphasized that banks become subject to the definition of a HIPAA clearinghouse when they translate data or format. Although the preamble to the final rule says that the payment and remittance advice are part of the payment process, the two components are separable. He disagreed with the stance that HHS could not have intended to include financial institutions in HIPAA, noting that the HIPAA definition of a clearinghouse lays out a set of functions, and if you perform those functions, you are a clearinghouse and subject to the rule.
Panel 3: Law Enforcement – Panel 1
Mr. Gellman gave an overview of the law-enforcement provisions of the Privacy Rule. He noted that the HIPAA definition of a law-enforcement official is extremely broad and reviewed the six subdivisions that allow law-enforcement disclosures without patient consent. Overall, he emphasized the importance of meaningful standards, procedures and protections against using records against individuals. Mr. Gellman predicted that the U.S. healthcare system will become a law-enforcement surveillance system because disclosures to law enforcement for fugitives, suspects or witnesses are always authorized under HIPAA.
Robert C. Williamson
Mr. Williamson explained the DEA’s involvement in healthcare oversight and what a DEA Diversion Investigator does. He discussed ways in which HIPAA has influenced and impacted the DEA, calling HIPAA a confusing law that would be helped by outreach at the DEA.
HIPAA has created a reluctance to provide DEA Diversion Investigators with records that they have a right to under the law without some sort of paperwork, he reported. Mr. Williamson described prescription monitoring programs that function in 20 states and expressed concern as to whether pharmacies participating in these programs are violating HIPAA. He also discussed prescribing physicians’ growing fear and confusion about DEA and HIPAA rules.
Mr. Calabrese expressed the ACLU’s position that access to a patient’s medical records should require government agents to have judicial approval and a meaningful probable-cause standard. He emphasized that it is important to balance the interests of individual rights with those of law enforcement. Once records are computerized, searches change from an individual working with paper to comprehensive searches run by either a doctor’s office or law enforcement on a database of private, law-abiding citizens. He described an existing program that reports suspicious patient information to the FBI without notification to the patients. He concluded that, at a minimum, HIPAA regulation of law enforcement must be strengthened.
Ms. Serkes stated that APS is particularly concerned about administrative request processes. APS is not seeing decreased drug diversion in states with prescription monitoring programs. She observed the movement toward a surveillance society and noted that physicians are choosing to stop prescribing controlled substances or are requiring patients to disclose authorizations.
Panel 4: Schools – Panel 1
Ms. Dozier discussed the ways in which the HIPAA Privacy Rule and FERPA impact public health, noting that records protected by FERPA are excluded from the definition of PHI in HIPAA. She described the difficulties for public health caused by the fact that FERPA does not permit disclosure of PHI to public health authorities without the consent or authorization of the individual, but HIPAA does. Ms. Dozier reported that HHS and the Department of Education are working together to resolve this data-sharing dilemma. They will study these issues and within 18 months submit a report to Congress describing the challenges to obtaining education records for public health purposes and how these challenges can be overcome. The report will also include specific qualitative and quantitative justifications for any recommendations for changes including changes to FERPA.
Jane W. McGrath, M.D.
Dr. McGrath reported that real-world problems are created by the lack of clarity as to whether privacy requirements of HIPAA apply to health information in schools and what is allowable under current HIPAA and FERPA regulations. These problems include schools’ inability to obtain required immunization or student treatment information. She made three proposals: personally identifiable student health information should be protected in schools in the same manner that it is elsewhere; school and community health providers should be able to communicate directly concerning treatment and immunization records; and lastly, more stringent school privacy standards should be implemented to protect a student’s private health information.
Ms. Campbell offered the Department of Education perspective on the intersection of FERPA and HIPAA. FERPA generally prevents disclosure of students’ education records or personally identifiable information contained in education records without the written consent of the parent. When a student turns 18 or attends college, FERPA rights transfer from the parent to the student. The education record is broadly defined as all records, files, documents and other materials which contain information directly related to a student and are maintained by the school or the person acting for the school. She noted that there are no general exceptions to FERPA’s Prior-Consent Rule that permit a school to disclose records to a state health agency or to researchers, but information that is not personally identifiable may be disclosed.
Laura Manley Knoblauch
Ms. Knoblauch discussed the difficulties experienced by college and university health services in their efforts to comply with the privacy rules of HIPAA, FERPA and state laws. Student records maintained and accessed solely by the provider are governed by state law. Student records released for any reason are governed by FERPA. Non-student records are governed by HIPAA. This impacts who may receive records (FERPA allows professors but not healthcare providers) and decisions by health services about serving students and non-students. Ms. Knoblauch requested a workgroup to resolve the implementation issues of HIPAA in college and university health centers. ACHA believes this will require changes in both FERPA and HIPAA.
Panel 5: Schools – Panel 2
Mr. Hutton asserted that schools take their privacy responsibilities seriously but confusion over HIPAA vs. FERPA is extensive. Clarity is particularly requested regarding the HIPAA implications for schools of the education records exception for FERPA, and also regarding Medicaid billing by schools. Schools are struggling with issues of who is the covered entity and the implications of who employs the school nurse. FAQs on privacy are eagerly anticipated by school officials. He reported that many K-12 people would like as broad a FERPA exception to HIPAA as possible rather than trying to work with a new and unknown system. He urged the committee not to apply another layer of federal regulation since schools are already coping with the requirements of No Child Left Behind.
Ms. Schwab focused on the significant negative impacts of the HIPAA Privacy Rule on school attendance; student safety, health and learning; parent-school-physician communication; and the resources of families. ASHA believes the problems are caused by misinterpretation of the regulations and inadequate guidance, not the regulations themselves. Ms. Schwab pointed out that FERPA was enacted before children with significant physical, developmental, behavioral and mental-health problems attended school. She suggested four steps to remove the artificial barriers to school attendance created by paperwork and misunderstanding. She also described how providers’ interpretations of HIPAA have shut off physician-school communications, leaving schools unable to provide necessary treatments.
Martha Dewey Bergren, D.N.S., R.N.
Ms. Bergren reported that since HIPAA, school children have suffered and parents been overburdened as a result of misconceptions about communication of PHI with schools and refusal of HIPAA-covered entities to communicate directly with school nurses. She added that providers have implemented more restrictive policies than required by HIPAA, which they admit has greatly decreased their time and workload. Ms. Bergren stated that FERPA does not provide guidance to schools on how to protect family and student privacy, nor does it mandate confidentiality training. She recommended a stronger, clearer directive to providers that HIPAA not interfere with the provision of care regardless of the setting.
With regard to banking, the Subcommittee identified several issues needing further resolution to be included in a letter. First, clarification is necessary as to whether under section 1179 banks are business associates, clearinghouses, or neither. Second, if banks are business associates or clearinghouses, there is concern about whether or not they are currently meeting their obligations under the Privacy Rule. Most importantly, testimony indicated that PHI is embedded in banking transactions but is not necessary for many banking functions, although banks desire it to provide value-added services. The Subcommittee did not hear any testimony of misuse of PHI by the banking industry.
Four sensitive and complex law enforcement issues were identified by the Subcommittee and will be recommended for exploration at the department or inter-department level. These issues are: administrative requests under section 512(f) of the Privacy Rule have very few requirements or restrictions; state and local officials may enact wide-ranging laws requiring the collection, disclosure and release of many types of records; there do not appear to be guidelines directing what a covered entity can and cannot do with regard to the problem of doctor shopping; and finally, the disclosure laws connected with prescription monitoring programs in about 20 states are potentially over-broad.
In discussion of issues relating to schools and HIPAA, the Subcommittee determined that it would write a letter identifying the intersection between HIPAA and FERPA as a source of conflict for schools. The Subcommittee discussed ways to communicate OCR’s clear information on HIPAA issues to all parties involved in school medical concerns. Particular emphasis was given to reaching providers about sharing information with schools, and the authority conveyed by OCR approval of materials was noted. Letters requesting written testimony will be sent to several provider groups to add insight into this issue.
Mr. Rothstein introduced the second in a series of hearings on implementation issues under the HIPAA Privacy Rule. The hearings are to consider whether the Privacy Rule strikes the appropriate balance between health privacy and other important concerns to determine whether there are practical problems or unintended consequences that have arisen as a result of the Privacy Rule and to identify any areas in which additional clarification, education or outreach efforts are needed to facilitate compliance. The five panels addressed the Privacy Rule’s impact on banking, law enforcement and schools.
