July 14-15, 2004

Washington, DC

– Minutes –

The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS) held hearings on July 14 and 15, 2004, at the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public.


Subcommittee Members:

  • Mark A. Rothstein, J.D., Chair
  • Simon P. Cohn, M.D.
  • Richard K. Harding, M.D.
  • John P. Houston, J.D.
  • Harry Reynolds

Staff and Liaisons:

  • Amy Chapper, CMS
  • John Fanning, LL.B., ASPE
  • J. Michael Fitzmaurice, Ph.D., AHRQ
  • Marjorie Greenberg, NCHS, CDC
  • Gail Horlick, M.S.W., J.D., CDC
  • Evelyn Kappeller, OPA/OPHS
  • Lora Kutkat, NIH
  • Catherine Lorraine, FDA
  • Sarah Wattenberg, SAMHSA


  • Cynthia Beach-Smeltzer, Fund for Johns Hopkins Medicine
  • Don L. Bell II, NACDS
  • Carol J. Bickford, Ph.D., RN, BC, American Nurses Association
  • Barbara Cochran, Radio-Television News Directors Association
  • Rebecca Daugherty, J.D., Reporters Committee for Freedom of the Press
  • Kristin Fitzgerald, Fitzgerald Consulting
  • Maria Friedman, Centers for Medicare and Medicaid Services
  • Debra Goldschmidt, Columbia University Graduate School of Journalism
  • Sara M. Howley, North Broward Hospital District
  • Lawrence Hughes, American Hospital Association
  • Marilyn Zigmund Luke, America’s Health Insurance Plans
  • William C. McGinly, Ph.D., CAE, Association for Healthcare Philanthropy
  • Alicia Mitchell, American Hospital Association
  • Stanley Nachimson, CMS
  • Joy Pritts, J.D., Health Policy Institute, Georgetown University
  • Tonda Rush, American PressWorks, Inc.
  • David Sewell, Hogan and Hartson, LLP
  • Emily Stewart, Health Privacy Project
  • Beth Tossell, Health Privacy Project
  • Laura E. Vartain, Wexler & Walker Public Policy Associates
  • May Williams, American College of Physicians
  • Michael Yohannon, Capitol Associates, Inc.
  • John H. Zeller, Johns Hopkins Institutions


The Subcommittee on Privacy and Confidentiality held hearings on July 14 and 15, 2004, on implementation issues under the HIPAA Privacy Rule. The Subcommittee received 10 presentations and talked with three panels about the balance between health privacy and other important concerns and looked at the impact of the HIPAA Privacy Rule on marketing, fundraising and media access to protected health information. The Subcommittee also heard a briefing on the HIPAA Security Rule.

Stanley Nachimson, CMS

Mr. Nachimson reviewed the provisions of the Security Standard’s Final Rule. The rule’s general requirements are to ensure the confidentiality and integrity of electronic-protected health information that is created, received, maintained or transmitted by covered entities. The goal in this Rule was to create a balance between protecting information and allowing access and it emphasizes scalability and flexibility. The Rule contains five sets of standards: administrative safeguards; physical safeguards; technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. One issue to watch is security issues related to medical equipment.

Panel 1 – Marketing

Don L. Bell, II, National Association of Chain Drug Stores.

Reaffirming that pharmacies do recognize the tremendous value of protecting patient privacy and consider it an important part of their professionalism and a good business practice, Mr. Bell warned that government should not restrict important health care communications between patients and pharmacists. He acknowledged that there is not a bright line distinguishing marketing and other health care communications. He also announced the National Consumers League’s publication of a new privacy best practices guide, “Health Care Communications Provided by Pharmacies: Best Practices Principles for Safeguarding Patient Privacy,” and recommended it to the Subcommittee.

Joy Pritts, J.D., Health Policy Institute, Georgetown University

In contrast to Mr. Bell, Ms. Pritts believes that these health communications are largely marketing and that consumers do not understand what the marketing provisions allow and what they prohibit. She gave numerous examples and made several recommendations, including that the Rule’s marketing provisions should comply with the Fair Information Practice Principles and provide a choice for consumers when their health information is being used for secondary purposes, with an opt-out at the very minimum. There should be clear notice displayed prominently on mailed material that it is paid for by a third party. She also emphasized that more effective communication is needed about when authorization is required.

Panel 2 – Fundraising

John Zeller, Johns Hopkins Medicine

Mr. Zeller reported on the impact of the HIPAA Privacy Rule on institutions that rely heavily on private philanthropy from patients. He pointed out that this funding also contributes enormously to medical advancement by funding cutting edge medical research. Compliance with HIPAA has cost his organization significantly in terms of staffing and technology. Less than half of patients are signing the new authorization form, and while it is too soon to evaluate the results of this, they expect significant decreases. Mr. Zeller requested that the Subcommittee again urge HHS to allow disclosure of clinical department of service information for use in fundraising.

William C. McGinly, Ph.D., CAE, Association for Healthcare Philanthropy

The HIPAA Privacy Rule is causing a loss of services in communities because of the added costs that the organizations have incurred, Dr. McGinly reported. Larger organizations using an authorization form are reporting $400,000 to $700,000 annually to manage this process. At the same time, donations are decreasing. Often, fewer than 50% of patients give authorization, due in part to the inaccurate stigma on the word fundraising. He stated that the Rule is also creating extensive confusion that makes it more difficult for fundraisers to work and recommended allowing the use of point of service information within the health care provider for fundraising purposes, without prior written authorization from the patient.

Panel 3 – Media Access to PHI

Sara M. Howley, North Broward Hospital District

Ms. Howley explained how the Rule has changed what information hospitals may provide to the media and described her organization’s efforts at informing local media and attempting to work together. The consequences of the Rule that she has seen are: patient confusion about the different regulations on hospitals and law enforcement; media efforts to go around the rule to get their stories; and greater difficulty identifying John/Jane Doe patients. Her primary recommendation was for greater education about the Privacy Rule for the public, media and law enforcement.

Emily Stewart, Health Privacy Project

Emphasizing that the Rule states that patient medical records are not public records, Ms. Stewart gave examples of well-known individuals having their depression and HIV+ status revealed against their wishes. She also stated that media access to information has been by custom, not by law. Although the Rule does allow for access outside of the core health care system for quality assessment, accreditation, reporting to law enforcement or assisting public health authorities, members of the media do not hold these roles. Ms. Stewart added that media investigations should not trump the privacy of patients and urged the Subcommittee to keep the regulation concerning the media as it stands.

Tonda Rush, American PressWorks, Inc.

Ms. Rush described the confusion on the part of news sources—both covered and non-covered entities—as to what they were allowed to disclose, and the kinds of stories that she feels are important to the public but that the press may no longer publish due to Privacy Rule restrictions. Another big obstacle to timely reporting is the delay in public record filing and the now necessary reliance by press and public on law enforcement for information. Her examples included stories of contagious diseases that lacked important detail and the press’s inability to help identify John Doe patients. Ms. Rush concluded that public officials must look at whether the information and the stories that the press are unable to tell make us richer or poorer as a society.

Barbara Cochran, Radio and Television News Directors Association.

Ms. Cochran emphasized the importance of health information to the public, even more than to the media. In times of emergency, disaster and other events of high public interest, citizens turn to local television and radio, and HIPAA has made that kind of event much more difficult for reporters to cover. She provided numerous examples of information being improperly denied to press and described the impact of this on the necessary informing of citizens. Ms. Cochran’s organization offered nine specific proposals related to health information and the media.

Rebecca Daugherty, J.D., Reporters Committee for Freedom of the Press

Probably nine-tenths of the questions to this organization’s legal hotline for reporters have to do with inability to access information from government or other entities such as hospitals, Ms. Daugherty explained. Her primary concerns were the effects of the Rule on would-be whistle blowers and the need to dispel some bureaucracies’ mistaken belief that the Rule applies to them and that they would be subject to penalties for giving information to reporters. She stated that HIPAA will also eliminate any undercover reporting. Regarding public figures, Ms. Daugherty pointed out that, traditionally in tort law, public figures are, “to be quite crass about it, fair game for reporting, and that is a good thing, because it tells the public things that they need to know.”

Debra Goldschmidt, Columbia University Graduate School of Journalism

Ms. Goldschmidt addressed the Rule’s impact on medical archives. HIPAA is jeopardizing access to much of the contents of health science libraries because many of the records contain PHI. There are questions as to whether or which of these libraries may be covered entities and wide variation in how they apply the Rule to themselves. HHS has previously ruled that historical research did not meet the criteria for the Rule’s research exception. There are also fears that valuable records that are not already part of archives may be destroyed because the small practices or town halls that have them may view destruction as the prudent step.

Subcommittee Discussion

Discussion with the marketing panelists focused on disclosure of payment for mailing and opt-out mechanisms. Regarding a potential provision allowing a covered entity to mail out news of additional products for the individual’s condition so long as the covered entity did not receive compensation from the product manufacturer beyond the mailing costs, Ms. Pritts asked to also have notice on the mailing of who had paid for it and asked for patients to be asked up front in the drug store for authorization. Mr. Bell was cautious regarding this kind of change to the Rule, explaining the need to ensure that a pharmacy would not be held liable for not providing information that a patient had declined. The group also discussed communications from health plans and pharmacy benefits managers. The two panelists disagreed completely on whether the Rule should preempt state privacy laws.

The Subcommittee voted to draft and approve a letter to OCR to be presented by Mr. Rothstein and Dr. Cohn to the Executive Subcommittee at its August, 2004 retreat. The letter is described in detail in the full minutes. The letter would be discussed as something under consideration, with input requested from the Executive Subcommittee in the context of a broader discussion of the relationship between the Committee and Subcommittee and OCR.

The Subcommittee looked at the scope of the Rule’s financial impact on the fundraising of health care organizations. It focused on the fact that specialty hospitals may engage in grateful patient fundraising that units of larger hospitals may not, because all patients at a specialty hospital have the same conditions. The panelists emphasized that visits to patients are to build relationships and educate, not to solicit for contributions. Panelists also stated that in about 20 years, they have been aware of fewer than ten complaints about fundraising.

Mr. Houston moved that the Subcommittee recommend to the full Committee that the fundraising provision be clarified or amended to allow for the provision of data related to patient service department, defined as broad areas of service, for the purpose of fundraising. The Subcommittee voted unanimously in favor of the recommendation.

