[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

February 18, 2004

Hubert H. Humphrey Building
200 Independence Avenue, SW
Room 705A
Washington, DC

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-0091


TABLE OF CONTENTS

  • Call to Order, Introductions; Opening Remarks – Mark Rothstein, J.D.
  • Banking – Panel 1
    • Kepa Zubeldia, M.D., Claredi Corporation
    • Joy Pritts, J.D., Georgetown University
    • John Casillas, The Medical Banking Project
    • J. Steven Stone, American Bankers Association and the National Automated Clearinghouse Association
  • Banking – Panel 2
    • Tom Dean, The Medical Banking Exchange
    • Anna Slomovic, Ph.D., Electronic Privacy Information Center
    • Thomas J. Gilligan, Association for Electronic Health Care Transactions (AFEHCT)
  • Law Enforcement Panel
    • Robert Gellman, Privacy & Information Policy Consultant
    • Robert C. Williamson, Drug Enforcement Administration (DEA)
    • Christopher Calabrese, American Civil Liberties Union (ACLU)
  • Public Comments
    • Kathryn Serkes, Association of American Physicians and Surgeons

P R O C E E D I N G S (9:05 a.m.)

Agenda Item: Call to Order, Introductions

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I’m the Director
of the Institute for Bioethics, Health Policy and Law at the University of
Louisville, School of Medicine, and Chair of the Subcommittee on Privacy and
Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens,
which makes recommendations to Congress and the Secretary of HHS on health
information policy, including issues related to HIPAA.

On behalf of the subcommittee and its fine staff, I want to welcome you to
our second in a series of hearings on implementation issues under the HIPAA
privacy rule.

I also want to welcome those of you who are listening to our hearings on the
internet.

Before proceeding further, as our custom, we will have introductions,
beginning with members of the subcommittee and staff.

I would invite subcommittee members to disclose any conflicts of interest
they might have. I will begin by noting for the record that I do not have any
conflicts of interest, and we can start with John Houston.

MR. HOUSTON: I’m John Houston from the University of Pittsburgh Medical
Center. I am a member of the committee as well as a member of this
subcommittee.

MR. FANNING: I’m John Fanning from the Department of Health and Human
Services, and I’m staff to the committee.

MS. FYFFE: Kathleen Fyffe with the Department of Health and Human Services,
and I’m lead staff to the Subcommittee on Privacy and Confidentiality.

MR. REYNOLDS: Harry Reynolds, Vice President, Blue Cross and Blue Shield of
North Carolina and a member of the committee.

MR. SCANLON: I’m Jim Scanlon with HHS. I’m the Executive Staff Director for
the full committee.

DR. COHN: I’m Simon Cohn. I’m a practicing physician and the National
Director for Health Information Policy for Kaiser Permanente and a member of
the committee and subcommittee.

MR. STONE: I’m Steve Stone. I’m a Senior Vice President from P&C Bank in
Pittsburgh. I’ll be presenting on behalf of the American Bankers Association
and the National Automated Clearinghouse Association.

MR. CASILLAS: I’m John Casillas founder of the Medical Banking Project.

MS. PRITTS: I’m Joy Pritts. I’m Assistant Research Professor at the Health
Policy Institute of Georgetown University.

DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation.

MS. SQUIRE: Marietta Squire, CDC, NCHS.

MS. NASER: Cris Naser, American Bankers Association.

MR. DEAN: Tom Dean with the Medical Banking Exchange.

MR. ZELMAN: I’m Jeffrey Zelman with the Office of Civil Rights.

MS. KING: Mary Lou King, Office of the General Counsel, Civil Rights
Division.

MS. GOLDSTEIN: Jody Goldstein-Daniel, Office of the General Counsel, Civil
Rights Division.

MR. ZIRIKOWSKI: Art Zirikowski, FDA.

MS. APPLEBY: Julie Appleby with USA Today.

MS. CATCHMAN: Pat Catchman, FDIC.

MS. WOOK: Nancy Wook, ICC.

MS. MOYEN: Mary Moyen, NCHS.

MS. WATTENBERG: Sarah Wattenberg, Substance Abuse and Mental Health Services
Administration.

DR. SLOMOVIC: Anna Slomovic, Electronic Privacy Information Center.

MR. MC COY: Ian McCoy, National Automated Clearinghouse Association.

MS. HOLLAND: Priscilla Holland, National Automated Clearinghouse
Association.

MR. BRAITHWAITE: Bill Braithwaite, an independent consultant in Washington,
D.C.

MR. RUDY: Dan Rudy, American Health Information Management Association.

MR. ROTHSTEIN: Thank you, and welcome to all of you.

In our first round of hearings in November, we heard testimony on public
health, research and other issues under the Privacy Rule.

The subjects of the hearings today and tomorrow are banking, law enforcement
and schools. We will hear from two panels of invited experts on each of these
three topics, and I will, throughout the day, give you updates, as necessary,
on last-minute changes to our schedule.

In addition, from 3:45 to 4:45 this afternoon, members of the public may
testify on these issues. If you are interested in testifying, please see
Marietta Squire at the registration table.

I would remind our witnesses and listeners that the purposes of the hearings
are to consider whether the Privacy Rule strikes the appropriate balance
between health privacy and other important concerns to determine whether there
are practical problems or unintended consequences that have arisen as a result
of the Privacy Rule and to ascertain whether there are areas in which
additional clarification, education or outreach efforts are needed to
facilitate compliance.

Witnesses are asked to please limit their initial remarks to 15 minutes.
After all the witnesses on each panel, we will have time for broader discussion
and questions.

Witnesses may submit additional written testimony to Marietta Squire within
two weeks of the hearing.

I would also request that witnesses and guests turn off their cell phones,
if they have not done so already.

And, finally, if all witnesses will speak clearly into the microphone, it
will be greatly appreciated by those listening on the internet. It is, I
assume, hard enough as it is without straining to hear what people are saying.

So having dispensed with all those preliminaries, we are now ready to ask
our first panel of witnesses to testify, and we will go in the order that is
listed on the agenda, if there are no objections from the subcommittee members
or requests from the panelists, and that means that, to begin with, we are very
happy to welcome our former member and friend, Kepa Zubeldia, to testify first.