Panel 1: Banking – Panel 1
Kepa Zubeldia, M.D., Claredi Corporation
As a former member of the subcommittee, Dr. Zubeldia helped to frame the banking issues: whether financial institutions should be defined as clearinghouses or business associates under HIPAA, and whether protected health information (PHI) is sufficiently secure as it passes through the banking system and healthcare payment chain.
Clearinghouses are defined by HIPAA based on the functions performed, Dr. Zubeldia reported. The functions include information coming from one entity to another and conversion of the format and/or the data content of the transactions from standard into non-standard. Clearinghouses can also provide value-added functions including reports, patient statements, tracking services, accounts-receivable management and collections.
Dr. Zubeldia described in detail the structure of two financial transactions under HIPAA, the 820 and the 835, and other banking transactions that may be involved in HIPAA transactions. He outlined the different ways in which the transactions can be delivered so that they do or do not contain PHI, noting that any form of remittance advice contains PHI. He observed that, although banks handle PHI in payment processing, they do not convert the information and therefore may not be a clearinghouse, a conclusion supported by a banking industry task force study. When banks provide additional services, they may perform the data-format or data-content conversion necessary to be considered HIPAA clearinghouses.
In determining whether a bank is a business associate, Dr. Zubeldia noted that the preamble of the Privacy Final Rule clearly says that financial institutions are not considered to be business associates. However, the banking industry task force determined that banks providing service to the healthcare industry can be business associates of health plans and providers. Dr. Zubeldia observed that banks have a long tradition of protecting confidential financial information and have security practices that meet or exceed many HIPAA requirements.
Financial activities are excluded from HIPAA in Section 1179, which means that a covered entity may disclose PHI to financial institutions for purposes of payment. Once PHI is properly disclosed in this way, it is no longer protected under HIPAA but by banking regulations.
Dr. Zubeldia raised the issue of whether banking regulation under Gramm-Leach-Bliley protects information collected about individuals who are not customers of the financial institution. This could become an issue in routine payments when the patient is not a customer of the provider’s bank. It could also arise with lock-box services: their paper data streams may or may not be considered PHI and their business associate contracts with providers may not contain minimum necessary clauses. Accounts receivable may expose PHI if used as collateral for a loan, and health or medical savings accounts require evaluation of claims and detailed documentation. Finally, rural banks are often low-privacy environments with unclear provider responsibilities.
In closing, Dr. Zubeldia noted that insurance creates further issues because business associate relationships may not exist but claims include fully identifiable health information.
Joy Pritts, J.D., Assistant Research Professor, Georgetown University Health Policy Institute
A 2000 survey showed that 95 percent of adult Americans do not want banks to have access to their medical record information without their permission, Ms. Pritts reported. She identified three existing laws and regulations that attempt to protect PHI as it flows through the system: HIPAA, the Gramm-Leach-Bliley Act (GLBA), and the Fair and Accurate Credit Transactions Act (FACT Act). Both HIPAA and GLBA encourage the creation of information networks but for different purposes. HIPAA’s National Health Information Infrastructure will share health information electronically between payers, providers, patients and many intermediaries including banks. GLBA encourages banks and financial institutions to share information for one-stop financial shopping.
Banks are in an ideal position to make this system work very well, Ms. Pritts stated, but they will have increased access to identifiable health information, which will at some point have a unique health identifier, making it very easily associated with a particular individual.
Ms. Pritts reported public concern for protection of health information because financial institutions have a potential incentive for using this information and individuals are concerned about discrimination. She reported that banks do convert remittance advice from HIPAA standard format into human readable form, which may qualify banks to be covered by HIPAA.
She addressed whether other laws adequately protect the medical information that banks process.
The privacy provisions in GLBA establish limits on sharing consumer and customer financial information, which may contain medical information. GLBA does impose some restrictions on how a bank can share that information with others, including notice and opt-out provisions. It does not prohibit banks from using consumer payment information or using or sharing information from commercial transactions.
The FACT Act prohibits banks and other creditors from obtaining and using medical information for consumer-credit decision purposes, Ms. Pritts explained, except to protect legitimate operational transactional risk, consumer and other needs. The limits on sharing medical information under this act are not clear and this is a potential problem. It appears to permit banks to share medical information with affiliates for any purpose that is either permitted without authorization under the Privacy Rule or that is referred to under Section 1179.
If banks are fully exempt under Section 1179, Ms. Pritts concluded, then the medical information that they receive is not fully protected by other laws and could be used other than for credit. There are also intermediaries whose role is not defined handling medical information.
John Casillas, The Medical Banking Project
Mr. Casillas defined medical banking for the Subcommittee as the convergence of banking infrastructure with healthcare administrative operations, or “utilizing bank IT and know-how to manage medical transactions.” He stated that in this situation, data with PHI can flow between the two structures.
Mr. Casillas said that banks are, in fact, providing clearinghouse services such as lock-box specialization that sends the remittance to the provider electronically and compares the remittance with the original claim. Eligibility and claims processing are emerging areas for banks. Most claim functions can be automated, leading to savings of about $10 per transaction, which can save the provider industry $35 billion. He stated that banks’ decades of investment in administrative and transactional architecture, such as the sophisticated ATM network, can be leveraged by providers to move forward into a national health-information infrastructure.
Mr. Casillas envisions specialized outsourcing channels that remove PHI from transactions and move it through specialized banking networks. He added, “There is also the good possibility that banks can take both the payment and the data and move it simply through the ACH network. If that happens, we believe that that should be done under the cloak of privacy, HIPAA privacy.”
Mr. Casillas asserted that to protect their payment franchise, banks need to move data and dollars together through the banking network. Many banks provide accounts-payable services in which the bank takes in remittance information from the health plan and creates the transaction form that is sent through the ACH network. The majority of banks process payments that contain individually identifiable health information.
Section 1179 was not intended to exempt banks, Mr. Casillas asserted. All of the functions in Section 1179 refer to the movement of dollars and not data, indicating that payments, not remittance processing, are exempted.
Bank acquisition of clearinghouses will increase and clearinghouses may change their charters to become banks, he predicted, stating that HIPAA is revolutionizing medical-remittance processing and has energized the medical banking industry.
In evaluating HIPAA loopholes, Mr. Casillas observed that both electronic and paper remittances have PHI and lock-box personnel have access to PHI. When they create HIPAA transactions there is a non-standard to a standard conversion, implying a HIPAA clearinghouse. Another issue is whether an ACH should be considered a clearinghouse or a business associate when it manages the remittance transaction.
Mr. Casillas supports policies that encourage the bank-based healthcare stakeholder in America but listed several special cross-industry issues: the clearinghouse debate, HIPAA gap analysis of the ACH network, healthcare credit practices. In a case of PHI disclosure, he inquired whether a person files a complaint with the OCC or HHS and how it would be followed up.
J. Steven Stone, American Bankers Assoc. and The National Automated Clearinghouse Assoc.
Mr. Stone began by commenting that it is highly unlikely for a clearinghouse to move from a fairly unregulated environment to the highly regulated banking environment. He also noted that 835 transactions very infrequently contain PHI going through the ACH system, relatively few intermediaries are introduced in the straightforward ACH process, and the PHI in these transactions is very difficult to decipher. He provided the Subcommittee with a sample 835.
Representing the direct voice of the banking industry, Mr. Stone made four assertions. First, financial institutions are not trying to avoid HIPAA privacy and security requirements. Second, the ABA and NACHA are unequivocally opposed to data mining ACH or other financial institution records for medical information. Third, only financial institutions are examined regularly for compliance with numerous privacy and security regulations. Finally, a payment is defined as electronic remittance advice with an electronic-funds transfer. As such, it is part of the payments process, and his organization believes banks engaged in the payment processing to be exempt from the HIPAA transactions standards rules under Section 1179.
Mr. Stone stated that the banking industry fully supports the protection of consumers’ private medical information under HIPAA and consumers’ sensitive financial information of any sort.