With the media panel, the Subcommittee discussed the interrelationship of medical privacy and the public good. Proponents of the media pointed to the loss of potentially important whistle blower stories. Ms. Cochran urged the Subcommittee to focus on the day to day news coverage that before HIPAA was commonplace and of great use to people. The Subcommittee reiterated that the Rule cannot force any entity to disclose information and that it is intentionally designed to protect individuals. Mr. Rothstein proposed two possible recommendations: an addition to the exception for whistle blowers that would include the media and members of the public in very specific situations, and a limited media exception that would allow reporting to law enforcement officials in emergencies.

Mr. Reynolds encouraged the Subcommittee to protect the law’s existing due process to provide information needed for a specific reason, not because it is important to have it on the 6:00 news. Some of the media panelists will send this group a letter advocating that the four categories of permissible whistle blower contacts should be expanded to a fifth, covering the media and other people, Mr. Rothstein stated. He recommended waiting on any actions in this area until receipt of the letter.

The Subcommittee members agreed to hold hearings in fall 2004 dealing with e-prescribing and privacy issues under the Security Rule, then after January 1, 2005, on archival records and unique identification. It was noted that follow up hearings might be needed, so they would address longer term bigger picture privacy issues in spring 2005 at the earliest.



Mr. Rothstein welcomed Subcommittee members and guests to two days of hearings on implementation issues under the HIPAA Privacy Rule. The hearings considered whether the Rule strikes the appropriate balance between health privacy and other important concerns, looked at practical problems or unintended consequences of the Rule, and identified areas in which additional clarification, education or outreach are needed to facilitate compliance. The three panels addressed the Rule’s impact on marketing, fundraising and media access to PHI, two of which the Subcommittee has discussed extensively in the past.

His status as a professor at a medical school that is supported in part by patient contributions could be considered a conflict of interest for the discussion of fundraising, Mr. Rothstein noted. No other conflicts of interest were announced.

Briefing on Security Rule – Stanley Nachimson, CMS

The Security Standard’s Final Rule was published on February 20, 2003, with the effective date of April 21, 2005. The Rule’s general requirements are to ensure the confidentiality and integrity of electronic-protected health information, Mr. Nachimson explained. This means that only specific people in an organization can access the information, and that its alteration, either inadvertent or deliberate, must be prevented. Information must also be made available to the right people.

Mr. Nachimson stated that the Rule strives for balance between protecting information and allowing access. He emphasized that the security standards apply only to electronic-protected health information that any covered entity creates, receives, maintains or transmits. This is unlike the Privacy Rule, which addresses all protected health information. While transactions standards apply to information that is flowing between covered entities, security standards include that and also information that any covered entity will store or create within their organization, he added.

The Security Rule expects covered entities to protect against reasonably anticipated threats or hazards to the security or integrity of the information, and to protect against reasonably anticipated uses and disclosures that are not permitted by the Privacy Rule. Mr. Nachimson emphasized the use of “reasonably,” noting that they do not expect covered entities to protect against every possible threat because of the excessive burden. Covered entities must look at the threats to their information and determine what protections are reasonable for them. Covered entities are also expected to ensure workforce compliance by training and ensuring that their workforce follows the policies and procedures to protect the information.

Several themes were followed in designing the Rule. The regulation and standards had to be scalable and flexible, allowing covered entities to take into account the size, complexity and capabilities of their organization, their technical infrastructure, the cost of compliance procedures, and potential security risks. Mr. Nachimson described the standards as technology-neutral, addressing what needs to be done, not how. The standards address both technical and behavioral aspects with implementation specifications that may be required or addressable. This means a covered entity can choose between implementing that exact specification, an equivalent measure, or not implementing if that decision is reasonable and appropriate for that covered entity. He noted that these decisions must be based on sound and documented reasoning from a covered entity’s required risk analysis. They also expect every covered entity to periodically revisit their risk analysis and revisit decisions on addressable implementation specifications.

There are five sets of standards in the Rule: administrative safeguards; physical safeguards; technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. The complete breakdown of the Rule can be found on the NCVHS Web site within the transcripts of these hearings.

The administrative safeguards set up the administrative structure for security standards within an organization. These include security management processes, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, and business associate contract and other arrangements.

During Mr. Nachimson’s presentation, Dr. Fitzmaurice asked if a self-administered health plan would be required to isolate its information from regular personnel information. The organization determines who can have access to that information for payment and treatment operations, Mr. Nachimson replied, and there could be cross-access. This standard would be within Privacy compliance and Security has to be consistent with the applicable requirements of the Privacy Rule. He added that the relationship between the two rules is complex.

Mr. Nachimson outlined the standards and implementation specifications for physical safeguards: facility access controls, workstation use, workstation security, and device and media controls. Many implementation specifications in this section are addressable because of the wide range of physical plants in the health care industry, which require widely varying access controls.

The technical safeguards address how computer systems should be set up to adequately protect electronic-protected health information, Mr. Nachimson explained. He noted that there is some overlap and duplication here to ensure adequate protection. This section’s standards are: access control, audit controls, integrity, person or entity authentication and transmission security. It is not possible for a requirement to move from required to addressable without going through changes in regulation.

The Rule includes organizational requirements for business associate contracts and other arrangements, and certain requirements for group health plans. The last set of standards is documentation requirements, which has a six year time limit.

Areas Mr. Nachimson feels are particularly at issue include security incident reporting and whether a strict reading of the definition of security incident must be followed. This might require reporting every Internet “ping” to a system, of which there could be thousands in a day. Instead, they have been asked whether it is acceptable to report only more major things that could compromise the security of an operation. He noted that they avoid saying that a particular approach will definitely meet the requirements of the Security Rule, because there are so many factors and variables.

Mr. Houston asked whether medical equipment vendors, manufacturers or other covered entities have had questions about security issues related to medical equipment, observing that patches and viral protection software are not options on this equipment. Device questions have come up about all of the HIPAA standards, Mr. Nachimson reported, adding that this will need attention as it moves to collecting and transmitting digital information, which may or may not be considered electronic-protected health information. He also stated that they will have to respond to individual situations and devices to determine whether or not these are electronic-protected health information and covered by the Security Rule.

Mr. Houston pointed out that many telemetry systems do not offer much control over configuration or encryption once installed. In this instance, Mr. Nachimson recommended relying on the scalability and flexibility option in the risk analysis, where covered entities determine the risk and what capabilities are needed for protection. Dr. Cohn encouraged them to inform the industry as quickly as possible whether or not this area is in the Security Rule.

Although the Rule says that business associates must provide satisfactory assurances that they will appropriately safeguard information, Dr. Harding pointed out that work is sometimes done in places that are not under their control. Mr. Nachimson confirmed that there is not a consensus on addressing this issue; it remains the responsibility of the covered entity. He noted that they do not expect a covered entity to inspect the operations of a business associate, and suggested obtaining assurances that the information is adequately protected before signing a contract.

Mr. Reynolds commended all of the work on this regulation, stating that it “puts a nice framework around what you need to think about and how you need to approach it, but it has not been nearly as burdensome to implement as anything else…in HIPAA by a dramatic step. You have set up a really good structure.”

Mr. Reynolds asked about the challenges of role-based rules, given that many employees serve multiple roles. This is acceptable for an individual, Mr. Nachimson replied, as long as the activities are tracked through auditing. There are multiple layers of protection and standards, which he hopes are flexible enough to handle a variety of situations. Regarding auditing, Mr. Reynolds felt that there could be excessive burden if every transaction was tracked. This, too, should be based on a covered entity’s risk analysis, Mr. Nachimson stated, and reasonable protection systems put in place.

There is not a provision for paper records in this Rule, Mr. Nachimson explained, but the Privacy Rule applies to all information beyond electronic, so there is at least an assumption that covered entities will establish procedures for the rest of their PHI. The HIPAA Security Rule does not address paper because it would require a very different set of protections and the focus was first on protections for electronic-protected health information. They would wait to see if there was a need for paper beyond what was specified in the Privacy Rule.

Mr. Houston expressed his concern about the practicality and cost of several implementation aspects given the variety in so many factors. Mr. Nachimson stated, “concerns like yours led to the decision to first state in the Rule that things should be reasonably protected, and then give covered entities decision-making power themselves. You as a covered entity get to look at your situation and decide how you are going to protect that information reasonably and adequately. You may suggest less costly options or show how current processes are sufficient.”

These answers and comments are important and should be expressed in an FAQ, Mr. Houston observed, adding that this exact dialogue is very insightful. The FAQs are going through clearance, Mr. Nachimson stated, and are almost generic: first do a risk analysis and determine whether that particular solution is right for your situation.

Explanations of the small number of complaints or issues about the Security Rule were given by Mr. Nachimson. He feels covered entities may not yet have focused on this because they have been so attuned to getting their claims transactions ready. But he also feels that they avoided surprises by working closely with the industry on the standard. Because of the Privacy Rule, there was already a focus on protecting the confidentiality of information. Finally, the scalability and flexibility enable smaller entities to proceed in simpler ways, for example.

Mr. Nachimson stated that they will monitor the volume of questions by phone and on Ask HIPAA, adding that they are seeing a few more questions about security. They reach out to people via local and national conferences, and most questions are about the right way to respond, rather than how to get started. He felt that six months out from the compliance date would be an interesting check point and reported that plans have not been made yet for ongoing study of the Rule’s consequences.

Panel 1 – Marketing

Don L. Bell, II, National Association of Chain Drug Stores.

Mr. Bell thanked the Subcommittee for helping with the Privacy Rule clarification and revision process that his members feel has led to much better marketing provisions. He reaffirmed that pharmacies do recognize the tremendous value of protecting patient privacy and consider it an important part of their professionalism and a good business practice. NACDS members have no interest in adopting marketing strategies that will endanger public trust, he asserted.

Government should not restrict health care communications between patients and pharmacists, stated Mr. Bell. He feels that distinguishing between marketing and health care communications is the essential tension in this issue. The Rule defines marketing in part as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. He feels this is a very broad definition. A pharmacist’s encouragement of a diabetic patient to use a glucometer is a valuable health care service, he stated, although the pharmacy might profit from the sale of that glucometer. Is advocating the use of the glucometer marketing, or is it a health care service? He asserted that informed consumers make better health care decisions.