Agenda Item: Banking – Panel 1

DR. ZUBELDIA: Thank you very much.

My name is Kepa Zubeldia, and I’m coming here more than as a representative of
Claredi, as a former member of the subcommittee. Because I did a lot of work in
this area while serving the subcommittee, I’m trying to bring an overview of
the work that I have done to see if it can help frame the issues and help the
rest of the testifiers today and the subcommittee members.

I bring a lot of questions and I bring very few answers, and the intention
is that the answers will come from the rest of the panelists today.

I’m going to be talking about two different issues. The first is what is the
status of the financial institutions under HIPAA? Are they clearinghouses or
business associate, and what are the different roles that they play?

And the second issue is the privacy of protected health information in the
banking system and the healthcare payment chain.

The clearinghouses under HIPAA are defined as a public or private entity
that does either of the following: processes or facilitates the processing of
information received from another entity in a non-standard format or containing
non-standard data content into standard data elements of a standard – or a
standard transaction; or receives a standard transaction from another entity and
processes or facilitates the processing of information into non-standard format
or non-standard data content for a receiving entity.

And I have highlighted a few key words in this definition for the purpose of
these hearings.

First, the definition of the clearinghouse is based on the functions
performed, not the existence, but the functions performed, and the information
handled by the clearinghouse is coming from one entity to another. So a billing
service that uses the information for their own purpose would probably not fit
this definition of clearinghouse. Let me say I am not a lawyer, so I can’t tell
for sure. I’m not sure if the lawyers can tell for sure.

Another key component of this is that a clearinghouse converts from standard
into non-standard either the format and/or the data content of the
transactions, and we’ll see more of that in a minute.

A clearinghouse in healthcare performs multiple activities: Connectivity
among trading partners, data-content validation and rejection, data-content
conversion, converting code sets and identifiers, transaction format conversion
between Legacy and HIPAA formats, transaction aggregation and/or distribution
among multiple trading partners, systems integration, customer support, and,
then, even for clearinghouses, there are value-added functions that are not
part of a traditional clearinghouse, such as different kinds of reports,
patient statements, other management reports, followup tracking of transactions
and payments, accounts-receivable management, collections, et cetera.

I want to point out that out of all of these functions that a clearinghouse
performs in healthcare, only two are considered in the HIPAA definition of a
clearinghouse: The data-content conversion and the transaction format
conversion. Everything else, even though in healthcare we call it a
clearinghouse, is not what constitutes a HIPAA clearinghouse.

Under HIPAA, there are two financial transactions, the 820 and the 835. The
820 is a premium payment. Typically, the 820 flows from the employer to the
payer. Could also flow through the insurance broker. The employer could be
paying the broker and the broker paying the payer. In that case, is the broker
a business associate? Is the broker a covered entity? We’ll talk about that a
little bit later.

A claim payment and remittance advice, the 835, typically goes from the
payer to the provider, either directly or through a clearinghouse or through a
payer’s bank, but, in that case, the payment doesn’t necessarily go with the
remittance advice. The payment could be by check, by wire transfer, ACH
transfer, separate from the remittance advice. So there is the possibility of a
dual path.

In addition to the HIPAA transactions, the banking system uses other
financial transactions that generically are called Electronic Funds Transfer,
but there’s different kinds of transactions.

The CCD is what is typically called EFT or wire transfer, although there are
some nuances that the bankers will be able to explain between wire transfers and
EFT and all of that.

There is a version of the CCD called the CCD+, CCD+ addenda, that has an
80-byte addenda record that, in essence, is a very brief one-liner explanation
of what is being paid.

And then there’s another version called the CTX, which is essentially the
same as the CCD, but with up to almost 10,000 addenda records, and those
addenda records are with the banks and include a complete description of what is
being paid. Typically, the addenda will encapsulate a full 820 or the full 835.

So if you look at the transaction structure of these HIPAA transactions,
they have two tables, Table 1 with the payment information, and Table 1
describes the payer, the payee, the amount, the trace number, the date of
payment, effective date, all of this banking information.

Both the 820 and the 835 have exactly the same Table 1 information,
payment information, and the CCD, CCD+ and CTX contain the equivalent of the
data in Table 1. The format is different. The content may be slightly
different, but it is functionally equivalent to Table 1.

Then, the payment could be as part of Table 1, or, like I said before, the
payment could go by check and Table 1 would refer to the check by check number
and check date and so forth.

Table 2 of the transaction contains what we know as remittance advice, and
it could be the premium payment explaining what premiums are being paid, the
claims that are being paid, appended or denied, and what are the adjustments to
those claims; and Table 2 is the part that contains PHI, if the claims are
being paid.

So whenever a payment goes in a remittance advice, with payment of claims,
they have the – at least the potential – to contain the provider information
and the procedure codes, and, of course, the patient information for the claim
that is being paid.

So if you look at that diagram on the right-hand side, where I have the
structure of the 835, you see Table 1, Table 2. The whole thing is called the
835. I’m going to reuse that diagram.

I’m going to describe five different methods of payment that happen in
healthcare today. The simplest one, the one that is probably used the most
today is where the payer sends a paper check and a paper remittance advice to
the provider through the mail. The check is processed through the bank, and in
the check, you have the payer information, the provider information, but there
is no PHI. It will say, we are paying Dr. Jones $55, and it doesn’t say for
whom.

Typically, the banks offer lock-box services, where the banks aggregate on
behalf of the providers the checks coming from multiple payers and enter them
into some sort of magnetic media or some sort of telecommunications to the
provider system or a consolidated report to the provider system.

These lock-box services typically will receive not only the check, but also
the remittance advice that goes along with the check, and they enter that
remittance advice into a system that the provider can use electronically. That
is a possibility for the lock-box services to get in contact with PHI.

The second method of payment is when the payer sends a paper check and an
835, an electronic-remittance advice, to the provider, either directly or
through a clearinghouse.