Banks also expect that financial institutions with access to PHI will be business associates under HIPAA. The Banking Industry Task Force developed a privacy checklist for financial institutions that are or that will be business associates to coordinate with their GLBA privacy.
There is no evidence of strong interest in data mining of personal health information by financial institutions, Mr. Stone noted. He pointed out that financial institutions are regularly examined for compliance with GLBA privacy provisions and are subject to the highest standards of information security. NACHA’s rules require regular auditing of ACH departments. Effective June 2004, the FACT Act prohibits creditors from obtaining or using consumers’ medical information when making a determination of eligibility for credit.
Mr. Stone stated that in Section 1179, an entity that engages in the activities of a financial institution is exempt from the HIPAA Transaction, Privacy and Security Rules. The OCC determined that transmitting patient treatment information between insurers and providers was “incidental to the business of banking” under the National Bank Act.
Payment has to be accompanied by remittance information, and the more complex the relationship between the parties, the more remittance information is needed for the payment to take place. A funds transfer without explanation does not constitute a payment because the receiving party cannot apply it.
Mr. Stone acknowledged that financial institutions offering services such as eligibility testing and claims submission would be subject to applicable HIPAA clearinghouse regulations.
Mr. Stone explained that it would not be good for banks to be included in the HIPAA law because it would cause difficulties in reconciling regulatory oversight responsibility for financial institutions. He stated that there are areas in the requirements for clearinghouses that a bank may not be able to honor while fulfilling its other fiduciary responsibilities as a bank.
Mr. Rothstein asked if banks that do function as clearinghouses comply with all of the requirements that apply to covered entities or whether they execute business-associate agreements. Mr. Stone said that his organization strongly recommends business-associate agreements when financial institutions are engaged in healthcare processing. He stated that they have drafted language to help clarify the commitments of being a business associate.
Dr. Zubeldia added that a bank acquiring a clearinghouse may separate the two in an arms-length relationship with the full HIPAA protections required of a clearinghouse. Mr. Casillas reported that banks are executing and signing business-associate contracts when asked to do so.
In response to Mr. Rothstein, Ms. Pritts said she was not aware of any incidents of banks misusing medical-record information. She noted that perception can be almost as important as reality and that people react strongly to their medical information being made available to anyone who is in a position to make important decisions about their life. She added that most people do not know that banks may be in a position in the future to be processing health claims.
Ms. Pritts stated that there is significant indication that 1179 was intended to address consumer-oriented transactions and that transactions by financial institutions would be subject to HIPAA.
Mr. Casillas stated that privacy issues center on the remittance portion, so consumer-conducted financial transactions could be exempted from 1179. Mr. Stone asserted that strict interpretation does not limit banks in their ability to process payments under HIPAA and payment processing should be excluded from the regulation. Any change would require modification of HIPAA or amendment of Section 1179.
Two original drafters of 1179, Dr. Braithwaite and Mr. Gilligan, testified regarding intent.
Dr. Braithwaite stated that the intent was to exclude check or credit card consumer payments, from the standards being set by HIPAA, not to exclude anyone else for any other purpose. Mr. Gilligan pointed out that the language refers to an individual using the credit card system, making clear that this was consumer personal use of the payment system. Both men agreed that 1179 was intended to be for individual credit transactions.
In response to Mr. Houston’s request for suggested changes or recommendations, Dr. Zubeldia proposed a Subcommittee recommendation to providers and payers that they consider the financial system as potentially not in accordance with the spirit of HIPAA privacy, and perhaps require business-associate agreements to protect privacy. He stated that the banking industry and payment chain can function with less PHI, that PHI is only needed for value-added services.
Dr. Zubeldia confirmed Mr. Houston’s statement that banks could be business associates, even if they perform functions that could be characterized as clearinghouse functions, adding that guidance to providers and payers about business associate contracts would be appropriate.
Mr. Casillas reported that state laws to cover perceived loopholes in HIPAA are very uneven, adding that when a receivable is sold or held, the transferring of that receivable would not be allowed under some state regulations.
Panel 2: Banking – Panel 2
Tom Dean, Advanced Financial Solutions, Medical Banking Exchange
Mr. Dean’s intent was to help the Subcommittee understand the growing role that banks are playing in the remittance administrative process and how it can be simplified or automated.
Only banks can transfer and settle payments and handle the attached remittance data, Mr. Dean stated. Even if PHI and the payment were separated, they must be reconciled and banks are the only entities that could do that effectively. He noted that banks are performing HIPAA-defined clearinghouse functions of transferring and formatting information for provider customers.
Mr. Dean feels that banks will begin to provide the service of matching electronic claim data with electronic remittance data and reporting the results to providers. He said he was an advocate for leveraging bank infrastructure to help providers and believes that banks will suggest providers process claims as well as remittances through banks. He sees a movement toward real-time claim processing and payment in the doctors’ offices, which will require payers to submit back remittance data in a format that can be automatically entered into a provider systems. There are now small point-of-sale devices being distributed by banks that include eligibility checks and claims, he added.
Banks’ increased involvement in claims processing will help them accurately value receivables and more readily make loans to providers, Mr. Dean noted. This will involve modeling the real value of claims over time, with data warehousing, mining, and even sharing data between banks. He stated that this creates opportunity for doctors to invest in technology, which will help the country experience the tremendous savings of administrative simplification. He added that private health information issues must be addressed, especially related to the sharing of private health information.
Mr. Dean advocated that the medical community leverage the infrastructure that exists in the banking community and take advantage of banks’ investments in high-speed transaction processes and databases. He also emphasized that healthcare is local and that local banks exist everywhere healthcare is dispensed.
Anna Slomovic, Ph.D., Electronic Privacy Information Center (EPIC)
Dr. Slomovic’s organization believes that privacy protections for banks’ handling and transmission of PHI are inadequate and that banks handling PHI in premium payment transactions and remittance advice should be covered healthcare clearinghouses. She proposed that PHI should be further encrypted to prevent access via the ACH network.
Business associate agreements do not provide the same level of protection for health information as covered entity status, Dr. Slomovic asserted, pointing out that business associates must comply with the Privacy Rule only to the extent of their agreements. When banks are business associates, a situation could occur in which different uses and disclosures apply to the same transaction at the originating end and on the receiving end.
Dr. Slomovic reported that the business associate contract does not provide recourse for individuals who believe their privacy has been violated, because they are not party to the contract. As business associates, banks would not be subject to oversight by the Office for Civil Rights and would be exempt from civil and criminal penalties under the Privacy Rule.
The preamble to the 2000 Privacy Rule clearly requires additional encryption of PHI as it moves through the ACH system, Dr. Slomovic stated. Without additional encryption, large amounts of PHI could be subject to abuse such as data mining for marketing and credit evaluation.
Dr. Slomovic raised the issues of network security breaches and transactions being captured and stored in the intermediary nodes of the ACH network. Fraudulent activity on the ACH network is increasing as criminals become more familiar with that and all networks. She noted that banks would be obligated under the Privacy and Security Rules to inform their covered-entity clients about inappropriate uses and disclosures of PHI, including network security breaches.
As transactions go through the ACH network they are captured and stored in intermediary nodes, Dr. Slomovic reported. This is necessary to trace network problems and verify transaction integrity. The PHI in stored transactions will not be protected by the Privacy Rule. She stated that additional encryption is the only solution that would protect this PHI.
Dr. Slomovic asked the Subcommittee to recommend that the OCR and officials with responsibility for HIPAA transactions and codes work with banking regulators to address the applicability of HIPAA to banks and the permissibility of sending PHI through the ACH network without additional encryption. She also asked the Subcommittee to recommend that the OCR work with banking regulators and the National Credit Union Association to ensure that the rules promulgated under the FACT Act are consistent with the HIPAA Privacy Rule and provide an appropriate level of protection to PHI once it enters the banking system.
Thomas J. Gilligan, Assoc. for Electronic Health Care Transactions (AFEHCT)
Mr. Gilligan introduced AFEHCT as a healthcare IT vendor-industry advocacy group that is interested in the privacy of PHI and a level, competitive playing field for processing and transmitting of the information.
The language of Section 1179 makes it clear that the exemption applies to consumer and not corporate transactions, Mr. Gilligan stated. He warned that the American Bankers Association’s (ABA’s) position would exempt banks from having to apply HIPAA privacy protections to PHI in many situations in which they take physical possession of the PHI and then do their own analysis of it.