Mr. Bell reported that since he testified in 2001, this Subcommittee has helped quite a bit with clarifying the rules. And for the most part, they believe that OCR has appropriately characterized important pharmacy communications as health care communications, rather than marketing or advertising. He then shared examples of the most common communications that pharmacies and pharmacists have with their patients, and described how they believe those fit within the marketing limitations. These included refill reminders, medication recommendations and counseling and drug utilization review from pharmacists or physicians.

A sometimes controversial communication is recommendation of alternative medications, or switch programs, Mr. Bell explained. When a patient is taking an expensive brand name drug, pharmacists may inform them about generic drugs or other medications that are biologically or therapeutically equivalent to the drugs they are taking, but may have fewer side effects or greater ease of use. He believes that these communications help patients with their health care, help save money, and provide options. PHI is not provided to the manufacturer.

NACDS members believe that disease state management and wellness programs should also be included within the exception for treatment. For example, without obtaining patient authorizations, a pharmacy should be able to compile a list of patients who purchase diabetes medication and send them letters suggesting that they receive diabetes self-management training. OCR has suggested that most, not all, of these programs fall outside the definition of marketing.

Mr. Bell announced that a new privacy best practices guide, “Health Care Communications Provided by Pharmacies: Best Practices Principles for Safeguarding Patient Privacy,” is being issued the week of July 13 by the National Consumers League (NCL). He recommended that the Subcommittee look over this guide before making any recommendations. The NCL is a private, non-profit consumer advocacy organization that has represented consumers for over 100 years. Their guide recognizes the importance of pharmacy communications to patient health and also creates a voluntary framework for increased privacy protections, he reported.

Joy Pritts, J.D., Health Policy Institute, Georgetown University

Ms. Pritts stated that her impression of the Privacy Rule is drastically different than that of Mr. Bell. She disagreed with the notion that the use of PHI for marketing purposes is not really a privacy issue and pointed to the Fair Information Practice Principle of choice. Paraphrasing an FTC report on privacy, she noted that choice means giving consumers options as to how any personal information collected from them may be used for secondary purposes, such as selling a product. Ms. Pritts agreed that this issue has a huge gray area but she believes that the practice of sending information on new drugs to a patient only because he or she has a condition and the provider is getting paid to send them that information, should at least be disclosed to the patient.

Ms. Pritts gave examples of individuals’ concerns about how their information is disclosed to others and how it is used, including a lawsuit for sending switching letters about HIV medication and mailings of Prozac samples. These situations targeted patients who had particular medications and the providers received outside payments to tell the patients about an alternate treatment. Treatment, she felt, would involve evaluation of the patients’ medical records. She observed that these practices erode the patient/pharmacist/physician trust. Patients think their information is being sold and bandied about without any consideration of their privacy.

The Privacy Rule requires authorization to use and disclose PHI to a third party for marketing, Ms. Pritts noted, but then it defines marketing to exclude many of the activities just described. Although pharmacists and doctors cannot sell the information, they are allowed to use PHI to encourage people to buy products and receive payment from drug companies to send out marketing materials. She stated that there is no authorization required to use PHI for switching letters, no choice, and no opt out. One very upset woman was receiving bright yellow and purple postcards for Prozac in the mail, which her mail carrier and everyone in her building could see.

Although acknowledging that there have not been as many published marketing incidents since the compliance date of the Privacy Rule, Ms. Pritts emphasized that it is very important not to preempt more stringent State laws, because they fill in where the Privacy Rule lacks.

Ms. Pritts told of speaking on the Privacy Rule at an academic conference on marketing, where everyone present understood that the Rule prohibited using health information for marketing. She asked what it is called when a pharmacy receives payment from a pharmaceutical company to send an individual a switching letter. To a one, the attendees said in unison, “marketing.” In the Nebraska Law Review, associate professor of law June McDeasy concluded that the commercial use of PHI under the HIPAA Privacy Rule is “marketing disguised as health care operations.”

The level of public understanding about the Rule’s actual scope is beyond confusion, almost to misinformation, Ms. Pritts stated, particularly the marketing provisions. She believes that HHS must do more than the existing FAQs to communicate what the provision means to consumers.

Ms. Pritts made several recommendations, commenting that many of them are “merely a pipe dream at this point.” The Privacy Rule’s marketing provisions should comply with the Fair Information Practice Principles. They should provide a choice for consumers when their health information is being used for secondary purposes, with an opt-out at the very minimum. There should be clear notice displayed prominently on the mailed material, identifying whether the consumer is getting this because someone is paying the provider to send it. There should be more effective communication about when authorization is required.

Ms. Pritts concluded by challenging the Subcommittee with the question “if the policy decision has been made that it’s okay for a pharmacy to be paid to use a patient’s health information to send them marketing materials on behalf of a drug company, why don’t we just say so, and get it up out front? Patients should know.”


Mr. Houston questioned sending a communication to a patient when there is potential that others may glean the patient’s condition from the mailing, and contrasted this with appointment reminders, which must be carefully communicated not to reveal health information to other household members. Mr. Bell agreed that obvious mailings were counter to the intent of the Rule and also a bad business practice. His members report that everything that they send out is in an envelope.

Observing that Ms. Pritts raised some very good points, Mr. Bell noted that the new NCL guide specifies that these letters should always include a very clear disclosure of any payment for the mailing by a manufacturer or other party and an easy method of opting out. The members he has contacted report already doing this.

In response to Mr. Rothstein’s hypothetical recommendation that the regulation include some sort of opt out mechanism available to consumers, Mr. Bell stated that NACDS members are not in favor of any new regulations. As an association, he believes that best practices in guides by NCL and others, along with the nature of the market, will resolve this.

Regarding communications from physicians, Ms. Pritts felt these were less biased because generally the doctor is looking at the patient’s medical chart, evaluating the condition and considering the promoted drug among several options. However, “when someone is receiving $3 a name to send out a mailing for Prozac or a new HIV/AIDS treatment, to me, to every marketing professional I have talked to, and to most health care consumers, that’s marketing.”

Although Ms. Pritts liked Mr. Rothstein’s proposed provision that it is permissible for a covered entity to mail out news of additional products for the individual’s condition so long as the covered entity did not receive compensation from the product manufacturer beyond the mailing costs, she had additional requests. She asked for notice on the mailing of who had paid for it, and ideally, she would like patients to be asked up front for permission for communications.

Mr. Bell was cautious regarding this kind of change to the Rule, explaining the need to ensure that, if a patient declined receiving information, the pharmacy would not be held liable for not providing medical information that it might get paid for sending. Lawsuits against pharmacies for not providing information such as refill reminders or emphasizing the importance of taking your drugs correctly are increasing, he noted. He reminded the Subcommittee that the U.S. has a market-based health care system. “Someone is paying for all of it. Someone is paying for all the drugs dispensed, all of the communications being made.”

Other covered entities—physicians and health plans—send communications that may be underwritten by a pharmaceutical company and could blur the line between marketing and treatment, Mr. Houston observed. Mr. Bell suggested that the Subcommittee look at pharmacy benefits managers (PBMs), who send out a lot of communications, own mail order pharmacies, and are clearly providers but are not covered entities. Ms. Pritts referred to a specific exception for health plans, adding that their marketing communication problems do not have easy answers.

Including disclosure on mailings sent at the behest of a third party would not be a change of practice for most pharmacies, Mr. Bell stated, and is one of the best practices mentioned in the NCL guide. He emphasized that his members do not like changing the Privacy Rule in any way because it took so much time and effort to come into compliance.

Regarding state lawsuits and preemption, Ms. Pritts noted that every State has some rule or law that is more protective than the Privacy Rule, often due to concerns about conditions with stigmas. It is very important that these more protective State laws remain in place, she believes, although it causes practical difficulties for people who practice in more than one State. She related that, since HIPAA implementation, Hawaii and Texas have mostly revoked their fairly comprehensive medical privacy laws. She added that several States are moving to bring their requirements more in line with the Privacy Rule, which can be good or bad.

In contrast, Mr. Bell stated that NACDS members would appreciate preemption because they struggle to try to follow 50 different rules. Their association has created a HIPAA preemption analysis and spends $10,000-20,000 every other month to update the 50 constantly changing standards plus regulations and lawsuits that constantly impact the Rule.

Re-disclosure of PHI by marketing firms is one of the concerns about the fact that the Privacy Rule does not cover everyone who holds health information, Ms. Pritts stated. Many are only covered through a business associate contract over which HHS has no authority. Agreeing with Ms. Pritts, Mr. Bell added that Internet pharmacies have protected health information and specifically require patients to waive any privacy rights. They are not covered entities, because they don’t adopt the necessary type of electronic transactions.

Mr. Houston also asked Ms. Pritts for her perspective on using the patient service department for purposes of fundraising. Ms. Pritts responded that she would think about that, review the regulation, and respond after this part of the session.

Panel 2 – Fundraising

John Zeller, Johns Hopkins Medicine

Academic medical centers and nonprofit health care organizations support without question the spirit of HIPAA legislation to ensure the privacy of medical record information, Mr. Zeller began. He thanked the Subcommittee and Committee for the letter of March 1, 2002, recognizing the vital role that private philanthropy plays in funding medical research, patient care and education programs in this country.

Mr. Zeller reported that private philanthropy from patients is an essential component of Johns Hopkins Medicine’s financial health and also contributes enormously to medical advancement. Patients direct funds to cutting edge medical research tied directly to their own or family members’ diseases, he stated, and this research is often so new that traditional funding sources such as NIH will not yet support it.

Fifteen months after the implementation, HIPAA has impacted their fundraising efforts by requiring diversion of current staff, addition of staff to manage authorization information, and creation of a new office of HIPAA fundraising compliance, Mr. Zeller stated. Their operating budget has increased to accommodate substantial authorization form printing and systems costs, and they have developed makeshift systems to manage authorization information in the short term while building a system that will be able to handle this information.

Mr. Zeller observed that trying to implement a uniform process in a large, complex organization like Hopkins presents a great challenge. In order to comply with HIPAA, they met with their leadership, trustees, legal counsel, physicians, clinical managers and various hospital committees, and concluded that institutional policy would be to offer authorizations to patients at registration. This implementation began last December, and preliminary data shows less than half of their patients are signing the authorization form.

At this juncture, Mr. Zeller stated, the HIPAA impact on fundraising is difficult to assess and they do not know whether the patients who have signed the authorization forms are truly philanthropic. He pointed out that successful fundraising programs rely on strong, ongoing relationships built face to face with potential donors over time. Asking permission to engage in such conversations before any contact with the institution can be very awkward for all parties.