In this case, there is a dual path. The payer sends the check in the mail
and sends the provider, or the provider’s clearinghouse, an electronic-remittance
advice. The check is being processed by the bank, and in that check, there is
no PHI. The electronic-remittance advice typically doesn’t go through a lock box,
although there are some lock boxes that also process electronic-remittance
advice.

The third method of payment is when the bank sends an electronic-funds
transfer of some sort, typically with a CCD or CCD+, to the bank and an 835 to
the provider. This, you can see, is almost identical to the previous one,
except that instead of being a paper check, it is an electronic-funds transfer.
The EFT still doesn’t have any PHI in it.

A fourth method of payment – and here is where it gets a little more
involved – is when the payer sends the payment instructions to the bank as an
electronic-funds transfer, using the banking transaction – not a HIPAA
transaction, but a banking transaction – and inside that CTX, the payer
includes the 835 itself, and I’ll show you a picture of what it looks like. The
addenda contains a complete 835. Typically, these transactions follow a single
path. The payer produces the 835, and either the payer or the bank drops the 835
into a CTX transaction that flows through the banking system. The provider gets
the 835 from the provider’s bank after unwrapping it out of the CTX, but that
CTX actually contains PHI inside the addenda, because it contains an 835 inside
the addenda.

And, finally, the HIPAA transaction, the HIPAA way of doing things, is where
the payer sends an 835 to the bank, and the bank uses the Table 1 from the 835
as the payment instructions and Table 2 is sent to the provider.

Now, again, this is a single path, from the payer to the bank and the bank
to the provider, or it could be a dual path, from the payer to the bank, and
the payer could be sending the 835 Table 1 only to the bank, which is
equivalent to a CTX, equivalent to a CCD – where the bank would effect the
payment instructions, based on Table 1, and would not have access to PHI – or
the payer could send to the bank the Table 1 and Table 2, and then the payer
could send to the provider the 835 or the payer could let the bank send the 835
to the provider.

So I’m giving you all of these variations because all of this is happening
under HIPAA today.

Now, when the 835 flows through the banking system, typically, it flows as a
part of a CTX – as the addenda records of the CTX – and you have an 835 with
Tables 1 and 2 – Table 1 has the payment instructions, Table 2, remittance
advice – encapsulated inside the addenda records of the CTX. The CTX has
payment instructions that are identical to the payment instructions in Table 1
of the 835, but the banks – most of the banks – process CTXs by the millions
every day and don’t process very many 835s yet. So they prefer to get this kind
of combination.

I want to point out that the 835 is actually encapsulated inside the CTX.
There is no translation or reformatting or conversion. It is an envelope, and
on the envelope is the payment instructions, and the banking structure is
called the CTX. Okay? So it is not a conversion between one format or another.
It is two parallel versions of the same payment instructions.

Common Data Flow is the payer prepares an 835. The 835 is encapsulated into
a CTX, typically by the payer, but it could happen at the clearinghouse or the
payer’s bank. The CTX is sent through the automated clearinghouse to the
provider’s bank. The provider’s bank will make the payment from the CTX,
unwraps the addenda records of the CTX to get to the 835 and delivers the 835
to the provider or to the provider’s agent, provider’s clearinghouse, perhaps.

So is the bank a covered entity? If we look at the definition of a
clearinghouse, out of all the things that the clearinghouse does, only two are
considered by the HIPAA definition of clearinghouse, Data Content Conversion
and Transaction Format Conversion, none of which are done when the CTX is
merely encapsulating an 835. The 835 is not converted. It is just encapsulated
inside the CTX as an envelope. So according to that functionality, I would say
the bank is perhaps not a clearinghouse.

So is the bank a business associate? Well, it depends. Which bank? What are
they doing? Is the payer’s bank acting on behalf of the payer? Perhaps. If the
payer bank is doing some work on behalf of the payer, they would be the payer’s
business associate. Is the provider’s bank acting on behalf of the provider?
Well, if they are, they would be the provider’s business associate.

Is the automated clearinghouse a HIPAA clearinghouse? Is it acting on behalf
of other banks? Are other banks covered entities?

I said I bring a lot of questions and not answers.

Then there is something called Value-Added Banks or Value-Added Networks,
HIPAA Banks, healthcare banks. What is their role in all of this? Do they
perform this data-format conversion or data-content conversion that would
constitute them into a HIPAA clearinghouse? So we need to look at the HIPAA
clearinghouse functions.

So we ask the Privacy Rule, and we go back to the preamble of the Privacy
Rule. The Privacy Rule has an interesting statement on page 82,476 in the third
column. The preamble says, we do not consider a financial institution to be
acting on behalf of a covered entity, and, therefore, no business-associate
contract is required when it processes consumer-conducted financial
transactions, blah, blah, blah. Covered entities that initiate such payment
activities must meet the minimum necessary disclosure requirements described in
the preamble to 164.514.

So the preamble of the Privacy Final Rule clearly says that financial
institutions are not considered to be business associates. They are not acting
– let me go back to the previous slide. They are not acting on behalf of the
payer. They are not acting on behalf of the provider.

So what does the banking industry say? The banking industry HIPAA Task Force
has a working paper that is available through the website of the – I think all
of the associations – NACHA, ABA, Medical Banking Project. Everybody has access
to this website.

And there are a couple of determinations that the task force made that are
very interesting. The task force determined that the majority of health banks
are not healthcare clearinghouses and not covered entities under HIPAA, as a
result of payment-processing activities. A small number of banks are healthcare
clearinghouses and covered entities under HIPAA as the result of value-added
services – value-added is my addition – provided in addition to their
payment-processing services. If they didn’t have these additional services, they
would not be clearinghouses.

They also determined, in the task force white paper, that the banks
providing service to the healthcare industry may often be business associates
of health plans and providers. It seems to be contrary to what the preamble of
the Privacy Rule said.

Banks have a long tradition of protecting confidential financial information
and have security practices that meet or exceed many HIPAA requirements. This
is a determination of the task force, the banking industry HIPAA Task Force.