Mr. Gilligan explained that the definition of the term payment in the HIPAA regulations is very broad, including claims, utilization review, and other things not necessarily thought to be part of the payment process. He asked whether the term claims activities could be construed so broadly as to include payment and remittance advice.
Financial institutions can process check payments and remittance advice without becoming a HIPAA clearinghouse, Mr. Gilligan observed. It is when they translate the data or the format they become subject to the definition of a HIPAA clearinghouse. He reported that the preamble to the final rule says that the payment and remittance advice are part of the payment process, but noted that the two transactions are separable.
Mr. Gilligan opposed the ABA’s argument that HHS could not have intended to include financial institutions in HIPAA. He asserted that the definition of a clearinghouse lays out a set of functions, and if you perform those functions, you are a clearinghouse. Much of the privacy regulation is set up the same way, he stated. If you receive information from a private entity and do certain things with it, you are designated as a covered entity.
Mr. Gilligan suggested that the best way to handle this might be to ask the banks to lay out the specifics of their problems and then deal with those specifics in the privacy regulations.
In listing unintended consequences of HIPAA, Mr. Dean reported that banks in small communities are unsure what business associate agreements they need to have to help providers with the information that might come in an ACH. Medium-sized banks are not helping providers and payers to facilitate these transactions because they do not understand the nature of what they have to do or how they will be regulated in a business associate agreement or if they are a covered entity. He feels it would be helpful if banking regulators adopted common standards that eliminate HIPAA conflicts for facilitating payment and handling remittance data.
Dr. Slomovic observed that the vast majority of people have no idea what happens to their health information, that PHI could go to medical transcription companies, billing companies or mailing houses under business associate agreements. She feels that the Privacy Rule has institutionalized the current system and does not add transparency from the consumer’s point of view, despite the notice provisions. She stated that encryption would prevent a system that can be compromised both from the inside and from the outside.
Mr. Gilligan interjected that the risk of data interception is remote and that encryption of data that is going from point to point is not currently required. There are no examples where that data has been intercepted, he stated, and said that it would be easier to get data by bribery.
Mr. Stone added that HHS dropped the encryption requirement from the final Rule, acknowledging that the ACH system in no way resembles an open network like the Internet. He pointed out that non-encrypted transactions cannot be easily read or interpreted and that there has never been a reported incident of a breach of network security in the ACH system.
Confidentiality of information is an ACH requirement, Mr. Stone replied to Mr. Houston. Mr. Gilligan stated that an additional layer of encryption would multiply the needed resources by five to seven times, and conceded that no study has been done to determine that cost. Mr. Stone noted that the step not taken is the re-encryption of stored data, which has also not been studied.
Panel 3: Law Enforcement
Robert Gellman, Privacy & Information Policy Consultant
A former subcommittee member, Mr. Gellman explained that he would provide an overview and interpretation of the law-enforcement provisions of the Privacy Rule, and focus on the changes that have resulted from HIPAA. He believes the Privacy Rule has caused many covered entities to establish privacy policies that are stronger than those in HIPAA.
The HIPAA definition of law-enforcement official is extremely broad, encompassing virtually every federal, state and local government agency with the authority to investigate or conduct an inquiry into any potential violation of law. Mr. Gellman identified six subdivisions of 164.512(f) that allow law-enforcement disclosures without patient consent.
In the first subdivision, administrative requests—including administrative subpoenas, civil investigations, investigative demands, “or virtually anything else,” according to Mr. Gellman—can be made without a subpoena, a written request, or approval by a supervisor of the law enforcement official making the request. “The Rule, I don’t believe, has any meaningful standards, and there are no procedures at all,” he said.
The second category relates to identification and location of a suspect, fugitive, material witness or missing person. Mr. Gellman felt that the limits are good but no administrative process is required and more could be done to strike a balance and allow for emergency conditions.
Information about the victim of a crime is the subject of the third category. In order to make disclosures without consent, law enforcement has to represent that the information is not intended to be used against the victim and that a delay would materially and adversely affect their activity, Mr. Gellman reported. It says expressly that it must be determined by professional judgment, meaning by a physician or other medical professional, that the disclosure is in the best interests of the patient.
The limitation on whether information can be used against the victim is absent in the rest of the rule, Mr. Gellman noted. The third category also illustrates that disclosures can be regulated based on the presence of emergency situations. Finally, it illustrates that medical judgment can override law-enforcement requests. He emphasized that the entire law-enforcement section is discretionary.
Mr. Gellman approved of the fourth, fifth and sixth provisions and noted that there are other non-consensual disclosure provisions that give law enforcement access to records and emphasized the need to carefully evaluate any law-enforcement provision in context.
Describing how law-enforcement officials can obtain records easily by reviewing HIPAA and finding the provision that is the easiest, Mr. Gellman commented, “I think that this gives law enforcement too many bites at the apple.”
Mr. Gellman also discussed Executive Order 13181, which recognizes that health-oversight investigators may uncover unrelated information about wrongdoing and requires review and approval from the deputy attorney general before information can be used against the patient.
The formal procedure and a requirement for an annual report are the most important things in the Executive Order, he stated. However, the Order does not allow for appeal and it grants the Attorney General unlimited access to every healthcare record in the country for health investigations, period, with no limit. Mr. Gellman feels that this is why other protections against using records against individuals are so important.
Mr. Gellman predicts that the U.S. healthcare system will become a law-enforcement surveillance system because disclosures to law enforcement for fugitives or suspects or witnesses are always authorized under HIPAA.
Robert C. Williamson, Drug Enforcement Administration (DEA)
Within the DEA, Diversion Investigators enforce federal laws and regulations that pertain to the legal use of controlled substances, Mr. Williamson explained. He noted that many of the records Diversion Investigators would wish to see are required under the statute to be maintained and accessible to the DEA, and that the DEA culture and methods are relevant.
Any person or organization intending to use a controlled substance in a legitimate way must register with the DEA. Pharmacists and doctors who dispense drugs are required by law to keep records for the DEA of prescriptions for controlled substances. Regarding access to the records, Mr. Williamson said that Diversion Investigators do audit registrants to make sure they can account for the drugs they have ordered and dispensed.
Although these are not presented as law-enforcement activities, Mr. Williamson noted that they are the sources of evidence for regulatory investigations that could result in a letter of admonition to the registrant or revocation of their DEA number. The registrant has a right to a hearing before an administrative law judge. If situations become criminal investigations, the DEA works with other agencies.
Diversion Investigators have found HIPAA to be a confusing law that would be helped by outreach at the DEA, Mr. Williamson said. He reported that the DEA was unsuccessful in its efforts to have the Diversion Program listed in the health-oversight category rather than the law-enforcement category. It needs to operate within both categories, he stated, but Diversion Investigators are generally treated as law-enforcement officers. They use administrative subpoenas to access the needed records to which they are entitled, such as prescriptions in a pharmacy. The subpoenas can be challenged and are not causing the DEA to lose investigations. HIPAA has created a reluctance to provide Diversion Investigators with these records without some sort of paperwork, which the DEA can and does provide, Mr. Williamson said.
Mr. Williamson described how HIPAA has impacted the prescription monitoring programs that the DEA encourages state governments to adopt and that exist in about 20 states. In these programs, pharmacies transmit certain data elements to a state agency whenever a prescription is filled for a controlled substance. The agency evaluates the information to find patients that are doctor shopping—going to more than one physician—and to evaluate physicians’ prescribing practices. He observed that abuse of certain substances seems to be less in states with these programs. There has been concern as to whether pharmacies participating in these programs are violating a HIPAA rule by giving information to a state agency. He is concerned that DEA is advocating programs that might be prohibited.
On the physician side, Mr. Williamson explained, growing numbers of doctors treat pain aggressively and so may be contacted by the DEA. He stated that a path must be cleared for them and approval given, that they strive to avoid trouble with the DEA or the Medical Board. He described the confusion of a physician caught between rules of patient privacy and requirements to report a suspicious prescription situation and observed, “I don’t think that this law was intended to harm well-meaning health care professionals that want to do the right thing.”
Mr. Williamson concluded by expressing that there is a great need for more outreach to address the many unresolved questions and noted that the DEA is really trying to work with HIPAA.