The varying legal interpretations make it very difficult to determine best practices for grateful patient fundraising and develop a model for institutions to follow, Mr. Zeller stated. Noting that it would be helpful if HHS would implement what the Subcommittee suggested in the letter of March 2002, he asked that the Committee renew its recommendation that HHS explore procedures for disclosure of clinical department of service information for use in fundraising, such as simplified authorization or an opt-out procedure for departmental information.

William C. McGinly, Ph.D., CAE, Association for Healthcare Philanthropy

In addressing how life has changed for fundraisers since the last time he met with the Subcommittee, Dr. McGinly testified that there is a lot of confusion regarding the Privacy Rule and many upset people. There is a loss of services in communities because of the added costs that organizations have incurred.

One example is the fact that demographic information can be used without prior written authorization as long as there is an opt-out, Dr. McGinly explained, but interpretations of this run the gamut and create more and more confusion. He has encountered one attorney who is advising that all healthcare clients and volunteers have to enter into a business associate agreement, which is not the case. Compliance officers and other advisors are incorrectly insisting that his members cannot visit patients. And, although fundraisers are entitled to have the age of the patient, sometimes hospital staff will not disclose the birth date, permissible information that is needed for planned giving.

Dr. McGinly’s organization conducted a fax survey of members in 2002 to get a range of expenditures and added costs relating to implementing HIPAA just for fundraising. The responses ranged from $25,000 to well over $1 million. Larger organizations using an authorization form are reporting $400,000 to $700,000 annually to manage this process. Also in the year 2002, giving dropped from $8 billion to $5.5 billion, he reported, recognizing that the major cause of that was the economy, but it was also due in part to confusion in donors’ minds.

In some of the larger teaching hospitals, less than 50 percent of the people who are asked will not give prior written authorization because of incorrect negative associations with the word fundraising, Dr. McGinly stated. He asserted that they are not the telephone call at dinnertime, but people are rejecting the opportunity to be educated about what the organizations are doing and the opportunity to volunteer and donate money.

Dr. McGinly assessed the situation as a process of now rebuilding from the standpoint of 2001, with $8 billion raised, which is what one chief executive told them that implementing all of the HIPAA regulations worldwide or across the board was going to cost. If that is true, they have wiped out what they have gained in philanthropy as a result of HIPAA regulations overall. He recognized that fundraising is a much smaller percentage of that figure, but they believe that substantial dollars are being invested in something that is unnecessary, according to their donor bill of rights. These grateful patients have been helped, Dr. McGinly stated, and many want to turn around and benefit the community and others in need.

Dr. McGinly pointed out that independent, freestanding specialty treatment centers can still do fundraising to their patients. He recommended allowing the use of point of service information within the health care provider, without prior written authorization from the patient, for fundraising purposes. He stated that it is the way that they have conducted business for 35-plus years, up until the time the new regulations came in.


Mr. Rothstein reminded the group that three of the four Subcommittee members work at academic medical centers that are funded in part by private donors, so therefore have in theory some level of conflict of interest.

Dr. McGinly confirmed his belief that there has been an impact on the amount of funding collected and on the costs of fundraising. Mr. Zeller reiterated that it is very difficult to quantify the impact definitively. He reported that, in this financial year, contributions coming from individuals and private foundations have dropped from 70 to 56 percent, with 90 percent of that number from grateful patients. If a patient registers and does not sign the authorization, Mr. Zeller said that they try to re-seek an authorization six months later. Johns Hopkins can still make general solicitations without the disease or department, but those returns account for less than one percent of the total private gifts made.

The regulations do not prohibit a specialty hospital from doing grateful patient fundraising, Dr. McGinly reported. No authorization is needed because all patients at a center have the same condition, such as a spinal cord injury, and fundraising at such institutions has held up well.

Mr. Rothstein stated that the Subcommittee has been wrestling with the issue of how to continue successful fundraising at large multi-specialty medical centers, how to strike the balance between patient privacy rights and the other valid rights. He asked for Mr. Zeller’s view on an opt-out for patients similar to the directory opt-out, where individuals could elect not to have patient service department disclosed for fundraising, but ordinarily it would be available. Mr. Zeller replied that this would still create a very awkward situation relative to seeking that authorization or that process at the front door. Physicians do not want to seek this authorization, he added.

Mr. Zeller strongly preferred another scenario, in which the burden was on the patient to initiate their exclusion from the directory and patient service department for fundraising. He clarified that they are not looking to access or utilize specific diagnoses.

Dr. McGinly asserted that opting out or carving out one piece of this will make AHP members’ lives more difficult in tracking this information. He agreed with Mr. Zeller that they are not interested in diagnosis and added that part of their responsibility is a visit in the hospital. One of the best notices of privacy practice he has ever seen, Dr. McGinly stated, did not have an opt-out in the notice of privacy practices; rather, it was in the materials that were being mailed.

Regarding hospital visits from fundraisers to patients, Dr. McGinly explained that the fundraising staff or volunteers visit patients coming into the hospital. Frequently these are people who are established or have been a donor, but they may make a new call on someone, not directly for fundraising, but to help them out, see how everything is going. Mr. Zeller emphasized that if someone in fundraising visits a patient, it is not for the purpose of discussing a gift or to solicit them. Instead, he said, grateful patient fundraising is built upon a relationship, which can involve courtesies to facilitate the best possible patient experience: escorting a patient to appointments or stopping by with greetings from friends or colleagues. Both panelists clarified that people are not coming in and asking patients for money.

Dr. McGinly confirmed that, prior to this regulation, one could, using a publicly available directory, go to a patient’s hospital room and see the name of their physician. When the organization wanted to endow a chair in honor of that doctor, they could mail the patient a solicitation not saying that he or she was a patient, but that they are establishing a chair for that physician. Now, although a fundraiser might know through a visit that a patient is on the cardiac care wing, he could not build a file of cardiac patients for fundraising without a written patient authorization. Patients may get an invitation to contribute, but it is much broader.

The development office gets a daily printout of patients and may compare it to current donors or decide that these are a group of people to visit, Dr. McGinly noted. The fundraiser does not learn about the patient’s diagnosis, but where they are receiving service in the hospital, and use of that information is restricted. Mr. Rothstein emphasized that institutionally related fundraisers are seemingly in a worse position than someone off the street.

Mr. Reynolds asked whether changing the organizational structure of a specialty unit in a larger hospital would allow the unit to do the same fundraising activities that independent specialty hospitals do. Discussion was unable to resolve this point.

Dr. McGinly emphasized that attorneys feel written patient authorization is the best practice. He added that, over 35 or 40 years, if people asked AHP members not to receive fundraising materials, they were removed from the list. “We have a serious responsibility in protecting that information, which is the integrity of the fundraising through the health provider,” he stated, adding that they feel the current Rule is overkill.

Mr. Rothstein and Mr. Houston reported that there are no OCR FAQs for guidance or clarity on these issues. Mr. Houston suggested that maybe the issue is some type of substantive change that allows foundations and other organizations to do their business or to regain the lost fundraising dollars. The Committee is already on record with a recommendation in this area, Mr. Rothstein reminded the group, and much of this discussion would require an amendment to the rule. He asked if there was anything HHS could do to make fundraising easier that could be accomplished without amending the rule, such as guidance, education and interpretation.

Although Dr. McGinly agreed that more guidance and clarity would help, he stated that the one thing that is really detrimental is the written authorization. He encouraged the Subcommittee to follow through and suggest a rule change.

To describe the scope of the new fundraising costs, Mr. Zeller reported that there is a significant increase: $400,000 in the short term, not including systems time for needed development, the cost of preparing three-part authorizations or new technology to manage the thousands of authorizations. It also redirects dollars and staff from other areas. He added that some of their largest contributions come from individuals, so the diminution of the percentage of individuals supporting Hopkins from 70 to 56 percent translates quickly into multiple millions of dollars. He believes that the less than 50 percent providing authorization very likely contributes to that.

Mr. Zeller reiterated that philanthropy is built on relationships and comes over a period of time. He warned that, “to keep that stream alive, you constantly have to replenish it with new relationships. If that part of the process is being interrupted, then what we see now may be a very temporary sustaining philanthropic support that could be in great jeopardy going forward.” It will likely take two to three years at a minimum to see the impact of this. He explained that, over time, the return on the investment of a philanthropic dollar is almost ten to one, and is particularly felt in the research enterprise.

Dr. Harding inquired about the number of complaints in this area, to which Dr. McGinly responded that to his knowledge, none of the 2400 complaints that had come in to OCR were related to fundraising. He added that in 20 years, he has not encountered more than half a dozen complaints, all of which were resolved and turned around.

Encouraging the Subcommittee and panelists to look at what can be done in the context of the current Rule, Mr. Houston suggested asking for guidance that would clarify that an organizationally separate subsidiary or freestanding facility would be acceptable because there is not any specific separate risk of privacy violation. Panelists and Subcommittee members agreed that the notion of physicians making fundraising appeals to their own patients was counter to ethical standards.

Panel 3 – Media Access to PHI

Sara M. Howley, North Broward Hospital District

Ms. Howley’s hospital system provides care for the northern section of Broward County, regardless of patients’ ability to pay. She stated that patient privacy has always been their top priority and described their comprehensive preparation for HIPAA implementation.

Prior to HIPAA, Ms. Howley noted, they had a little bit more leeway in the timeliness and the information they were able to provide to the media regarding public record patients. That has since changed somewhat, and they have included that in all policies. They have gone to specific efforts to educate their media relations staff, evaluate media staging areas, and then work directly with the media, law enforcement and fire and rescue.

Ms. Howley described meetings with fire and rescue personnel, law enforcement and the Florida public information officers group to discuss the new standards and processes relating to the media. They then joined all South Florida hospitals for a media summit and invited all media outlets and law enforcement in South Florida. Representatives from AHA and the Florida Hospital Association announced what would be taking place, how the changes would affect the press relationship with the hospitals, and what could be done to best work together. She emphasized that they understand that the media has a job to do.

Ms. Howley described some consequences since the HIPAA implementation. One is patient confusion. Families do not understand why fire-rescue and law enforcement can discuss information at the scene, but once in the hospital the information is protected, she said. The second consequence is that reporters will do what they must to get the information or get to the patient or the family. She has had reporters sneak into hospitals, call patient rooms directly, or wait outside for family members or patients.