Section 1179 of HIPAA excludes these financial activities from HIPAA.
Section 1179, in part, says, to the extent that an entity is engaged in
activities of a financial institution or is engaged in authorizing, processing,
clearing, settling, billing, transferring, reconciling or collecting payments
for a financial institution, this part – which is Part 2 of the administration –
this part and any standard adopted under this part shall not apply to the entity
with respect to such activities, including the following, and then it describes
the activities that are part of financial-institution payments and so on.

The impact of this is that a covered entity may disclose PHI to financial
institutions for purposes of payment. That’s part of treatment, payment and
healthcare operations. Is this subject to the minimum necessary? Well,
actually, the content of the 835 is not subject to the minimum necessary
requirements, because it is one of the HIPAA standard transactions. So once the
PHI is properly disclosed by the covered entity to the financial institution,
is it still protected health information under HIPAA?

The banking industry says it’s protected by banking regulations. It is not
protected by HIPAA.

The banking regulations – I am going to address one of them, although there
are more, okay? I’m going to address Gramm-Leach-Bliley. Gramm-Leach-Bliley
protects consumers and customers of financial institutions. Therefore, the
payer and the provider, as customers of the financial institutions, are
protected by Gramm-Leach-Bliley. Gramm-Leach-Bliley protects information
collected about individuals. It doesn’t apply to information collected in
business or commercial activities. That sentence comes directly from the FTC
website on Gramm-Leach-Bliley.

So does Gramm-Leach-Bliley protect information collected about individuals
that are neither consumers nor customers of the financial institution? The 835
contains patients, and inside that 835 there are patients that are probably not
consumers nor customers of the financial institution. The payer and the
provider are the consumers and customers of the financial institution. The
patients inside the 835 are probably unrelated to the financial institutions,
unless, by coincidence, one of those patients happens to have an account with
that particular financial institution. So there could be a problem here.

Of course, the banking system is also protected or regulated by Regulation
E, Regulation P and many other banking regulations that I’m sure that they will
describe in this hearing.

So let’s take a look at some of the potential issues.

Routine payments. The patient makes a check or a credit-card payment to a
provider. This is the kind of payment that is specifically excluded by
Section 1179. The banks are not HIPAA business associates, according to the
preamble of the reg. The patient’s bank must protect the patient’s information,
and if the patient makes a payment to a cancer center, an AIDS clinic, an
abortion clinic or any of those other sensitive providers, the patient’s bank
has to protect that patient information, and that is part of
Gramm-Leach-Bliley.

But what other privacy protection is applicable at the provider’s bank?
Since the patient is not the customer of the provider’s bank, the provider’s
bank protects the information about the provider as an individual, and the
provider’s bank uses the patient information when the patient is not the bank’s
customer. So this is for the rest of the panel to answer.

Lock-box services. The provider typically contracts with a bank for lock-box
and other value-added services. The lock box receives paper payments and
paper-remittance advice, because most of the payers will send both of those
together. The lock box may also receive HIPAA 835s on behalf of the provider,
and then the lock box consolidates the paper and/or electronic-remittance
advice for delivery to the provider. As the lock box is converting the 835 to
another format or different codes, the lock box is not a clearinghouse. Now,
the lock box is probably a business associate of the provider. So can the lock
box mind the patient information and datastream? Is the paper datastream
considered PHI when it is never a HIPAA standard transaction? Remember the
consideration of PHI has a linkage to being in standard transactions or being
electronic. So this is paper. Do these business-associate contracts between
the provider and the lock box contain minimum necessary clauses? This is between
provider and lock box.

The banks also act in a function of accounts receivable. Sometimes the bank
offers services to a provider such as a loan, and a loan between the provider
and the bank may be secured by accounts receivable, and that accounts
receivable security of the loan may have to be exercised if the bank needs to
collect from the collateral because the loan is in a default situation.

Section 1179 excludes from HIPAA financial-institution activities for
collecting payments. So do the minimum necessary requirements still apply?
Seems like Section 1179 excludes any standards under this part, including
minimum necessary. So once the bank has a loan with accounts receivable as
collateral, in order for the bank to collect on that accounts-receivable
collateral, they may have to invoke Section 1179, excluding all of it.

There is a new topic, health-savings account. This is part of last year’s
Medicare bill, and there’s similar issues with something a little bit older
called medical-savings accounts. Only legitimate healthcare expenses can be
paid with these pre-tax HSA, MSA monies. So in order to justify that they are
legitimate healthcare expenses, there is an administration of the
health-savings account that has to occur.

In addition, health-savings accounts typically are backed by high-deductible
coverage. So in the third-party administration of the health-savings account,
there has to be documentation and an audit function through the receipts –
typically, the receipts from healthcare payments or expenses being paid, and
that has to – there’s two functions to that. One is to make sure that only
legitimate healthcare payments flow through the health-savings account, and
second is to find out when you are reaching the limit, and when you reach the
high deductible, then it triggers the secondary coverage policy.

There have been a lot of announcements lately of extensive use of debit cards
to pay for the HSA expenses. It introduces and simplifies the – requirements, but
the debit card has to contain enough health information to make sure that the
documentation requirements of the health-savings account are met. The
debit-card transactions are not HIPAA transactions. You don’t pay a debit card
with an 835. The debit-card transactions are just like credit-card transactions
flowing through the credit-card system, the financial system. So are these
totally excluded from HIPAA? And, obviously, those debit-card transactions
must have enough healthcare information to know that it is a legitimate
health-savings account expense.

We have seen an announcement – I think in today’s paper – that United Health
Care is opening a bank in Utah just to do health-savings-accounts type of
activities. They chose Utah.

Rural banks. Rural banks have limited technologic capability. It is a very
special environment. It’s a low-privacy environment. Everybody knows everybody
else in town. In fact, they probably don’t mail anything. They just
hand-deliver it to their customers.

The NACHA rules require that the banks have to have the capability to
convert 835 to what they call Human Readable Methodology, and Human Readable
Methodology are things like fax, email, print advice, bank statements, software
that can be given to the provider and so on.