Christopher Calabrese, American Civil Liberties Union
The law-enforcement exemptions under HIPAA that appear to establish limits on law-enforcement access are illusory, Mr. Calabrese stated. The ACLU believes that government agents should have to obtain judicial approval and have a meaningful probable-cause standard before they are granted access to a patient’s medical records.
He noted that warrants are required if medical records are in a home and must state why the records are wanted. He advocated that the same standard be in place for doctors and insurance companies. Mr. Calabrese acknowledged that law enforcement will at times have a compelling need to access these records, but emphasized the importance of balancing individual rights with the interests of law enforcement.
The ACLU has six areas of objection to the regulations. First, there is no meaningful requirement of judicial review. Second, even when judicial review is sought, the standard falls short of the traditional probable-cause standard. Third, the regulations do not require notice to individuals whose records are about to be searched. Fourth, the exemptions are over-broad, allowing release of patient information any time police are trying to identify a suspect or fugitive. Mr. Calabrese’s fifth objection is the regulations’ blanket intelligence and national-security exceptions to the very minimal procedural requirements, giving unnecessary and inappropriate carte-blanche authority to law enforcement. The final concern is that evidence obtained in violation of the legal standard of regulation should be inadmissible at trial.
Mr. Calabrese emphasized that, once records are computerized, searches change from an individual working with paper to searches run by doctors’ offices or law enforcement on databases of private, law-abiding citizens.
Mr. Calabrese then illustrated how “this lack of appropriate privacy controls leads to disturbing and dangerous results.” The Strategic Medical Intelligence (SMI) unit is a group of volunteer doctors in Pittsburgh, Pa., that serves as a conduit between local doctors and the FBI. Their stated goal is to act as an early-warning system for bioterrorism.
Local doctors notify the SMI when they encounter a suspicious event, a term that Mr. Calabrese pointed out is completely undefined. The SMI team determines if the event is a potential terrorism event and refers such events to the FBI. The SMI receives one to two referrals a week and has forwarded the individually identifiable information of at least three people to the FBI. Patients may or may not be told that their medical information is being forwarded. He concluded that an individual who knows that a doctor visit may trigger an investigation by the FBI is less likely to go to the doctor whether they are guilty or innocent.
There is a complete lack of standards in this program, it dramatically increases reporting and it turns doctors into government informants, Mr. Calabrese stated. It is unnecessary because this same type of information could be compiled in a de-individualized manner.
In closing, Mr. Calabrese stated that at minimum, HIPAA regulations must be strengthened. Medical records should only be released in the face of a warrant or a court order with notice asserting that the police have probable cause to believe that the requested records contained evidence of a crime. “The current HIPAA regulations assure that the flimsiest security rationale trumps personal privacy. That harms patients, doctors and public health,” he concluded.
There is inadequate guidance regarding patients going to multiple doctors to get prescription drugs, Mr. Houston stated. He asked what the panelists see as the balance of patient privacy versus patient safety and what is appropriate in terms of reporting in order to ensure that that patient isn’t abusing medications.
Mr. Calabrese noted that hospitals and doctors obscure real problems because of bureaucratic confusion over what to release. He blamed the fact that the regulations are over-broad and advocated specific exemptions instead.
Mr. Williamson observed that the prosecution of doctor-shopping cases requires evidence that the suspect was going to multiple doctors. He feels that HIPAA is the place to spell out the exemptions and facilitate police officers’ carrying out simple investigations.
Prescription monitoring programs raise some clear privacy issues, Mr. Rothstein stated. Physicians have a disincentive to prescribe, knowing the system is now monitoring prescriptions for painkillers. Individuals may also be reluctant to seek medication, knowing that they are automatically being put in the system. He encouraged exploring alternatives to balance the legitimate interest in preventing doctor shopping while protecting both physicians and patients.
Mr. Williamson reported that the monitoring programs are not uniform among the states and noted that the programs help physicians find out where their problem patients are. In every state, he reported, privacy issues are debated in the state legislatures and law enforcement has access to the programs. The DEA has discussed a national program but likes the state programs that are tailored to a state’s drug-abuse situation. He noted that they want to make sure the programs can communicate with each other across state lines.
HIPAA already says information believed to constitute evidence of criminal conduct on the premises of a covered entity can be disclosed to law enforcement, Mr. Gellman stated. He does not feel this is a complete solution or easy to apply. He also believes there should be better disclosure such as signs or notices if physicians are going to “rat on their patients to the cops.”
Mr. Gellman observed that if information is being collected for a specific, limited purpose, rules should be in place that it will be used only for that purpose and discarded after a suitable period of time. He felt that this is more important than having a quasi-anonymization process.
Concerned that every prescription in Kentucky goes not only to the health department, but to the contractor of the health department, the unknown IT person who looks for matches and patterns, and state law-enforcement, Mr. Rothstein commented, “We are paying a tremendous civil-liberties price for I’m not sure how much payoff.” Mr. Calabrese felt this comment perfectly stated the civil liberties concerns, adding that collected information seems never to get thrown away and is rarely used only for what it was collected.
Mr. Houston added that while he feels a paperless environment and comprehensive patient data are vital for improving quality of care, he does have concerns. Mr. Calabrese agreed that information is a lynchpin to providing quality health care, and feels this underscores why better protections are needed. He stated that this collected information becomes a magnet for law-enforcement investigations but is not protected by adequate probable-cause standards.
Federal lawmakers are almost forced to come to a general standard of saying “required by law” and letting the political process in the states deal with details, Mr. Gellman commented. Mr. Calabrese added that the ACLU is most concerned about making federal standards stiffer, rather than small ways states can improve them.
It is not practical in all cases nor would it be politically possible to require warrants for records, Mr. Gellman noted. He suggested that administrative requests require a written request to the institution from the law-enforcement agency, signed by a supervisor of the agent making the request. He also recommended requiring evidence that the information is really needed. He proposed that the Subcommittee clarify the rule to covered entities, notifying them that they are not required to turn over information. He suggested that covered entities have an internal procedure requiring approval of a supervisory official within the medical facility before information is turned over to law enforcement.
Mr. Williamson expressed that having to go to a judge to obtain routine information would be inefficient, very expensive and problematic. He stated that police evidence should not be required to obtain information because if there is evidence, the person could already be indicted on a reasonable suspicion.
Mr. Houston observed that the Subcommittee is still missing perspectives on this subject, despite extensive but unsuccessful efforts to get additional law enforcement witnesses. Mr. Rothstein remarked that their input is needed and can be solicited for any recommendations that would affect their interests.
Kathryn Serkes, Association of American Physicians and Surgeons
APS is particularly concerned about administrative requests, administrative subpoenas, and grand-jury subpoenas, Ms. Serkes stated. Physicians are subject to state licensing, and because of fraud investigations, subject to administrative investigations and reviews.
Ms. Serkes recounted a case in which the administrative process was invoked in a law-enforcement environment. The DEA attended a medical licensure board administrative hearing of a physician, then used the information without the knowledge or consent of that physician or her attorney. The physician had no legal representation because it was an administrative proceeding. This physician was cited for not reporting an anonymous call accusing a patient of diverting controlled substances. Ms. Serkes stated that APS does not think an anonymous phone call should compel a physician to report patient medical records.
Kentucky is considered the gold standard for prescription drug monitoring programs, Ms. Serkes noted, yet the state continues to have one of the biggest problems in drug diversions. APS is not seeing the correlation between the reporting and clamping down on the true diversion.
She observed the movement toward a surveillance society and asserted that people have given up part of their privacy rights in exchange for receiving prescriptions. Ms. Serkes stated that many physicians are choosing to stop prescribing controlled substances because of requirements to document and reveal patient records. She described the other extreme, in which pain specialists have patients sign contracts authorizing disclosure of their records to anyone the doctor sees fit.
Ms. Serkes described an APS packet of HIPAA facts that drew 40,000 requests for posters that read, “You have the right to remain silent in this office, because what you say may be used against you.”
Panel 4: Schools – Panel 1
Beverly Dozier, CDC, Health Information Privacy Office
Ms. Dozier discussed implications and impact on public health of the nexus between the Privacy Rule and the Family Educational Rights and Privacy Act of 1974 (FERPA). She noted that records protected by FERPA are excluded from the definition of PHI in HIPAA. Therefore, even if information contained in an educational record is health related, FERPA and not HIPAA governs the privacy of those records.
