James A. Tacci, MD, JD, MPH (FACOEM, FACPM)
American College of Occupational and Environmental Medicine
National Committee on Vital Health Statistics
Subcommittee on Privacy and Confidentiality
Hearing on Possible Expansion of Protections Afforded by the HIPAA Privacy Rules
September 15, 2006
Distinguished members of the panel, my name is Dr. James Tacci. I am an Assistant Professor and Residency Program Director in the Department of Community and Preventive Medicine at the University of Rochester Medical Center. I am the site medical director for one of the largest manufacturing facilities in upstate New York. Also, and perhaps most applicably, I am an attorney and co-author of a nationally published HIPAA compliance manual. Among other activities, I serve as the Co-Chair of the American College of Occupational and Environmental Medicine’s (ACOEM’s) Committee on Ethics.
I am here today representing ACOEM, and on behalf of ACOEM and its members, thank you for this opportunity to provide comments on the possible expansion of protections afforded by the HIPAA Privacy Rules. My comments will in large part be a restatement of prior ACOEM positions which: promote the protection of individuals’ health care information; seek to limit the inappropriate use or disclosure of such information; reiterate the logical role of physicians as gatekeepers of that information; and seek to minimize the undue influence that is sometimes placed upon physicians to inappropriately disclose health information.
By way of background, ACOEM represents approximately 6,000 physicians and is the world’s preeminent and largest organization of physicians specializing in the practice of preventing, assessing, and treating occupational health problems. Occupational and environmental medicine (OEM) seeks not only to prevent and manage occupational and environmental injury, illness and disability, but also to promote the health and productivity of workers, their families and communities.
OEM physicians not only interact with patients, their families, other health care providers and health insurers, but also interact with employers (including CEOs, general counsels, human resources personnel, plant managers, etc.), other health and safety professionals (including industrial hygienists, safety engineers and ergonomists) and workers’ compensation and disability carriers. Our members provide clinical or consultative services in a wide variety of practice situations, including: clinical services; medical surveillance; fitness for duty examinations; pre-placement examinations; independent medical examinations; disease and disability management; analysis of aggregated clinical data; health promotion and wellness programs; occupational illness prevention programs; and employee assistance programs. These activities are performed in the context of myriad federal and state health and safety regulations.
These activities and programs can result in the prevention, early diagnosis and treatment of disease, and encourage employees and their families to practice healthier lifestyles. If medical information gathered from such programs is not kept private, participation in these programs will be in jeopardy. Protecting confidentiality and privacy is imperative to preserving patient trust and employee trust in the workplace.
ACOEM has a longstanding record of advocacy in support of the preservation of the privacy of medical records, particularly employee medical records. This has for many years been a fundamental tenet of ACOEM’s Code of Ethical Conduct. Since 1994, ACOEM has called on Congress to ensure the privacy of employee medical records. On no fewer than five occasions since 2001, it has been ACOEM’s privilege to provide the Department of Health and Human Services with suggestions as to how the long-awaited HIPAA Privacy Rules might be improved to better protect individuals’ health information, or to better equip our physicians to safeguard that information, and we appreciate the opportunity to do so once again today.
Today we have been asked to address three distinct but related questions dealing with the possible expansion of the protections afforded under the HIPAA Privacy Rules:
- What federal and state laws currently regulate the privacy, confidentiality and security of individually identifiable health information (IIHI) used by your organization or those you represent?
- If HIPAA were extended or some comparable legislation was enacted to regulate your use of health information, what effect do you think the law would have on your operations?
- If, instead of receiving all of an individual’s health records pursuant to an authorization, you received only those relevant to your needs, how would this affect your operations?
The questions shall be addressed in the context of either our member physicians, or their employers. For each, where applicable, the potential advantages, disadvantages and possible unforeseen/unintended consequences are presented.
1. What federal and state laws currently regulate the privacy, confidentiality and security of individually identifiable health information (IIHI) used by your organization or those you represent?
On the federal level, many (but certainly not all) of our physician members and/or their employers (based on their activities and the type of transactions in which they engage) are considered “covered entities” under the HIPAA Privacy Rules and/or Security Rules, and are therefore governed thereby. In addition, and apart from HIPAA, nearly all of our physician members and/or their employers operate within a regulatory framework that requires and governs the use and exchange of individually identifiable health information, including but not limited to: the Occupational Safety and Health Act (OSHA); the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); and the Mine Safety and Health Act (MSHA). In addition, occupational medicine physicians and their employers have obligations under other federal standards, such as those issued by: the Department of Transportation (DOT), as with commercial driver’s licenses; the Department of Energy (DOE), as with nuclear operators; and the Environmental Protection Agency (EPA), to name just a few.
On the state level, our member physicians are generally bound by rules of professional conduct, typically with oversight by their state licensing boards, state health departments or state education departments. Also on the state level, our member physicians and their employers typically operate under rules governing exchange of medical information and/or mandatory reporting that are promulgated by: state health departments, state insurance agencies, and state workers’ compensation boards, just to name a few. The labor and employment laws of a state may also typically contain rules governing the handling of employee medical information.
The examples contained in the preceding paragraphs were meant merely to provide a sense of the myriad federal and state laws or agency rules that typically speak to the handling of individually identifiable health information, and under which our member physicians and/or their employers typically operate. The list is not intended to be exhaustive.
2. If HIPAA were extended or some comparable legislation were enacted to regulate your use of health information, what effect do you think the law would have on your operations?