The payer, in sending the 835, cannot predict that this will happen at the
provider’s end. The payer sends a payment to – provider. The payer doesn’t know
how the provider’s bank is going to handle the 835, and, therefore, the payer
cannot restrict to the minimum necessary, since the remittance-advice
information will be necessary either for the provider, for the lock box or for
somebody at the receiving end. Besides, the 835 sent by the payer is exempt
from minimum necessary anyway. So what is the provider’s responsibility in this
environment?

I have a couple of other additional issues that are not banking issues, but
are related, because they are part of the payment chain.

Insurance brokers. Insurance brokers get copies of the claims in order to
perform their services. They have to measure utilization. They have to
calculate the risk. They have to establish and renegotiate contracts on behalf
of their clients, and when they get copies of the claims, they have
fully-identifiable health information in their hands. Are they a business
associate? Of whom?

The employer is certainly not a HIPAA-covered entity. So they can’t be a
business associate of the employer. They get the claims from the payers, but I
doubt that the payers would say the brokers are their business associate.

Re-insurance and stop loss. Almost the same issue as the brokers. They have
to get copies of the claims in order to perform the services. They have to do
actuarial risk assessment. They have to identify the high-deductible trigger
point where the stop loss kicks in. They also renegotiate their contracts based
on utilization. Are they a business associate? Of whom?

Again, the employer is not a covered entity. Health plans contract with the
stop loss as part of their operations. They get the claims from the health
plan. Are they a business associate of the health plan? Maybe. That is not for
me to answer. That’s for the rest of my panel. So if you have questions, I may
have to deflect most of the questions to the rest of the panel, but I may be
able to answer some of them.

Thank you very much.

MR. ROTHSTEIN: Well, thank you, Kepa.

The good news is that is the clearest, most comprehensive presentation of
the issues surrounding banking that I have ever heard, and the bad news is I am
now much more confused than I was to begin with, and I regret that you are
sitting on the other side of the table now and can’t work with us on these
issues, but thank you so much.

We’ll have our questions at the end.

Ms. Pritts.

MS. PRITTS: I’ll be just a minute as I set this up.

Good morning. I’m Joy Pritts, and I’m an Assistant Research Professor with
Georgetown’s Health Policy Institute.

I would like to say that I could answer some of the questions that Kepa
raised, but I am probably just going to raise some more questions,
unfortunately. I think this is a very complicated area, and it is one that a
lot of people are very concerned about.

There is a survey done in 2000 that showed that 95 percent of adult
Americans don’t want their health information – banks to have access to their
medical information, record information, without their permission.

So against this is you have a public that is not quite sure how they feel
about banks having access to their medical-record information, and I think that
is primarily just because people don’t like organizations that have some kind
of authority over them to have access to this kind of information.

So against that background, you have a series of laws and regulations that
are in place that attempt in various methods to protect that information as it
flows through the system.

The ones I am going to talk to today – although there are a host of other
ones – are HIPAA, the Health Insurance Portability and Accountability Act of
1996, Gramm-Leach-Bliley Act, which is also known by many people as the
Financial Services Modernization Act, and the recent amendments to the Fair
Credit Reporting Act, which has been called the Fair and Accurate Credit
Transactions Act, also known as the FACT Act. We have to get all of our
acronyms in there.

What you have at least two of the statutes doing is creating these kind of
networks of information for very different purposes. You have the network that
HIPAA attempts to create, which is that – and this is just a small part of the
network that is shown on this slide – but the network is that you are going to
have, ideally, this National Health Information Infrastructure, and within it
health information is going to flow electronically between payers, providers,
hopefully patients and a lot of intermediaries who are going to help make this
system work, including banks.

In contrast to HIPAA, the Gramm-Leach-Bliley Act also encourages networks
for a different purpose and with different organizations.

Gramm-Leach-Bliley was intended to be the – to encourage one-stop financial
shopping. So what it does is it encourages banks and other financial
institutions to affiliate with each other, and one of the ways that you get
one-stop financial shopping is by sharing information with each other, and that
is a large part of what Gramm-Leach-Bliley Act is really about. So you can see
they are overlapping systems in some ways with what I consider to be kind of
different purposes.

And there are some concerns about this, because, in a lot of ways, banks are
in an ideal position to make this system work very well. They have already got
this wonderful capacity, a national capacity, for you to go to any bank and get
your money out of your account. There is really no – there is a lot to be said
for that, but as they position themselves to participate in this system, they
will have increased access to identifiable health information.

I would also like to point out that this identifiable health information, we
are at least thinking that at some point it is going to have a unique health
identifier associated with it, and so it will have the equivalent of an account
number, a Social Security number on it. It will be very easily identified with
a particular individual.

There is – although there hasn’t been a whole lot of – I would say, there
hasn’t been a whole lot of affiliations between banks and health insurers yet.
There has been some, and there is reason to believe that there will be more as
time goes on. There is an increased sophistication in computer technology as to
how you can use and manage data, and people feel – whether they are right or
wrong – that there is a potential financial incentive for using this
information. That is where you get that 95-percent figure from is that your
average consumer is very concerned about these things, and the reason they are
concerned about it is they don’t want the information used against them. It is
the same reason why you have healthcare consumers not wanting employers to have
their health information. At the bottom of it all is a concern of being
discriminated against.

So the goal, at least from a healthcare consumer’s point of view, is to make
sure that the health information is protected adequately as it flows through
the system, and, as Kepa pointed out, one of the questions is are banks even
covered by HIPAA. They are part of this network. Are they covered? And one of
the – in particular, one of the issues is if – what activities do they do, if
anything, to make them a healthcare clearinghouse?

For a long time, while this issue has been debated – and I have heard this
not only from like people who are outside of HHS, but also a lot of people who
have been inside HHS. There was a real belief that if banks did certain
functions, they would be covered as healthcare clearinghouses, and I think we
have seen a little bit of shift in that belief in recent times.

I don’t think that there has been any controversy that when a patient
submits payment – a patient submits a check, it goes to the healthcare
provider, and that goes through their bank, that activity does not make
somebody a healthcare clearinghouse, and I don’t think that there has been much
dispute about that. I don’t think that people have been disputing the fact that
if you have this kind of electronic funds transfer that that would also make a
bank a clearinghouse. I don’t think that those are – those are not really
issues. I think those are fairly settled, but I – again, I may be wrong on
that.