The HIPAA Privacy Rule permits covered entities to provide PHI to public-health authorities, such as the CDC, without the consent or authorization of the individual. FERPA, however, does not generally allow schools to share health information in education records with a public-health authority without parental consent, Ms. Dozier stated. Public health authorities may share the data they collect with healthcare providers and schools, if needed.
Ms. Dozier observed that for some nationwide health surveillance projects, public health authorities believe that accurate data could not be obtained if consent or authorization were required, especially for conditions in children. When a school runs a health clinic, she noted, there is confusion as to whether FERPA or HIPAA protects the health information. Some of the childhood conditions CDC tracks, such as autism and ADHD, are often only identified in the school. The results and conclusions of in-school tests are protected by FERPA and are seldom ascertained in the clinical setting.
The CDC is allowed until next year to access educational records in five metropolitan Atlanta counties, Ms. Dozier reported. For 40 percent of the children identified with autism, information was found only at the school sources, which provided a great deal of unique information on the features of the children’s disabilities.
“It is vitally important to the health of the nation’s children that public health authorities and educational institutions work together to identify the incidence of childhood conditions and find effective interventions and preventions,” Ms. Dozier asserted.
She pointed out that the recent Birth Defects and Developmental Disabilities Prevention Act is an opportunity for HHS and the Department of Education (ED) to work together to resolve this data-sharing dilemma. Within 18 months, HHS and ED will submit a report to Congress describing the challenges to obtaining education records for public-health purposes in the absence of parental or patient consent and how these challenges can be overcome. It will also include specific justifications for recommendations for changes, including changes to FERPA.
Jane W. McGrath, M.D., American Academy of Pediatrics (AAP)
Dr. McGrath described real-world problems that stem from the lack of clarity about whether privacy requirements of HIPAA apply to health information in schools and what is or is not allowable under current HIPAA and FERPA regulations.
Under HIPAA, school nurses may no longer call local health departments or pediatric providers to update students’ immunization information without explicit written parental permission. She noted that authorization is not required of other health professionals for these records.
Another area of concern Dr. McGrath emphasized is the exchange of information related to students’ special-care needs. Because schools are not considered covered entities under HIPAA, the exchange of information with the child’s provider for purposes of treatment is thought to require parental authorization. Many school nurses provide daily care for children with complex medical conditions and it is vital that the school nurse be able to quickly contact a student’s physician if something should go wrong, she asserted. The child suffers when there is a delay.
Obtaining records after a student has been discharged from a mental health facility has been a long-standing problem for schools, said Dr. McGrath. Schools must now depend entirely on parents to provide discharge summaries. When the school nurse is included in discharge planning and receives a summary, consistent follow-up and medication is much more likely.
Schools provide services that are billed to Medicaid and Dr. McGrath believes that the government should clarify schools’ responsibilities under HIPAA. Schools should be encouraged to collaborate with managed-care organizations, community providers and others and should be included to a greater degree in the community network of healthcare.
Dr. McGrath also reported that schools do not adequately protect students’ private health information. Under FERPA, health information need not be separated from a student’s academic record and may be released to an individual who only desires academic information. This compromises a student’s health privacy but does not violate FERPA.
The AAP made three recommendations for the Subcommittee’s consideration. Students’ personally-identifiable health information in schools should be protected in the same manner as such information elsewhere. Second, school health providers and community health providers should be able to communicate directly concerning treatment issues and immunization records. And, lastly, more stringent health privacy standards should be put into place within schools to provide adequate privacy for students’ health information.
Ellen Campbell, Family Policy Compliance Office, U.S. Department of Education
Ms. Campbell reported that FERPA requires written parental consent for disclosure of a student’s education records or personally-identifiable information in education records. The education record includes all records, files, documents and other materials containing information directly related to a student, maintained by a school or its representative.
FERPA encompasses K-12 students’ records pertaining to services provided under IDEA and health records maintained by an educational institution subject to FERPA, including immunization records and records maintained by a school nurse. When a student reaches the age of 18 or attends college, FERPA rights transfer from parent to student.
The preamble to the final Rule states that FERPA and the confidentiality provisions of IDEA protect the privacy of information in education records, Ms. Campbell reported, including health-related information. It reads “We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.”
FERPA does not protect treatment records of college students or those 18 or over, and these are not subject to the HIPAA Privacy Rule. If the records are used for any purpose other than treatment of the student, they become education records under FERPA, Ms. Campbell noted.
Ms. Campbell reviewed FERPA background and explained that FERPA’s Prior-Consent Rule does not permit schools to disclose records to state health agencies or to researchers. FERPA does contain a very limited exception to the Prior-Consent Rule, allowing disclosure of information to appropriate officials for strictly construed health or safety emergencies.
FERPA does not prohibit an educational institution from disclosing non-personally-identifiable information to state health officials or to any other outside entity, Ms. Campbell clarified. Rather, FERPA prohibits the disclosure of personally identifiable information from education records without the consent of parents or students. She also noted that FERPA does not prohibit schools from obtaining written parental consent for disclosure of information to outside entities. She suggested that this could include a broad consent at the beginning of the year for any disclosures to physicians that might need to be made.
Laura Manley Knoblauch, Illinois State Univ. and American College Health Assoc. (ACHA)
Noting that she is a member of the ACHA’s HIPAA Task Force, Ms. Knoblauch discussed the difficulties of college and university health services in their efforts to comply with the privacy rules of HIPAA, FERPA and state laws. Student records maintained and accessed solely by the provider are governed by state law. Student records released for any reason are governed by FERPA. Non-student records are governed by HIPAA.
FERPA allows student health services to release a student medical record to a professor without obtaining the patient’s consent, but the regulation requires patient authorization for release of medical records to a healthcare provider for treatment purposes, Ms. Knoblauch reported. She went on to say, “In my opinion, to consider clinic records maintained by the student health service education records under FERPA, instead of medical records, is absurd and illogical.”
When some university health services implement a HIPAA-only approach for non-student records, student medical records appear to be held at a lesser privacy standard. Legal experts have said that since FERPA is, in some cases, more stringent, it is not an option to comply only with HIPAA and could result in federal funds being withheld from the university. Other university health services have discontinued providing care to non-students, such as spouses, summer camps, visiting scholars, athletic interns, and J-1 Visa Scholars. This decreases healthcare access and services to the campus community.
Ms. Knoblauch reported that representatives of university health services have attempted to contact the Department of Education and/or HHS with questions regarding the HIPAA-FERPA intersection but have received no official response.
Ms. Knoblauch requested that the Subcommittee identify a workgroup from the Department of Education, HHS and ACHA to specifically address HIPAA implementation issues in college and university health centers. ACHA believes changes are required in both FERPA and HIPAA. These might include: adding a FERPA exemption of any medical record created by a university health service, leaving an institution to comply with state law or HIPAA as appropriate; and including in HIPAA’s definition of PHI medical records held by institutions of higher education. She believes these changes would meet the privacy intent while eliminating the dysfunctional intersection of these two regulations.
Mr. Houston asked if, prior to accepting a child, schools could require an authorization granting the nurse access to medical information. Dr. McGrath explained several issues with authorizations: often children use a group of physicians and the form might not apply to all of them, and children starting mid-year or developing a new problem might not have the form on file. Although procedures can be put in place, schools overlook them because they do not see healthcare as their primary responsibility.
Ms. Campbell clarified that FERPA only applies to schools that receive funds from the U.S. Department of Education, so a private school would be subject to HIPAA if it qualified as a covered entity. She added that FERPA does not require schools to create any records or maintain them in a specific fashion. She concurred that medical information could be commingled with academic records, and the protection is the limited access to all the records. Neither does FERPA require training of teachers or school nurses about privacy requirements, but Ms. Campbell added that her office has an aggressive FERPA training program.
Mr. Rothstein asked whether the Dept. of Education could say that medical records should be treated separately from educational records by all schools subject to FERPA. Ms. Campbell stated that she does not believe they have the authority to say that at the lower level.