Many families call to say that reporters are at the house or calling a place of business, Ms. Howley reported. Her staff explains that they are there to help, and if the family signs the consent form, the hospital can release information per their recommendation, in some instances even holding press conferences or helping the family manage the situation.

Recently they have seen a third consequence, John Doe and Jane Doe patients, Ms. Howley stated. They need to find a next of kin to make decisions on the patients’ behalf. Prior to HIPAA, they would have law enforcement come in, take fingerprints and run checks to find next of kin without going through the media. As a last resort, they would ask the media to take a photo and some information about the patient and “very instantly we would find their loved one.” She noted that this made their process much easier, whereas they are now limited to releasing a description. This is less effective at getting a family member’s attention and adds extra time onto what they would consider critical care time.

Ms. Howley’s main recommendation was for more education with the general public, law enforcement and the media. “It is very difficult to explain to the public about HIPAA rights in a time of crisis, which is when we are seeing people.” She believes education before a hospital visit would be most beneficial. She also believes that law enforcement and fire-rescue, while not under HHS, should be educated and encouraged to be more accountable for patient information.

Emily Stewart, Health Privacy Project

This organization educates the public about their rights and providers about their responsibilities, and conducts analysis on issues including the HIPAA Privacy Rule and State privacy laws. Ms. Stewart noted that when patients do have to choose, they often have to forego quality health care in order to secure their privacy. She cited a 1999 California health care survey showing that one out of every six Americans withdraws from participation in their own health care for fear that the medical information will be used without their knowledge or permission. In April 2001, a Harris survey showed that four out of ten people with multiple sclerosis had lied or failed to disclose their diagnosis to colleagues, coworkers, friends and even family members out of fear of job loss and stigma, she explained, adding that this is why they believe the Rule is so important.

By and large, health information can be highly sensitive and can be subject to public scrutiny, Ms. Stewart stated. She gave examples of well-known individuals having their depression and HIV+ status revealed against their wishes. She emphasized that the Rule intentionally states that patient medical records are not public records, although hospital directory information is available for people who know the patient’s name if the patient did not opt out of the directory.

Ms. Stewart emphasized that, in the past, media access to information was by custom, not by law. The Rule now clearly prevents hospitals from treating patient records as public records. It does allow for access outside of the core health care system for quality assessment, accreditation, reporting to law enforcement or assisting public health authorities, she reported, adding that members of the media are not deputized to be law enforcement or public health officials. She believes that their investigations should not trump the privacy of patients, and that informing the public and investigating misdeeds within the health care system must proceed within the bounds of personal privacy.

The Health Privacy Project recognizes that this issue does pit civil liberties against one another, the public’s right to be informed and a patient’s right for personal privacy. Ms. Stewart pointed out that the Supreme Court has ruled that the rights of the press are no different from those of any other third party in a situation, such as a neighbor or prospective employer. She urged the Subcommittee to keep the regulation concerning the media as it stands.

Tonda Rush, American PressWorks, Inc.

The 2500 members of the National Newspaper Association are small dailies and weeklies around the country, many more than 100 years old, Ms. Rush stated. She described how the news media use health information, which in most cases means a very simple statement of name, maybe an injury and maybe a statement of condition, to connect the community through people stories, provide information on public events and officials, and at times put health care institutions and the state of health care into the public spotlight.

Ms. Rush observed that, to the media, HIPAA has become shorthand for a lot of trouble they have had in the past year. People’s stories are often gagged, she stated, and reporters’ news sources are confused about what they can or cannot say. At one small hospital, she noted, the public affairs person said that they would not disclose anything because they were not sure what they could disclose. She called this breaking the law by not telling rather than by disclosing.

Very often, official sources that have public record responsibilities in the States and are not covered entities are using HIPAA as an excuse to not reveal things that they otherwise would have said, Ms. Rush stated. Her organization had discussed whether OCR’s online decision making tool could and should include a statement that the Privacy Rule does not affect public records laws held by law enforcement officials, for example. This would give them a place to point to when the county sheriff cites HIPAA as a reason not to release an accident report. They believed that they had an agreement from OCR to do that but there has been no follow up.

Most people in the media believe that HHS is indifferent to their concerns, Ms. Rush explained, and that any solution should be found in Congress. She emphasized that law enforcement agencies do have public records filing responsibilities and stated that media have had trouble with hybrid agencies, particularly in small towns. The regulations do allow these agencies to segregate themselves out to protect patient information and still observe their public record responsibilities. However, many of these have found the regulations too confusing and expensive, so they are treating themselves as a covered entity for purposes of press accounts only, she stated, and provided specific examples.

Ms. Rush provided numerous examples of the challenges faced by the media: whistle-blowers’ fears and newspapers’ fears of subpoenas to identify whistle-blowers; a story of viral meningitis that could only hint at numerous other potential cases; an amnesiac patient who was identified because his case happened before the Privacy Rule; and churches complaining about the discontinuation of nursing home admissions and birth announcements in small towns.

Ms. Rush provided the Subcommittee with an article about a small town workplace shooting, where the family members were gathered in a community center and told almost nothing by police for three hours. Five of their family members had been shot by an irate worker. Although the police were rightly focused on the crime, she said, the police were the source that under the present law the media and the families had to rely upon, and the source did not assuage the community concerns. In this case, she stated, HIPAA was one of the complications.

Although Ms. Rush acknowledged that a lot of information appearing in public print prior to the Rule happened as a result of custom, not public record law, in today’s world, the stories often are not being run because if there is no name, there is no story. She pointed out that if information is not reaching the public, it is difficult to know what is missing that would have been printed before. “What I think will be lost in the process is all the benefits, both direct and intangible, that come from having a spotlight on public events, on accidents, on public institutions, upon disasters, anything that you might have had some benefit from public disclosures,” she asserted.

Ms. Rush concluded by saying that it is left to the public arena and public officials to try to look at whether the kinds of information that they are unable to access and the stories that the press are unable to tell make us richer or poorer as a society.

Barbara Cochran, Radio and Television News Directors Association

Ms. Cochran emphasized the importance of health information to the public, even more than to the media. In times of emergency, disaster and other events of high public interest, a certain amount of identifiable health information reaches the public through the press, and the HIPAA privacy policy has placed a blanket of secrecy over health care information, she stated.

After the terrorist attacks of September 11, journalists used hospital lists and other records to chronicle the devastation and to do compelling vignettes about the victims, Ms. Cochran explained. Directory information enabled the public and journalists to keep track of victims of the Oklahoma City bombing, anthrax attacks and the school shootings at Columbine and in Jonesboro. She believes that information helped the public fully understand the effect and extent of such tragedies. Because of HIPAA, journalists are having a hard time finding out names of disaster and accident victims, and investigative reporting of malpractice or patient abuse is difficult or hazardous to chronicle.

Ms. Cochran focused on the broadcast media, noting that local television news is the chief source of information for 50 percent of the public and the most trusted medium. Regarding a fire, accident, or still worse, a school shooting or other tragedy, citizens turn to local television and radio, and HIPAA has made that kind of event much more difficult for reporters to cover.

HIPAA has affected what non-covered entities feel free to report, Ms. Cochran stated. Even athletic directors and victims’ relatives believe they cannot now give out information. Her examples included a department of corrections that used HIPAA to withhold information about inmates who had died in state prisons. A news team was removed from a hospital after the patient and the family had expressly invited that team for an interview. Routine requests for public record 911 recordings have been denied because officials mistakenly cite HIPAA.

Ms. Cochran’s organization has distributed and posted online an FAQ on the background and fundamentals of the Rule, so that reporters can assert their rights to obtain information when it is mistakenly being withheld. They requested that information be posted on the HHS Web site clarifying that HIPAA does not preempt State public record laws, and that State law enforcement agencies that are not covered entities may still provide patient information. They have not received a response to that request.

Describing recent stories that have lacked health information, Ms. Cochran fears that another disaster will disclose the problems. She suggested that “the HIPAA rules are in contravention to the goals that the federal administration is trying to achieve now in making sure that there is quality information after a homeland security disaster occurs.” If information about what to do and the status of loved ones cannot be disseminated on radio and television, something that began as a crisis can quickly develop into a disaster, she believes.

Ms. Cochran provided another example of a Syracuse public school bus that had an accident while carrying 40 pupils on a trip. Almost all of the students were injured and were taken to a variety of hospitals around the area. The hospitals could not release information about what kids they were treating and the parents were unable to get the information from the news media, so parents had to go from emergency room to emergency room trying to find their children.

Ms. Cochran’s organization offered nine specific proposals, listed below, for the Committee and HHS to consider.

  1. The rules should be revised to allow a covered entity to disclose basic information about an individual’s medical information to the press and the public, so as not to interfere inappropriately with news reports on matters of public interest.
  2. The definition of a covered entity should clearly exclude public agencies, including fire and law enforcement departments.
  3. The definition of health care should clearly exclude emergency services provided by emergency and law enforcement agencies.
  4. State laws should be pre-empted, and that should be clearly stated.
  5. The regulations should be revised to ensure protection for whistle blowers to report their concerns to journalists or others charged with investigating the quality of health care.
  6. The regulations should state that they do not apply to health information of individuals who have died.
  7. The rule should not afford the ability to restrict public access to directory information.
  8. The regulations should not apply to entities including public health authorities and law enforcement agencies that receive disclosures of health information from covered entities.
  9. The regulations should clearly state that the civil and criminal penalties do not apply to the news media in cases where information disseminated by news media is received from a third party who may have violated HIPAA.

Rebecca Daugherty, J.D., Reporters Committee for Freedom of the Press

Probably nine-tenths of the questions to this organization’s legal hotline for reporters have to do with inability to access information from government or other entities such as hospitals, Ms. Daugherty explained. Her primary concerns were in two areas: the effects of the Rule on would-be whistle blowers and the need to dispel some bureaucracies’ mistaken belief that these rules apply to them and that they would be subject to penalties for giving information to reporters.

The effect on whistle blowers is certainly pernicious, Ms. Daugherty stated, but her organization does not know how to document that effect, other than to point out the kinds of stories from whistle blowers in the past. If whistle blowers are faced with fines and possible criminal penalties of $25,000 to $250,000, the media is unsure what those people will do when they have a story that they feel needs to be disclosed through the press. She gave the 1960 example of Miss Evers’ Boys, a four-decade long experiment on black men with syphilis who were not treated with the standard of care for the time but were allowed to deteriorate as part of a study of the effects of the disease. This study was approved by the American Medical Association and the Centers for Disease Control, Ms. Daugherty added. When AP published that story, the experiment was over within a week. She believes that a doctor might not tell a reporter about such a situation today because of the penalties on the health care professional.