But where people seem to be having a bit of dispute is whether – and I am
going to use this one transaction, because I think it is a kind of easier one
to understand, because if a bank does this – if somebody else did the same
thing and a bank does it, the other person would be covered by HIPAA as a
clearinghouse, and the question is if a bank does the same thing, which is kind
of clear, would they be a clearinghouse? And this is when the bank processes
the remittance advice, the electronic remittance advice, they take that advice
out of the standard format that it has arrived at the bank in, so it is in
HIPAA standard format, and they put it into – I think what Kepa called a human
readable form. Yes, a human readable form. I would call it into plain language,
so that the provider knows what is going on. So they take it, they convert it,
and there is no question, at that point, that they are converting from a
standard format into a different format, and many believe that if anybody else
did that they would be covered by HIPAA.

In a letter that the ADA sent to the HHS, they have taken, I think, a
slightly different position than the task-force paper and said that under
Section 1179 that they would not be covered by HIPAA as long as they are
engaged in an activity of a financial institution.

It is worthwhile going to look at the definition of financial institutions,
the Right to Financial Privacy Act. It is defined differently than it is in
some of the other acts that you may look at. It is definitely defined
differently than it is in Gramm-Leach-Bliley Act. It is a much narrower
definition.

And the second part of this analysis is – all right – if we are engaged in
an activity of a financial institution, we are not covered by HIPAA, so any
activity that has been approved by OCC for a bank is a financial activity, and
that is pretty accurate. I mean, the OCC tells the banks, you can engage in
certain activities because they are related to banking, and it is kind of a
gross simplification, but when you look at the examples that were in the ABA’s
letter and then you go and look at some of the activities that were, this
definitely is broader than when we process a payment – what most lay people
would consider to be a payment, when we process a check, when money flows. It’s
a financial – an activity of a financial institution is much broader than that.

And I am not going to – as I said before I agreed to come here, I’m not
really going to get into the issue of whether they are or – whether 1179
exempts banks or does not, because I think that kind of – I’m happy to discuss
it, but that is not what I wanted to talk about really. I wanted to say, well,
if it doesn’t – because other people have their positions on that, which I
think they will adequately represent, but the question becomes, all right,
let’s assume that they are exempt from HIPAA or if they are exempt from HIPAA,
then the question becomes is the medical information that banks process
adequately protected by other laws, and I think that this is something worth
looking at.

Kepa talked briefly about Gramm-Leach-Bliley Act. It is primarily designed
to facilitate affiliations. It applies only to consumer and customer financial
information. It does not apply to commercial transactions, and the privacy
provisions in GLBA establish limits on sharing financial information, which may
contain medical information.

What GLBA does is it limits the sharing of consumer payment information. So
when we went back to that first picture where we said everybody said that HIPAA
would not cover that, GLBA actually does cover some of that. It imposes some
restrictions on how a bank can share that information with others. It includes
notice and opt-out provisions. As someone who does a lot of work in the consumer
area, of course, I’m sure everyone has heard that most consumers do not like
the notice and opt-out structure of things, because we don’t feel that that is
very protective of the individual, but it does have that, and that is more than
what is available under HIPAA.

It doesn’t prohibit banks from using consumer payment information, because
that is not what GLBA is about, and it doesn’t prohibit banks from using or
sharing information from commercial transactions, because this isn’t the kind
of information that is covered by Gramm-Leach-Bliley Act.

In response to that, there was – after Gramm-Leach-Bliley became law, there
was almost immediate dissatisfaction – well, there was immediate
dissatisfaction with the law, including by some of the people who wrote it
originally, and there were a lot of attempts in Congress to go back and recraft
parts of the privacy protections.

Everybody pretty much agreed that reopening Gramm-Leach-Bliley Act was not
politically feasible. I mean, it took a lot to get that act out of Congress,
and so after a couple of tries of doing it independently in 2003, there was a
piece of legislation that clearly was going to move through Congress.

We are all familiar with what happens often in Congress is if you get a
piece of legislation that is moving, then you try to attach things that you
want to happen to that, and what was moving in Congress were amendments to the
Fair Credit Reporting Act, and that is because – not to go into great detail,
but there was a sunset provision in there that a lot of people did not want to
see sunset. So it had to be reenacted, and within that context – this is all
within the Fair Credit Reporting Act, but with a little different context from
Gramm-Leach-Bliley, and a different context from HIPAA. It is within the
context of consumer credit protections. That is what the Fair Credit Reporting
Act is about.

What the FACT Act does is it prohibits a bank and other creditors, in this
case, from obtaining and using medical information for consumer-credit-decision
purposes, except where the banking agencies determine, if necessary and
appropriate, to protect legitimate operational transactional risk, consumer and
other needs; and when they make this determination, they are to make that
consistent with the intent to restrict the use of medical information for
inappropriate purposes.

So that is where we are now. The banking agencies will be making these
regulations to implement this, and they have the power to make exceptions. We
don’t know where that is yet. It’s only in the developmental stage. They may
craft these exceptions very narrowly or they may be broad. They may be
somewhere in between. This is a totally unknown factor at this point.

But the statute itself, given the breadth of it and what its intent to do is
to make sure that – to cover one of the things that consumers have been
concerned about, which is that their information not be used for making
decisions about very important things in their life, their medical information
not be used for making those decisions.

The FACT Act doesn’t prohibit using payment information for other purposes.
Again, this is partially because of what this – you know, the structure of the
bill. The bill is a credit that is consumer – you know, Fair Credit Reporting
Act is all kind of designed around that. So it is possible that there may be
other things out there, but the FACT Act itself, which was designed to plug
some of these holes between Gramm-Leach-Bliley and HIPAA, isn’t designed to
protect against or to prohibit against any particular uses, particularly
marketing, which is another thing that consumers don’t like. I would say it is
not as important as making credit decisions, but it is one of those things that
consumers generally are not happy about.