Dr. Harding asked for more insight on how HIPAA has created complications at the college level and what would help. Ms. Knoblauch expressed the challenge in determining whether records are HIPAA or FERPA for those that see both students and non-students. Sometimes patients are both. “Quite honestly, if all the records were HIPAA, it would make my life simpler,” she said. She noted that state laws are more stringent than HIPAA or FERPA in only a few cases.
If FERPA were eliminated and HIPAA did not apply because there were no electronic transactions, Ms. Knoblauch felt state law would apply. Mr. Houston responded that FERPA was intended to provide a federal framework for the protection of student information, and that the federal government has put regulations in place to protect either health information or student information in all cases.
Since HIPAA, Ms. Dozier said, states that were previously reporting public health conditions to the CDC but do not have state reporting laws felt they were no longer allowed to do so. She identified the problem as educating the state and local health departments.
Mr. Rothstein suggested that services from a nurse to a child, such as injections or medications, qualify under the treatment provisions of HIPAA. He noted that where there is treatment, even performed by a non-covered entity, disclosure of related PHI does not require an authorization.
A growing number of students have mental health treatment outside of school, Dr. McGrath explained, and their return to school requires integration of behavioral supports and medication. Prior to HIPAA, it was possible for a school nurse to receive a discharge summary of a child who had been in a psychiatric hospital or residential treatment that would outline the treatment recommendations, medications and behavioral supports that could help manage that transition. Now the discharge summary can only be given to the parent and it is not always possible for the school nurse to get a copy. Dr. Harding noted that some parents want to hide mental health issues, and Mr. Rothstein added that others legitimately fear stigmatization.
Dr. McGrath reiterated AAP’s recommendation for school nurse involvement for appropriate sharing of information and more stringent privacy rules for health information in schools. She urged the Subcommittee to address what happens to medical records when a child transfers.
Mr. Houston noted that the Subcommittee’s purview is the HIPAA Privacy Rule, not FERPA. Mr. Rothstein added that clarity is needed on the jurisdictional constraints of the statutes to know what can be changed by regulation and by whom, and what needs a statutory amendment.
There is not a federal advisory committee on FERPA and Ms. Campbell knew of no reports dealing with medical records under FERPA. She added that the Dept. of Education worked with HHS to develop Web sites on the intersection, but those are still in clearance in HHS. The Dept. of Education is pursuing its own guidance and will be putting that up on their Web site shortly.
Panel 5: Schools – Panel 2
Thomas Hutton, National School Boards Association
Mr. Hutton asserted that schools take their privacy obligations seriously but there is a great deal of confusion under HIPAA and FERPA. K-12 educators and school attorneys are currently occupied with the challenges of the No Child Left Behind Act, and adding one more federal regulatory approach will be difficult for schools, he reported. FAQs on privacy are eagerly anticipated by school attorneys and other school officials.
Many K-12 people would like as broad a FERPA exception to HIPAA as possible, Mr. Hutton stated, rather than trying to work with a new and unknown system. He asked for clarity in situations when larger districts function as healthcare clearinghouses for Medicaid reimbursement for smaller districts.
Mr. Hutton identified the largest issue as the HIPAA implications for schools of the education-records exception for FERPA. There is a long list of the exceptions to FERPA education records and how HIPAA is involved. He reported that Medicaid billing has led to the most questions. A school nurse may be an employee of the school district or a county department of health, he observed, and asked if this has implications for which entity has HIPAA obligations. He noted that drug and alcohol testing is another issue.
Local communities are pleading for clarity about where one set of privacy regulations ends and another begins, Mr. Hutton said. Ideally, schools would have one clear system of privacy regulations, not three. He asked the Subcommittee to remember, as it made recommendations to help K-12 schools, that on the local level the understanding of the regulations is “perhaps several steps back from what you heard earlier this morning.”
Nadine Schwab, B.S.N., M.P.H., P.N.P., American School Health Association (ASHA)
Ms. Schwab focused on the significant negative impacts of the HIPAA Privacy Rule on school attendance; student safety, health and learning; parent-school-physician communication, and on the resources of families in public schools.
ASHA believes that the problems are caused by misinterpretation of the regulations and inadequate guidance, not the regulations themselves, Ms. Schwab explained. She reported that students are being kept from school, parents are missing work and school resources are being drained because under HIPAA, providers refuse to share mandated immunization and physical-assessment information with schools. Public schools are both prohibited from denying children access to school and, at the same time, are required to deny them access if they have not complied with the public-health mandate, she observed.
Ms. Schwab reported that paperwork is often the problem. Many providers’ offices will no longer fax immunization or physical exam forms to schools. Many will not accept parent-signed school authorization forms and some will not accept a faxed authorization on their own forms. Parents must drive to the provider’s office—hundreds of miles in some remote parts of the country—sign the provider’s form and hand deliver the immunization record back to the school.
These delays stemming from HIPAA communications can be disastrous for the most vulnerable students who can least afford time away from the classroom and whose families are less able to learn about these laws and the paperwork that goes with them.
Ms. Schwab stated that four items of guidance to state health departments and providers can remove these artificial barriers to communication and school attendance. One, school nurses and physicians should be recognized as public-health professionals and extensions of their state’s public-health system, regardless of which entity employs them. Two, school nurses should be authorized to access and contribute to state immunization registries. Three, providers are permitted to release records about state-mandated health requirements to school nurses. And, four, immunization data may be faxed from a HIPAA-covered entity to a school.
As Dr. McGrath stated earlier, HIPAA has shut off communications between healthcare providers and school health professionals regarding treatment of children in school who have acute and chronic health and mental-health conditions. Ms. Schwab suggested that problems might best be resolved if FERPA could be updated to be more consistent with HIPAA.
Martha Dewey Bergren, D.N.S., R.N., National Association of School Nurses
Ms. Bergren outlined how FERPA and HIPAA have affected the responsibilities of school nurses. School nurses act as case managers and provide treatment and health monitoring for children that have the same diagnoses, treatments, and healthcare needs found in acute-care facilities. She added that school nurses often care for children prior to kindergarten and that the records of those children contain extensive family health information.
Ms. Bergren shared numerous situations reported to her by school nurses. Many of these echoed the communication difficulties between providers and school health personnel described by Ms. Schwab and Dr. McGrath.
As a result of these situations, thousands of students have been excluded from school or re-immunized due to missing immunization dates. Students’ return to school following an illness or injury has been delayed and students have returned to school without needed medication or treatments for their chronic or acute health conditions.
Ms. Bergren reported that not only have parents missed work to deliver records between providers and school, they have also spent time in school administering medications or treatments because nurses cannot obtain or clarify physician orders by phone or fax.
Her examples included health departments’ refusal to share vision and hearing screening results with schools so the school can provide follow-up and accommodate, for instance, a child with a vision problem by moving them to the front of the room. She told of how providers will not verify unreadable dates on documents and restrictions on physical activity are sent to schools without the health reason for the restriction or what body system it affects.
While some facilities are overreacting to the Privacy Rule, Ms. Bergren stated, many are aware that they may share health information for treatment but are not required to share it without authorization. Citing that they are permitted to have more restrictive policies than the minimum required by HIPAA, primary providers admit that their new, stringent policies have greatly decreased the time and workload previously spent collaborating with schools.
Ms. Bergren observed that FERPA does not provide guidance on how to protect family and student privacy or mandate confidentiality training for educators or school health employees.
Ms. Bergren welcomed guidance and direction in several areas including issues of communications between providers and schools emphasized by earlier speakers. To these she added: written technical guidance on the submission of electronic transmissions for reimbursement; an exemption of public screening data collected for the detection of easily-preventable disabilities that interfere with learning such as vision and hearing; and a stronger, clearer directive to providers that HIPAA not interfere with the provision of care regardless of the setting. Her requests urged providers to adhere to the spirit of administrative simplification.
Mr. Rothstein observed that the statute and regulations are clear and have clear answers to 90 percent of the presenters’ questions. He felt that the issue is communicating these answers to providers to avoid delays.
Noting that he was troubled that providers are using HIPAA to avoid doing work, Mr. Houston requested recommendations for ways to align FERPA and HIPAA. Ms. Bergren reported that a national confidentiality committee for student health records has issued suggestions encompassing much of Dr. McGrath’s testimony. Ms. Schwab added that educators do need access to health information and emphasized that FERPA does not sufficiently address appropriate use and protections of health records in schools. Both agreed that teachers and administrators need much more education about protecting health information in schools.