A more recent example occurred in a fertility clinic at the University of California-Irvine that was selling embryos, Ms. Daugherty related. Clinic workers notified the press and worked with the reporters. Again, as soon as the story was reported, that situation stopped. These are the kinds of things that the public does not hear about now, she observed.

Ms. Daugherty emphasized the need to dispel the widespread fear among some bureaucracies that they might also be affected by these penalties, so they cannot talk to the press. She noted that media would rather get medical news from medical professionals, but with more clarification they could more readily learn about what law enforcement observed and be able to provide information to the public. In many cases people really need this information, she added.

HIPAA will also eliminate any undercover reporting, such as posing as nursing home assistants, by reporters who are not willing to also pay fines, Ms. Daugherty stated, adding that some stories can only be uncovered through this method.

Regarding public figures, Ms. Daugherty pointed out that, traditionally in tort law, public figures are, “to be quite crass about it, fair game for reporting, and that is a good thing, because it tells the public things that they need to know.” She observed that these rules do not allow any publication of information about the health of people to whom we trust our lives, such as pilots and bus drivers.

In closing, Ms. Daugherty stated that they had heard testimony that police and firemen do not get facts right, so they should not give out information. She asserted that it is very important for HHS to make clear that penalties do not apply to non-covered entities such as law enforcement.

Debra Goldschmidt, Columbia University Graduate School of Journalism

Ms. Goldschmidt spent the 2003-2004 academic year researching and tracking the impact of the HIPAA Privacy Rule, looking at police investigations, fundraising research, media access and more. Her presentation addressed the Rule’s impact on medical archives.

Ms. Goldschmidt reported that Stephen Novak, head archivist of the Augustus C. Long Health Sciences Library at Columbia University, believes that access to much of the contents of health science libraries is in jeopardy because of HIPAA. The problem is that many of the records contain PHI. Anyone wanting to review these records has had to sign an agreement that they will not use any names or personally identifying information. But this is no longer enough.

Ambiguities in the law have caused confusion over access to records, Ms. Goldschmidt noted, adding that there is even a question as to whether these libraries may be covered entities. At Columbia, the library is part of the medical school and hospital; therefore, hospital attorneys say the library is a covered entity and must comply with HIPAA. However, the library of medicine at Harvard is part of the university and not the hospital, so they consider themselves exempt.

Ms. Goldschmidt described the confusion resulting from various institutions interpreting the rule as they see appropriate. Some institutions are suffering from overzealous application and interpretation, she said, because they are simply playing it safe. She posed several questions: is the Rule retroactively applied, and if so, how far back does it go? If a letter written by a doctor contains a patient name, is that PHI? And can consent be assumed for the use of photographs previously published, even if the original consent form is missing? Last October, two archivists’ organizations sent a letter asking Secretary Thompson for clarification, she reported, but there has been no response.

At Columbia, requests for records containing PHI are now reviewed on a case by case basis by the hospital’s privacy board, Ms. Goldschmidt stated. She believes this could discourage historians from using the valuable archives. The law does have an exception for research, but in fall 2003, HHS ruled against two biographer/historians who had requested the records of two deceased individuals from the National Library of Medicine under this exception. She reported that they were told that historical research did not meet the criteria for research as defined by the Rule. If this is the case, Mr. Novak said, they cannot show their collections to anyone.

Mr. Novak also fears that valuable records that are not already part of archives may be destroyed, Ms. Goldschmidt stated, because the small practices or town halls that have them may feel the prudent step is to get rid of them. Archivists say this will be a real loss to future historians, and that HIPAA is standing in the way of history.


Mr. Houston asked Ms. Howley whether issues relating to media rights came up in her media summit. Ms. Howley explained that the summit was prior to the implementation and introduced a lot of new information to the media and clarified some issues to them. They held another media meeting in May 2004 with just a few local affiliates and newspapers. She stated that patient privacy was very much an issue, particularly the consistency of how hospitals were responding. Her organization is planning to do another large summit as a one-year follow up, “to really get some good information and find out what we can do to work better.”

Ms. Howley believes that more direction and education, such as real-life scenarios, would be valuable. They are often told to use their best judgment, and since their priority is patient privacy, their best judgment might be to err on the side of caution. She reported that her hospital system does not have a different HIPAA standard for VIPs, athletes, politicians or victims of terror. If someone well-known enters their hospital, she added, they definitely contact the person, but they require consent before releasing additional information. She was not aware of any cases in which media access efforts have actually impeded patient care.

Mr. Reynolds commented that the testimony ranged widely and stated that it is very difficult to deal with the individual person’s privacy and know what to say about that. He added that adjustments to the Rule are a very fine screwdriver that can easily push it too far one way or the other, and asked for insight on how to make those adjustments.

“We are definitely looking at this from the point of view of a public viewer and not as the custodian of a record,” stated Ms. Rush, adding that “we have very gradually…been shifting away from an open society to a need to know society,” and calling this a slippery slope. She compared trying to understand public vs. private information with knowing which plants to save in an Amazon jungle: it is too soon to know the effects of a loss.

In crafting HIPAA, the agency, to its credit, took the best it could understand and some basic principles that it believed in about the right of a patient to control records, and installed a standard that Congress had never really debated, Ms. Rush stated. She discussed the dangers of creating a “Swiss cheese” list of people who need to know and how this would likely deliver distorted information to the public record.

However, Mr. Rothstein believes that the change in the way we view medical records and privacy is a 50-year trend in American health care, seen in research ethics and patient care. It is conferring greater autonomy on individuals to decide who should have access to their information and to what sort of medical care or research they consent, he stated.

Referring to testimony about Arthur Ashe’s HIV status, Ms. Stewart believes it is essential to convince people that their privacy will be protected in order to get them to come get HIV-AIDS testing. She believes that Arthur Ashe’s individual right to medical privacy was compatible with the public good. Ms. Daugherty disagreed, believing that it was important for people to know that a person with Arthur Ashe’s stature and character had this kind of disease. She feels it educated the public about HIV in a way that countless lectures by countless physicians could not.

Ms. Cochran redirected the discussion, saying that the Arthur Ashe story is not the norm; rather, this is about being able to report who the victim was in the car accident on the bypass in a timely fashion on that night’s news. She urged the Subcommittee to focus on the day to day news coverage that before HIPAA was commonplace, was of great use to people and did not have very much to do with electronic recordkeeping.

Mr. Houston stated that privacy is in HIPAA primarily to allow patients to be confident that their medical information is going to be kept confidential, so it scares him to bend at all with regard to its release. He reiterated the need to look at the public good. In his mind, the balance is far on the side of ensuring that people feel comfortable seeking medical treatment. He thinks authorizations could accommodate much of the need described in this testimony, acknowledging that there may be narrow exceptions and better coordination to get information to public authorities for release. Overall, Mr. Houston disagreed with Ms. Cochran’s comment that there were not problems in this area before HIPAA.

Offering to try to draw some brighter lines, Ms. Rush contrasted the situation of licensed professionals as opposed to journalists. It is natural for an attorney to suggest taking problems to official channels, she explained. But a journalist will say that that does not always work, that sometimes the people in the official channels are the problem. In one example, a New York Times reporter was subpoenaed for the name of his source inside a nursing home, who revealed that a doctor was injecting elderly patients with a muscle relaxant. The complaint had first been made through the nursing home channels and through the medical society with no response. The physician was eventually charged with homicide.

Mr. Rothstein tried to work out some satisfactory recommendations. He emphasized that the Privacy Rule only prohibits covered entities from making certain disclosures. It does not mandate that a hospital provide information if they do not want to. The Subcommittee could only recommend clarification that HIPAA cannot be used as a shield to protect people who do not want to disclose information to the press.

Regarding whistle blowers, Mr. Rothstein pointed out the provision in the Rule that states it is not a violation for an employee of a covered entity to disclose PHI about a patient in good faith if it is part of a report to law enforcement officials, to a lawyer representing that individual, to a regulatory agency or to an accrediting agency. If a fifth provision for the media were added, he asked the panelists, would that be satisfactory?

It would, Ms. Daugherty replied, and she agreed to provide the Subcommittee with examples of other whistle blower statutes that do mention the media or the press by statute, regulation or case law. Ms. Rush was uncomfortable with a distinction of the press from the public. She suggested that the exception include disclosure to members of the press or the public that are reasonably designed to lead to prosecution or enforcement for purposes of bringing a problem to light. Mr. Rothstein felt this could be done without creating disclosure by anybody for any reason. Ms. Stewart felt her organization would disagree with that and that it was a slippery slope.

Addressing another specific provision, Mr. Rothstein brought up allowing reporting to law enforcement officials in emergencies. This would not apply to press coverage or publicity surrounding victims of accidents so that the family would learn of the incident from the media. He asked the panelists what sort of limited media exception the Subcommittee should recommend and whether it is possible to craft such a provision without opening a can of worms.

Ms. Cochran indicated that they would be glad to work on such a provision. Mr. Rothstein asked about her recommendation number seven, “The rule should not afford the ability to restrict public access to directory information.” Did this mean she recommended that a hospital should be required, over a patient’s objection, to tell anyone who calls that the patient is there? Following a brief discussion, he stated that he took her statement as a motion to withdraw number seven.


Mr. Rothstein recognized lead staff John Fanning, who was to retire at the end of July 2004 after a very distinguished career at HHS as the primary person in charge of all the privacy within the agency. Calling Mr. Fanning “a legend, irreplaceable,” Mr. Rothstein and the Subcommittee members wished him well and thanked him for his years of service.

The concern that Mr. Houston heard out of the marketing testimony is that the Privacy Rule gives varied permission to provide communications to patients. He compared the clearly-defined rules about providers leaving appointment reminders on patients’ voice mail with the less-controlled mailings related to pharmaceuticals, concluding that a lot of good communication about marketing needs to occur.

Mr. Rothstein agreed that there is seeming inconsistency in the treatment of similarly situated covered entities in the Rule. He feels the Subcommittee should point out to the Department where they see indefensible inconsistencies and where covered entities are treated differently for no legitimate reason. In those cases, he believes the Subcommittee should make recommendations about how to even out and standardize the burdens and benefits of the Rule.