The limits on sharing medical information under the FACT Act are not clear,
and if I were to try to analyze this for you here, I would confuse everybody,
because it took me a long time to get to this, but let’s just say, under the
best circumstances, it appears to permit banks to share medical information
with affiliates for any purpose that is either permitted without authorization
under the Privacy Rule or that is referred to under Section 1179. So I see this
as being a potential problem, and when this part of the act was written, which
was back in – I think – June of 2003, I’m not sure that the public position had
been taken that anything that banks can do under 1179 would be exempt from
HIPAA. I’m pretty sure at that point we were still under the – if banks are
engaging in really what most lay people consider payment activities, then that
is what 1179 was referring to.

So what you have is you have HIPAA saying if a bank is doing something – if
a bank is doing a financial activity – engaged in a financial activity, it is
exempt from HIPAA, and then when you go to the FACT Act it also seems to
incorporate that. So this does not add any additional protection. It just kind
of loops back to HIPAA, and so I am not exactly sure how that is going to play
out. As I said, I was just going to raise more questions rather than answer
them.

But what it looks like is if the banks are fully exempt under Section 1179,
then the medical information that they receive isn’t fully protected by other
laws, and you still have these other uses other than for credit that can go on.
You still have the potential for sharing, particularly with affiliates that
might happen, and we still don’t know to what extent the use of medical
information for credit purposes will be allowed under the regulations.

People, of course, have the ability to comment on those when the proposed
rules come out and try to make those as tight as possible.

That is only part of the issue, though, and I think this is, again, what –
picking up what Kepa was talking about, which is even if banks aren’t fully
exempt under Section 1179, which there’s been a lot of focus on this, that
doesn’t end the discussion, because you have these intermediaries who are
handling medical information, and you are not really sure what their role is.

So this is – you know, when we are talking about the national health
information infrastructure in protecting health information as it flows through
it, it is still very much a work in progress. We are not anywhere near there
yet. We haven’t begun to answer the questions.

MR. ROTHSTEIN: Thank you very much. I was afraid we were running out of
questions, and you’ve added some more to our list.

Mr. Casillas, would you like to add some additional questions?

MR. CASILLAS: I would love to.

(Pause).

MR. CASILLAS: Okay. Experiencing some minor difficulties. My computer is now
hibernating. Can I do it back over here? Just switch chairs, I guess.

MR. ROTHSTEIN: For those of you on the internet, we are working on our
computer presentations, and we’ll have audio shortly.

MR. CASILLAS: First of all, I want to thank the National Committee on Vital
and Health Statistics for hearing all the issues in the banking space. There
are numerous issues, and they are complex.

Unlike my predecessors, we have made some technical conclusions in these
areas that, admittedly, are in a state of flux and have been for quite some
time. We have held 12 HIPAA-policy roundtables over the last 24 months.

MR. ROTHSTEIN: So they are not sure what the answers are. You are sure, but
your mind is continually changing, is that –

MR. CASILLAS: You know, when Kepa says something – and Joy – I have to
listen, and Steven Stone. So, you know, you are in a state of flux, but I will
say that I think what we will find is that banks are business associates, many
times, of covered entities and that, in some cases – and this is a very limited
number of cases – banks do perform clearinghouse services that are defined
under HIPAA.

I want to just start with what is medical banking. You know, there is an
academic way of looking at it. It really is the convergence of banking
infrastructure with healthcare administrative operations, and when that
happens, there is data – protected health information – which can flow between
the two structures, and which has been acknowledged not just by banks, but also
my colleagues here.

Boy, this is not good.

In layman’s terms, it is utilizing bank IT and knowhow to manage medical
transactions.

The remittance transaction is uniquely suitable for banking infrastructure.
Banks have been managing payments for many moons and there is a very large
value that the remittance brings to the provider when you consider that you
really don’t know what happens to your claim until you actually get the
remittance back, to know whether or not your procedures were paid, partially
paid or fully paid or not paid at all.

The remittance itself becomes a very valuable and powerful transaction for
the provider and has the potential to literally transform the way the providers
do business, and to do that in a very cost-effective way. We estimate that
using banks as processor remittances will save this industry at least $35
billion annually, and we don’t have to go too far to look at case study in this
area. Medicare, when it initiated its electronic-remittance transaction in
1992, really started a whole new niche industry where providers went out to the
fiscal intermediary, grabbed the remittance information and automatically
posted that into their patient accounting system. We break down the aspects of
that – and we’ll do that in subsequent slides – to show what that value really
represents.

In our mantra, Medical Banking Project, since hospitals are delivering at
least $21 billion annually in charitable care, in uncompensated care, we think
that digital savings can be converted into charitable resources, and it’s
really – interoperability is our key focus and not necessarily privacy,
although privacy does have an impact.

What kinds of services are banks providing? Well, there are specialized
cash-management services, managing cash disbursements for a health plan, for
instance. One of the models that is emerging is taking the PHI component – as
Kepa was showing the transaction, there’s Table 1 and Table 2 data. The Table 1
data, which is the payment information, can be executed through the banking
clearinghouse network. The Table 2 data can be removed and introduced or given
to the provider in separate channels.

Lock-box specialization is accelerating in the medical-banking space. We
have seen a number of press releases – latest one was actually yesterday –
where there are banking organizations that are creating specialized remittance
– we’ll call them remittance clearinghouses for the providers – and,
interestingly, the product pathway for this would involve not only sending the
remittance to the provider electronically, but also taking that remittance and
comparing it with the original claim. In banking parlance, that is called AR
matching, but when you do that, what you actually get to see, in as real-time
as possible, which is not the current practice today, is all the areas that the
provider has to follow up with in order to get what they are expecting as a
payment on that claim. So the whole denial-management process becomes automated
as well as you cannot issue a secondary bill until your primary has paid.

The area of secondary billing is now becoming more automated, not just for
Medicare, now. We are talking about for all the other payers.

I don’t have it with me, but I was reading a clearinghouse that submits
primary and secondary claims, that does eligibility searches. The clearinghouse
performed patient-statement processing with a self-paid deductible. It also
permitted you, through a terminal – Okay. This is a little credit-card terminal
that can be placed in the provider’s office to do credit-card processing. All
of those functions are being offered by a national bank. So are banks providing
clearinghouse services? Obviously, they are.