Mr. Houston also inquired about the status and depth of the FAQs for providers and covered entities. He suggested developing a model authorization form to diminish the paperwork issue. Some states have such models, Ms. Schwab reported, but provider education is still needed because some providers refuse any but their own form.
Mr. Rothstein requested any success stories, such as localities or districts that have programs to use as models for replicating success. Ms. Schwab described a Massachusetts program that provides schools with guidance from the State Department of Public Health about immunizations, public health mandated information, and frequently-asked questions. She also noted a very helpful opinion from the Oregon Attorney General addressing whether or not schools that were Medicaid billing were subject to the Transaction Rule but not to the Privacy Rule. She felt that HHS could mirror this in a technical-assistance guidance. Ms. Bergren stated that she would request details about reported positive situations.
Dr. Harding commented that it seems necessary to reconsider the 30-year-old FERPA law, and Mr. Houston emphasized the need to provide clear, understandable information and not impose a heavy level of further regulation. It is essential that the law not interfere with good patient care, Dr. Harding stated, adding that he does not know how to codify this.
Ms. Horlick reminded the Subcommittee that she provided the Massachusetts memo at the November 2003 meeting. She recommended creating a one- or two-page memo for schools with a handout for providers, with Q&As directly from the rule or the FAQs on the OCR Web site. She and Ms. Bergren agreed that, in order to have impact on providers, a document needs to come to providers from OCR, because fear of financial penalties and jail time is driving much of the refusal to share information.
Expressing his sorrow and frustration at these situations, Mr. Rothstein observed that they are not real problems but are getting in the way of children’s education and health care.
Mr. Rothstein stated that this Subcommittee and full Committee had recommended that there be special sections on the OCR Web site for schools, providing the official word on many kinds of issues. He indicated the Subcommittee’s hope that this will come about in the future. He stated again that he would like to see examples of successes that can be endorsed.
Members of the Subcommittee were asked to identify areas needing more information or hearings.
Mr. Houston inquired whether, according to 1179, a bank handling PHI would become a business associate or be designated a covered entity as a clearinghouse. Mr. Rothstein proposed framing the issue by stating that the banking process includes PHI in the payment of claims, and describing the testimony that PHI goes along with claim payment in some transactions. Where it goes through the payment chain it is within the scope of the Privacy Rule, raising the broader issue of the exemption in 1179 that must be clarified. The Subcommittee also discussed that some banks function as clearinghouses or business associates but may not comply with all the requirements of the Privacy Rule.
Two other points about banking were raised by Mr. Rothstein for inclusion in a letter. First, the Subcommittee did not hear any testimony of misuse of PHI by the banking industry, in terms of selling, wrongfully disclosing or using information inappropriately. Second, according to testimony, it is possible to achieve the payment needs of the payer, the bank and the provider without including PHI, which may influence the structure of 835s or related rules. Mr. Houston pointed out that PHI is necessary for the value-added services many banks wish to provide.
Mr. Rothstein recommended that the letter not focus on details of banking function but simply state that the Subcommittee heard testimony that PHI, for many banking functions, is not necessary and that further exploration of how to exclude PHI in banking is desirable. In NPP, it is not disclosed to anyone that their PHI may be disclosed to bankers, he added. He suggested that if PHI is disclosed, it might be in the interest of consumers to notify them that financial institutions other than the bank are involved in the payment chain.
Mr. Fanning offered a possible principal distinction between ordinary business associates and banks. Business associates have no relationship to individuals’ lives, except as handlers of their information on behalf of a payer or a provider. Banks’ broader place in people’s lives supports the argument that people should know that a bank has their information. Mr. Houston felt that the situation needs some additional research.
Subcommittee members agreed that the testimony had provided the essence of the issues and that the concern was PHI embedded in banking payments. Mr. Rothstein confirmed that they would ask the Secretary to take appropriate action regarding the concerns.
Introducing the second topic of the hearing, law enforcement, Mr. Rothstein noted that the Subcommittee had wanted more presentations and discussion. He raised two issues for the group’s focus. First, there are very few requirements or restrictions on administrative requests under 512(f). Second, 512(a) gives very wide discretion to state and local officials to enact wide-ranging laws requiring the collection, disclosure and release of all sorts of records.
A third issue was added by Mr. Houston: whether there are guidelines as to what a covered entity can and cannot do when addressing a problem of doctor shopping. Mr. Rothstein brought up the prescription monitoring programs and potentially over-broad disclosure laws related to them.
He went on to state that the Subcommittee does not need to resolve these issues but can indicate that it has identified them. The Subcommittee can recognize that it does not have an adequate record because key stakeholders have not testified, but it believes that these are issues that need to be explored at the department level or inter-department level.
Noting that these questions also address the relationship between this regulation and state law, Mr. Fanning reminded the group that the complexities involved in interfering with local judicial process, even with police practice, are very great. He observed that a regulation of this kind is a first step in hammering out national policy on the use of information. The attention called to the subject may have effects on future choices by legislatures, for example.
Dr. Harding suggested that the Subcommittee compliment the good and remain quiet or say very little about aspects that are not good, and that way draw attention to them with faint praise since they are very sensitive issues. The need to balance privacy against this important interest was emphasized again by Mr. Rothstein.
Mr. Houston introduced the Subcommittee’s discussion of HIPAA and schools by identifying the conflict or tension between FERPA and HIPAA. He noted that this group does not have responsibility or purview over FERPA, but felt it important to identify this source of issues.
Medicaid billing, the employer of the school nurse, and other broad issues would be helped by clarification as to which law applies, Ms. Horlick suggested. Mr. Rothstein stated that OCR has been very clear, so it becomes an issue of communicating to all of the parties involved.
The authority of OCR’s approval is important for any materials developed, Ms. Horlick emphasized, noting that information is available but that people are not seeking it out. She suggested creating an official one- or two-page piece. Discussion arose around whether FAQs are available or are sufficient for communications such as reassuring providers that sharing information with the school nurse for purposes of student treatment or immunization is not going to violate the law and get the doctor into terrible trouble. Mr. Rothstein noted that busy providers are not going to seek out the latest online FAQs and suggested working through a familiar information source such as a medical association.
In response to Mrs. Greenberg’s amazement that healthcare providers are feeling such anxiety and not sharing, Ms. Horlick re-emphasized that doctors are reluctant to share even immunization data without authorization, unless there is a state law. She added that many parents may not want discharge summaries or sensitive information to be shared without their authorization, because under FERPA it may be mixed with other records.
The issue of private and parochial schools not being covered under FERPA was added by Dr. Harding, asking whether these schools consider themselves covered entities under HIPAA and what is happening with that whole group without the presence of FERPA.
Mrs. Greenberg asked whether more dialogue with provider groups is needed, and Mr. Houston raised the issue of some providers using HIPAA as an excuse to not provide information. Instead of further hearings, Mr. Rothstein proposed letters to other provider groups with narrowly tailored questions asking for written responses and giving groups the requested lead time to survey their members. The letters could include that the Subcommittee heard testimony that physicians have been reluctant to release records under certain circumstances in which the regulations are quite clear that doing so is permissible. The letters could ask for suggested ways to reduce these impediments. Noting that he and Ms. Fyffe would discuss which groups would be appropriate to contact, Mr. Rothstein stated that at its next meeting on March 4-5, 2004, the Subcommittee would set the deadline for preparing the draft of the letter based on this hearing.
At that upcoming meeting within the full committee meeting, the Subcommittee will present the draft of its letter dealing with research, public health and other issues. The letter would be sent to the Executive Subcommittee on February 19, 2004. The letter is likely to be revised when it gets to the full committee, with debate about the one bullet on which agreement was not reached.
The Subcommittee agreed that topics for the third round of hearings would include fund raising, marketing, and the issue of media access to medical records. Mr. Houston requested streamlining of less-controversial portions of the hearings to allow time for discussion of fund raising. Mr. Rothstein recommended inviting testimony from the Association of Healthcare Philanthropy, one or two organizations and possibly a consumer person.
Mr. Rothstein adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.