After discussion of what specifically might be required in the mailings and attempts to clarify what level of disclosure was most desirable, Dr. Cohn put forward that there was not a full representation of testifiers on this topic; the group had not heard from pharmaceutical companies, whose relationships with pharmacies are very complex. He also felt that these issues were closely linked with e-prescribing and asked if there are principles that the Subcommittee can broaden out that might have applicability beyond the relatively segmented issue of direct mail communications between pharmacies and consumers. Mr. Rothstein supported this point, noting that they would have to be careful in phrasing whatever they recommend, considering how it will apply to other groups.

The group might discuss whether payment makes any difference for the issues of concern here, Mr. Fanning suggested. He pointed out that the communication is coming as allowed by the regulation from an organization that properly has information about a patient and that the patient knows has the information. Mr. Rothstein stated that at some level he was troubled by the idea that a company is making profit based on the information. However, he recognized that there are so many ways of indirectly compensating pharmacies and providers that he does not want to create a system that encourages people to work around it.

Focusing the group back on PHI, Mr. Reynolds stated that the Privacy Rule does permit a pharmacy to send information out to all of its customers, not just the customers using that drug, regardless of who pays for it. When PHI begins to be used for directed marketing, he does not think there is much gray area.

The lack of clarity, Mr. Rothstein pointed out, is in the Privacy Rule’s current definition of marketing and exception for three kinds of communications. He asked the Subcommittee members whether they felt there was sufficient information on which to make recommendations regarding this issue of marketing.

It would be nice to know what the NCL just released relating to this, Dr. Cohn commented. Mr. Rothstein felt that there was agreement on one issue: that any communication under this “unless” clause should not be in a form that indirectly indicates information about the health condition of the individual to other recipients. Dr. Harding asserted that at this point he did not have enough knowledge and suggested stating that there continues to be a problem with the definition of marketing versus disease management versus treatment that requires clarification by the Department and others. He advocated staying on the policy and definition end of the process.

The Subcommittee could say that it heard testimony that there are continuing problems surrounding marketing, Mr. Rothstein proposed, and that there is concern in three areas: first, the definition of marketing and its exception, including whether the covered entity has an arrangement with a third party; second, the notification provision concerning the methods by which these communications take place, in that sometimes diagnoses and other information are disclosed to other individuals; and third, the lack of methods for individuals to opt out of these kinds of disclosures. He suggested that this would raise a red flag and lead the Department to try to figure out how to address these concerns within the framework of the Rule.

Ms. Greenberg emphasized the importance of only giving guidance if it is clear. She observed that HHS and the broader health industry and community take seriously what the National Committee reports. If the Subcommittee feels comfortable in making these comments, she believes there is value in doing so. She identified the real issue as determining the benefit of continuing to try to work on this and getting other testimony. Mr. Rothstein stated that the careful focus that this requires may be outside the time and resources of this group, other than calling attention to the fact that they see a problem here and think it should be addressed.

Although there are some high level concerns that are not well developed, Dr. Cohn concluded that the Subcommittee needs to investigate this further, noting that they have not heard OCR’s perspective on this. He suggested possibly asking OCR to testify. The group is talking about marketing, he observed, but these particular issues quickly merge into a conversation related to the overall issue of handling prescriptions, prescribing and communications. “I would be more comfortable if we figured out what we learned from this, what the next steps are for us to learn more, and then envelop it into a larger conversation related to all of that as it relates to privacy and confidentiality,” Dr. Cohn said. Ms. Greenberg was not in favor of combining this with e-prescribing standards issues.

Dr. Cohn and Mr. Fanning agreed that it is very difficult to write in a legal enactment a distinction between health promotion activities and marketing. Although suggesting notification to mitigate concerns about communications, Mr. Houston agreed overall with Dr. Cohn, that they did not hear enough information to make an informed decision. There was no testimony from a health plan or physician to talk about the importance of these types of communications, especially to people with chronic conditions.

The Subcommittee can conclude that there is an issue, Mr. Houston stated, and we need to delve deeper into the issue and to get a more balanced view to possibly develop a more comprehensive recommendation.

After discussion of several alternative letter approaches regarding conclusions about marketing and further study by the Subcommittee, the group turned to discussing Ms. Greenberg’s proposed approach to OCR to clarify outstanding issues that impact this issue.

The letter could state that there is not enough information and that the Subcommittee is having some difficulty engaging OCR in this work, Ms. Greenberg suggested. Such a letter would go on the Web site and be discussed in the public meeting. She felt that asking for specific feedback on what OCR is hearing or how many complaints they have had on this issue, trying to engage them, would be reasonable and would require some kind of a response.

Rather than focus on complaints, Mr. Reynolds was concerned with the administration of a law so that all involved in that law can understand. That is the transmission of information that is not occurring, he asserted. Dr. Cohn identified the more fundamental question as whether the regulation needs to be modified or whether OCR can further clarify. He felt that Ms. Greenberg’s concept of a letter was a good vehicle and raised the consideration of sending a process related letter, one that talks to OCR about participation, interaction, ongoing agenda setting, etc., rather than an issues letter about marketing and privacy. These process elements would be discussed at the executive committee retreat, Mr. Rothstein stated.

Mr. Rothstein asked for a vote on the Greenberg letter, which he summarized as follows: the proposal is to send a letter from the full Committee to OCR, stating that there have been recent hearings with two witnesses and many others in prior hearings on the issue of marketing. These raised several issues that resonated with the Subcommittee and Committee. The three areas of interest are disclosure of arrangements in marketing, the methods of communication with patients and whether they should be restricted to avoid unnecessary disclosure of PHI, and whether it would be feasible to have some sort of opt out provision in these notification areas. The Subcommittee thinks these are important issues that involve many consumers and that they have not heard from all the stakeholders. More hearings could be held to pursue this but this group would like to know OCR’s interest in this area, possible actions in this area, and guidance as to how to be most helpful to OCR on this topic. Mr. Rothstein noted that all Subcommittee members would have an opportunity to work with the language.

Members mentioned specific questions for OCR, such as how many complaints there have been in this area and the opt out issue, but Mr. Fanning noted that those did not fit the overall letter. Dr. Friedman asked whether the OCR was expected to write a response or make a presentation to the committee on these particular questions. A presentation and dialogue might be preferable, according to Ms. Wattenberg, because of the complexity of the issues. Mr. Houston asserted that the Subcommittee should have the dialogue with OCR, “a good old sit down meeting with them,” rather than go through the Committee itself, with a formal structure. To this Ms. Greenberg suggested that Mr. Rothstein invite OCR to his breakout session in November.

Discussion followed regarding the scheduling, approval and sending of the letter by the Subcommittee vs. through Executive Committee channels. Mr. Rothstein pointed out that the letter as originally described, from the Subcommittee, has value beyond its delivery because it will be posted on the Web site as a public record that the Subcommittee is interested in these issues and that they need to be resolved.

Mr. Houston has observed a kind of tension between OCR and NCVHS over certain privacy issues. He proposed a less formal communication to OCR asking them to come in and do some planning and discuss some potential issues related to fundraising, emphasizing that this group does not want to get it wrong. The NCVHS mission is to be an advocate for certain positions that we think are in the public’s interest, Mr. Rothstein responded, and they may not necessarily align with OCR’s perceptions. He agreed that it would be nice to work with OCR but advocated putting forth independent views on various issues.

For this letter, Mr. Reynolds asked, since there are no recommendations and it is more of a request, if Subcommittee members could give proxy rather than each person editing. Ms. Greenberg suggested that Mr. Rothstein draft the letter and get input before the Executive Subcommittee meeting in August. Then there would also be the possibility of asking OCR to meet with him in his breakout in September, certainly in November. Mr. Rothstein noted that the Subcommittee would have to delegate authority to members who would be in attendance there: himself, Dr. Cohn and Ms. Greenberg. Dr. Harding stated his belief that the Subcommittee would support the chair and its other members to do what is right and expedient.

Mr. Rothstein then asked for a vote on whether to draft and approve a letter to OCR as previously described for the Executive Subcommittee retreat in Princeton in the first week in August, 2004. At that time the chair of the Subcommittee along with Dr. Cohn can present the letter to the Executive Subcommittee as an indication of something under consideration, and ask for input from the Executive Subcommittee in the context of a broader discussion of the relationship between the Committee and Subcommittee and OCR. Mr. Houston seconded and the proposal carried.

Dr. Cohn and Dr. Friedman gave a brief presentation on e-prescribing. Under the Medicare Modernization Act, Dr. Cohn reported, NCVHS was asked to advise the Secretary on e-prescribing standards. They are beginning to get industry requests for a more in depth discussion on possible privacy and security issues related to this issue. He noted that this topic has many layers of complexity, one of which is marketing. This can either be a privacy issue or more of a general “what’s right to do in the world of e-prescribing,” he stated.

It occurred to Dr. Cohn and Ms. Friedman that the Privacy and Confidentiality Subcommittee could take leadership to hear from the industry and better understand the concerns in order to advise the department on any issues and potentially mitigating strategies. Although this is considered a high priority item, initial investigation can begin after September, he stated.

Dr. Friedman expressed her hope that hearings in July and August 2004 with stakeholders in this issue would result in recommendations to the full Committee for consideration in September. Hearings farther out into mid-March will be aimed at solidifying the recommendations and adding others that were not addressed early on. She noted that there are implementation issues for successfully launching e-prescribing in Medicare Part D and elsewhere, and she views privacy as an implementation issue more than a standards issue.

The Subcommittee will need to hear the industry’s concerns and issues, Dr. Cohn stated, so if the group agrees, the Subcommittee can work with the chair to determine the optimal time for a first hearing and then work back from the final goal date for information. He added that e-prescribing is a 2004 issue, whether September or later in the year, and that he suspects the themes are similar to those that have been discussed, since “privacy is privacy after all.” Dr. Friedman noted that they will get a sense of the industry’s emerging issues in July and August.

Returning to the topic of fundraising, Mr. Houston summarized the testimony that the Privacy Rule has impacted fundraising, both in terms of additional effort and cost but also a substantial decrease in fundraising dollars, which has had a pronounced effect on non-profits engaged in health care fundraising. Emphasizing the testimony that these fundraising dollars support research as well as treatment, Mr. Houston advocated that the Subcommittee recommend allowing the patient service department to be made available for fundraising purposes because of its documented impact on fundraising. He was inclined to wait for the final written opinion from the Health Policy Institute on including this additional piece of information for fundraising.