As noted in response to Question #1, many (indeed more likely the vast majority) of ACOEM’s physician members are considered “covered entities” under the HIPAA Privacy Rules. Similarly, many if not most of their employers may be considered, at least in part (e.g., as a “hybrid entity”), covered under the HIPAA Privacy Rules.
As with any regulatory compliance, it would entail an expenditure of time and energy on the parts of the newly covered entities in order to put their operations into compliance. Cost estimates for this may be modeled based on the past experience of the health care industry. Presumably, the cost of compliance per covered entity would be less than it was for initial compliance with the HIPAA Privacy Rules, because for many currently covered entities and/or their compliance consultants, the steepest part of the HIPAA learning curve has passed. It should be noted, however, that while there should be some efficiencies derived from past experience in the context of extension of the coverage of the current rules, thereby reducing the per unit cost of compliance, the overall cost to industry for compliance would likely still be substantial, due to the fact that the number of individuals or business entities requiring compliance plans could (depending on the scope of the proposed extension/expansion) be many fold higher than the number originally covered by the HIPAA Privacy Rules. Also, it would stand to reason (although not specifically substantiated herein with precise mathematical modeling) that the more closely any new or expanded rules matched the original rules, the greater the cost savings to be gleaned through prior health care industry experience, and conversely, the less any new or expanded set of rules resembles the current rules, the greater the learning curve (and in turn per unit costs of compliance) for the new regulatory schema.
Implementation of the original HIPAA Privacy and Security Rules carried with it the promise of ultimate cost savings, due to efficiencies of uniformity in IT, billing codes, medical records etc., with such savings offsets to be realized over the first ten years of implementation. The speed and magnitude of the realization of said offsetting cost savings has been the matter of some debate, which is beyond the scope of this communication. However, it is reasonable to assume that since those cost savings were purported to be derived from enhanced efficiency in the transaction of the health care business, said savings might be of a substantially lesser magnitude for physicians or employers not regularly engaged in the delivery of health care or in health care transactions, unless some parallel efficiencies could be derived related to their regularly transacted business.
Perhaps the greatest potential negative impacts on the operations of ACOEM’s member physicians and/or their employers, who are not currently or wholly covered by the HIPAA Privacy Rules, are the above-referenced compliance costs and logistics of implementation. However, there are several potential positive impacts as well. They include, but are not necessarily limited to: enhanced privacy protection for people’s individually identifiable health information; an expanded scope of said coverage or protections (long advocated for by ACOEM) beyond that which was provided via the “business associate” construct; and an enhanced awareness by those who are not currently “covered entities” of the special status (and therefore requisite special handling) of medical records, IIHI and “protected health information” (PHI).
Of course, as previously noted herein, physicians are held to rules of ethical and professional conduct that are not necessarily shared across professional disciplines, and as was the case with the HIPAA Privacy Rules, not necessarily shared with everyone holding “covered entity” status. It would be hoped that any expansion/extension of the definition of “covered entity” under the existing rules, or creation of new rules that expanded the scope of those covered under some sort of medical privacy rules, would also carry with it an expansion of the legal responsibility for compliance with the privacy rules (much of which currently rests inordinately with physicians and other providers) to all of the newly covered entities, which in turn might help drive the development of enhanced rules of ethical and professional conduct in information handling for those disciplines as well.
One potential pitfall, of course, is a false sense of security that could come from an expansion of coverage of the privacy rules that is not in turn accompanied by enhanced professional standards in records handling by non-physicians or non-health care providers. This risk could be significantly mitigated by strong adherence to the so-called “minimum necessary” standard, discussed in the response to Question #3 below.
3. If, instead of receiving all of an individual’s health records pursuant to an authorization, you received only those relevant to your needs, how would this affect your operations?
It has long been the position of ACOEM, pre-dating the HIPAA Privacy Rules, that communications related to employee medical conditions between the physician and employer should always be limited to a so-called “minimum necessary” standard. Indeed, ACOEM’s longstanding and consistent positions can be accurately summarized as advocating for: stronger adherence to principles of a minimum necessary standard; two-way responsibility (i.e. on the part of both the requestor and supplier of health records, and not merely the supplier) in restricting the scope of the communication to only the minimum necessary; and more clearly defined (perhaps through standard protocols developed by DHHS) parameters of “minimum necessary” for use by occupational physicians in implementing the minimum necessary standard with respect to work-related personal health information. ACOEM appreciates and applauds the efforts of the Department in furthering adherence to the minimum necessary standard as the gold standard for communication of employee health information.
To be sure, adherence to a minimum necessary standard is much more labor-intensive (particularly during the implementation phase) than merely transmitting the medical record in its entirety. However, the benefits of adhering to a minimum necessary standard are multi-fold, and truly create a “win-win-win” scenario for employees, employers and occupational physicians. First and foremost, the risk of unnecessary or inappropriate health information about an employee being communicated becomes significantly reduced. Second, as a benefit to employers, the less medical information they possess about employees, the less exposure the employer will have to accusations of making adverse employment decisions based on an employee’s health status. Finally, with allowance for some requisite variation, of course, based on context (such as workers’ compensation versus ADA versus FMLA versus OSHA etc.), the more universal and standardized the approach to adherence to a minimum necessary standard for exchange of employee health information, the less likely it is that physicians will be put under undue pressure (from employers, insurers, third party administrators etc.) to go beyond this minimum necessary standard in their role as gatekeeper of employee medical records.
In closing, on behalf of ACOEM and its members, thank you once again for the opportunity to participate in this hearing. ACOEM, as always, is happy to assist the Department in the ongoing development of sound policy to help protect the most private information of our nation’s workforce.