Recalling that the Subcommittee had made a recommendation on this in a prior letter to the Secretary in March of 2000, Mr. Rothstein observed that it was a broader recommendation but did not include that particular point. If there is agreement, he suggested that a letter should reference the prior letter and say that the Subcommittee renews its recommendation along particular lines and describe the issues of particular concern.

Although Mr. Houston felt the letter should emphasize the documented detrimental impact, Mr. Rothstein did not feel sure that there was enough direct evidence, so he suggested saying that there is evidence of a decline and the professionals in the field think this is attributable in no small part to the Privacy Rule. The Rule has definitely cost fundraisers more money and given them less access to donors, Mr. Reynolds pointed out. Mr. Houston felt it fair to cite the panelists’ statistics or at least the fact that they have statistics.

Mr. Rothstein also advocated making the argument that patients of specialty hospitals may receive a letter asking to contribute for cancer research, but that at Hopkins, fundraisers cannot be told that patients are in the oncology department and must send out a general fundraising letter unless the patient signs a specific authorization. The recommendation could state that PHI or other information can be disclosed to fundraisers at the hospital and their business associates and would propose adding the service department information. Mr. Houston reminded them that it also must say that fundraisers can use the information. Other Subcommittee members indicated the need to address why they want it.

The original rationale for not allowing point of service in a general hospital was to protect especially sensitive issues: infectious disease, genetics, psychiatry, some types of reproductive issues and others, Dr. Harding stated. He asked whether this is no longer a valid issue, though stating that he did not want to stop research and gathering of money for hospitals.

Mr. Fanning explained that the sensitivities are still there but pointed out that the institutions involved have every incentive to get it right from the privacy and intrusion standpoint, or they will not get money. Mr. Houston then suggested recommending that materials must be appropriately packaged to maximize privacy protections. A recommendation could be included that says special care and professional standards need to be closely followed in fundraising for sensitive or stigmatizing conditions, Mr. Rothstein suggested, and Dr. Harding concurred.

Mr. Houston moved that the Subcommittee recommend to the full Committee that the fundraising provision be clarified or amended to allow for the provision of data related to patient service department for the purpose of fundraising. Mr. Rothstein added that they might include in the letter their own definition of patient service department as broad areas of service. The Subcommittee voted unanimously in favor of the recommendation.

Regarding process, Mr. Rothstein told the group that Kathleen Fyffe is on temporary reassignment and Mr. Fanning has moved to fill in for her through the end of the month, but they do not have a lead staff person or someone with whom they have worked in the past to construct a letter. Noting that he would be assembling the initial marketing proposal in the next ten days, Mr. Rothstein asked for a volunteer to draft the fundraising letter, and Mr. Houston agreed to do this. Ms. Greenberg noted that the group could agree on the fundraising letter via e-mail.

For the letter, it was agreed that the Subcommittee would ask that, at its discretion, OCR either modify the Rule to add department of service or release guidance. Then it will be OCR’s decision to change the regulation once they consider other opportunities.

Discussion moved to the panel on privacy and the media. These panelists believe that investigative journalism should be considered research, Ms. Wattenberg stated. Mr. Houston agreed, but noted his concern over one panelist’s attitude that public figures are fair game, which he feels goes well beyond the bounds of investigative journalism of some egregious issue. He also believes that journalism is often politically charged, pointing out that researchers are able to get at patient information—by going through extremely rigorous controls—only for something that is absolutely clearly to pursue the public good and further medicine.

Ms. Wattenberg raised the issue of whistle blowers and penalties and Mr. Rothstein reviewed the existing whistle blower provision, which does not include the press. The Subcommittee explored ways in which that language might be amended to protect people who report misconduct to the press from civil and criminal penalties. Mr. Rothstein believes this is not just making the media’s job easier, but has a real public interest. There are no government controls for the media, Mr. Houston stated, fearing that disclosing information as a whistle blower activity could become a pretense and be used to potentially litigate matters in the media.

One of the most troubling things Mr. Rothstein found in the testimony was that the media should have not only access to medical records of public officials but also the people who fly airplanes, drive buses, “and if you go down that route, who sit on federal advisory committees.” Mr. Fanning pointed out that risks will increase if pilots are discouraged from drug and alcohol abuse treatment by publicity.

Although Dr. Cohn felt it was reasonable to alert OCR that HIPAA is being used as an excuse by people who are not covered by the Rule, Mr. Fanning believes that OCR is already clear about all this and it is not desirable to emphasize that other institutions are not subject to a privacy rule. Ms. Wattenberg brought up panelists’ need for clarifications regarding state law preemption: that open record laws are open record laws, HIPAA is HIPAA, and who is a covered entity.

The one recommendation that Mr. Houston felt was actionable related to getting out information on patients being treated after a disaster. He suggested a recommendation that OCR provide guidance on setting up processes for documentation so that in the event of a disaster it would be clear that the media could go to public authorities rather than hospitals and that information could be disclosed to those public authorities for further dissemination to the news media. Mr. Rothstein pointed out that it is already clear that this can take place under HIPAA. The media wanted to change that because they felt public officials were too slow in reporting and family members and the press could not get enough information from the public officials, so they wanted to get it directly themselves from the hospitals.

Mr. Reynolds emphasized that the law exists to set due process in place to provide the information needed for a specific reason, not because it is important to have it on the 6:00 news. He encouraged the Subcommittee to protect that due process, pointing out that subpoenas and everything else can speed up some processes. Mr. Houston summarized the situation as a person having privacy rights and choosing to exercise them and the media not liking it.

The panelist on archiving and historians raised some different questions, Ms. Horlick pointed out. Mr. Rothstein suggested making that a topic to consider on new issues.

Some of the panelists on the whistle blower issue are planning to send a letter to this Subcommittee, Mr. Rothstein stated, advocating that the four categories of permissible whistle blower contacts should be expanded to a fifth one, covering the media and other people. He recommended waiting on any actions in this area until the letter. Noting that he did not hear support for any of the other specific media provisions, it was concluded that the Subcommittee would simply continue to monitor this area in the future.


Identifying the new issues as e-prescribing and archival information, Mr. Rothstein summarized the presentation on medical archives: the panelist believes the Rule is preventing important historical research at medical schools or hospitals, because they are covered entities. The archives association sent a letter to the Secretary in 2003 asking for clarification but have had no response and in other areas there has been an overzealous use of the Rule to deny access.

Dr. Cohn reminded the group that the previous day’s presentation on security was intended to be a preview to some sort of an additional investigation or hearing from the industry. Mr. Houston felt that security needed immediate discussion in order to flesh the subject out for testimony. His impression was that the only substantial issue was a small amount of concern over medical equipment. This was partly due to the flexibility of the guidance.

If the department comes up with an FAQ on medical equipment, Dr. Cohn suggested, this Subcommittee needs to make sure from the industry that it is sufficient. He added that if they have not produced an FAQ, this group will need to learn about the issues from the industry. No further issues were raised relating to the security presentation.

Mr. Rothstein introduced two new issues for the Subcommittee, beginning with the use of PHI as a commercial asset in the bankruptcy of biotech and biobank companies. Any privacy and confidentiality agreements associated with the human specimens held by these companies were abrogated by the bankruptcy filing. Another use of PHI is as collateral for health care financing, collateral in putting deals together in mergers and acquisitions and all sorts of commercial transactions. He is concerned with the legality of this practice.

Mr. Rothstein’s final issue for future discussion was that, in doing constituent work, elected officials at all levels of government and their staff members call agencies that may be covered entities and inquire about the health status of their constituents. In response to this, PHI is being disclosed without authorization to people who are presumably acting on the patient’s behalf.

An issue from Dr. Cohn was that the new coordinator for health information technology has as part of his charge developing an evaluation document relating to EHRs and privacy and confidentiality in the current HIPAA privacy rule. He suggested they have a conversation with Dr. Brailer, who will be at the Executive Subcommittee meeting, to see how they can assist and also determine whether public hearings are needed on this issue.

The long-standing issue of CMS using the internet for personal health information was the second issue from Dr. Cohn. He proposed having CMS come and discuss its policy and the reason for it as well as hear views from others in the industry. Ms. Greenberg and Mr. Fanning felt that this might instead be a Standards and Security issue, and Dr. Cohn concluded that they should talk to the Executive Subcommittee to determine this.

Ms. Greenberg introduced the issue of the EHR and the NHII and the need to uniquely identify individuals. She clarified that this is not just the unique identifier for individuals, but “the need to identify a person uniquely in some way so that you know that you’re exchanging information about the same person, and all the different ways that that might be done.” Dr. Cohn thought this might be interrelated with e-prescribing, which the full Committee will discuss.

Another issue originating with Mr. Rothstein, for which he would like to put himself on the agenda, is to explain his deep concern with the direction of U.S. health privacy policy. He summarized his thoughts as follows: “Our policy has been geared toward preventing the intentional or negligent disclosure of information…but most of the privacy violations or intrusions on individuals are perfectly legal and happen through the compelled authorized disclosure of information by individuals.” He gave the example of a prospective employer making it a condition of employment that a person sign an authorization releasing all of his or her medical records. That is legal in 48 out of 50 states, and legal under the federal Americans with Disabilities Act, he pointed out, adding that this is also legal for a health insurer, life insurer, mortgage company and a whole range of others with leverage over the individual. He believes this is the most important privacy issue of the future and is closely linked with the development of the EHR system.

The list for the Subcommittee’s future discussion and hearings consisted of: e-prescribing, archival records, privacy issues under the Security Rule, public health information in bankruptcy and commercial transactions, disclosures to elected officials, unique identification issues in electronic health records and NHII, privacy, and electronic health records including or related to or as a subset of information held by non-covered entities.

Once the Subcommittee members voted, Mr. Rothstein stated that he would report to the Executive Subcommittee that this group would plan hearings in fall 2004 dealing with the issue of e-prescribing and privacy issues under the security rule, then after January 1, 2005, on archival records and unique identification. Follow up hearings may be needed, so they would address longer term, bigger picture privacy issues in spring 2005 at the earliest.

Dr. Cohn added that the EHR focus is probably determined after discussions with Dr. Brailer and that group. Mr. Rothstein grouped this either with unique identifiers in the winter or with long term privacy issues in the spring. Discussion of dates then took place. Subcommittee members agreed that their chair would poll the Committee for two days each on e-prescribing and security.

I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/ 5/9/05


Chair Date