There is another bank – I won’t mention them, but they are in Puerto Rico –
that does eligibility, claims processing as well. So we see this as an emerging
area, and there’s good reasons why.

We have been talking a lot about how it is going to cost a lot of money to
get providers up to steam with IT – administrative IT. Banks have decades of
investment in administrative and transactional architecture, which can be
leveraged by the providers to really ramp into a national health-information
infrastructure. So we see more of this happening, not less. We are certainly
tracking more of it happening and not less.

Other areas are card processing and actually leveraging the bank-delivery
system to reach all those providers that actually are not even submitting
claims electronically by bundling cash-management services.

How does this work? Well, ABC Community Bank concentrates payments and
remittances, two separate things. They are concentrating funds – that is,
actual dollars – and they are concentrating the data related to those funds.
Okay? And it is the data related to those funds that the traditional
health-data clearinghouse provides businesses or has a business with for
remittance processing.

What does that do? Well, you can automate claim functions. In other words,
you can automate cash posting, contractual-allowance processing, reject-note
posting and a whole series of other areas. The total savings to do that
manually versus digital is about $10 per transaction, which is substantial. In
this environment, banks can save the provider industry $35 billion. We call it
IOS, Inter-Organizational System. Basically, in today’s world, the health plan
or the health plan’s bank is actually creating the 835. They are distributing
it electronically through the ACH network or via paper, through lock boxes or
directly to the healthcare provider, and getting that information into the
patient-accounting system is happening, for the most part, manually for
commercial and self-pay dollars. Okay?

In tomorrow’s world, what we see is specialized outsourcing channels that
remove the PHI component, possibly – okay? – from the 835 and moves it through
specialized banking networks.

There is also the possibility – and we think it is a good one – that banks
can take both the data – the payment and the data and move it simply through
the ACH network. If that happens, we believe that that should be done under the
cloak of privacy, HIPAA privacy.

And, finally, to integrate that data requires point solutions at the
provider site that picks up the remittance information and automatically posts
it into their patient-accounting system. Those back-office processes are that
mountain of paper that we are trying to reduce into a digital stream. Okay?

So – and the actual movement towards this in the banking world is called
straight-through processing. The clearinghouse drafted a report talking about
straight-through processing in which they did a survey, over a period of time –
I think it was like over 12 or even 14 months – where they determined that in
order for banks to protect their payment franchise, they need to move data and
dollars together through the banking network. So it’s a competitive mandate, a
strategic mandate for banks as well, and we think it is a positive one for the
industry.

In a survey that we did with 53 of the top banks, we found that 50 percent
said that they actually provide accounts-payable services for health plans.
Accounts-payable services, meaning that the bank is taking in the remittance
information from the health plan and creating the 835 that will be sent through
the ACH network.

Another question in the survey we asked what percentage of payments do you
process for health plans that contain individually-identifiable health
information? And in that, the basic metric here is 14.3 percent of those
responding said none, that 14.3 percent of the banks that responded said that
none of those payments contained protected health information. So the vast
majority do.

On the medical-banking horizon, we see the implementation of these models
fueling credit access. Right now, there’s a lot of non-productive AR assets
sitting in medical providers’ books and records. In fact, one large healthcare
services organization that is very well respected estimated that that was $200
billion annually.

By automating the remittance, we can see the value of a receivable much
quicker, and if we can see the value of a receivable much faster, it is
possible that we can use that data – I say we, as an industry – we can use that
data to actually increase our credit access. I think banks are looking at that.

There are some like boundary-spanning areas, such as how do you ramp
healthcare providers into the national health-information infrastructure? Who
will be the holder of the keys, let’s say in the Santa Barbara County model
where there is actually – a public utility was created to hold the
master-patient index? Who will do that? Okay?

The ATM network is very sophisticated. It allows me to go to my bank and
pull out money out of my account and not HIPAA’s account, for instance. Okay?

The administration of the master-patient index would require much of the
same types of technologies, and, yes, there are banks and banking organizations
that are looking at this as a possible model for implementing the national
health information infrastructure.

What are the loopholes in the HIPAA armor? There are some critical-path
policy issues that we see, and I explained some of them before, and I am not
going to go over those again.

I have seen security of PHIs move to the banking system. That is one area,
and Section 1179 exemption. The two critical areas are banks exempted from
HIPAA under Section 1179.

I want to first talk about Section 1179. We have all heard and read that it
was intended to exempt the processing of consumer-conducted financial
transactions. We have heard from people that have actually crafted and drafted
the regulations that it was not intended to exempt banks. We think even this
small loophole, if you will, for consumer-conducted transactions will emerge as
a more important issue as we get into how banks are implementing HSA
strategies; that is, for the health-savings account. Will the bank get more
involved in claims processing? And we think banks, likely, will get more
involved with claims processing.

Another aspect of this debate is what is called the payment theory, and I
credit Oliver Ireland for verbalizing this, and it is really interesting, and
in Section 1179, it talks specifically about payment activities. Okay? Does
that payment represent dollars and data or does it represent just dollars?
Because we can take all of the functions in Section 1179 – processing,
collecting, clearing, settling. They all refer to the movement of dollars and
not data. So Section 1179, in our view, exempts payment, not remittance
processing. Remittance processing is an entirely separate channel.

Can the business-associate contract alone work? This is a good question. The
issue here – let’s say that Section 1179 exempts banks altogether. Okay? We
still have the business-associate contract which was implemented in the
statutory scheme, so that if a covered entity provided protected health
information to a bank, it would be protected. We have that still, whether or
not we exempt banks. The question is, if that is the case, then why did we name
the clearinghouse as a specific covered entity in the rule? Because every
clearinghouse would also be a business associate following that logic. It’s a
question. If we exempt all clearinghouses, maybe that is a solution or we can
make sure that all clearinghouses comply.

The provider’s bank, in our reading of the NACHA operating guidelines, is
not required to convert incoming remittance data into the HIPAA standard, but
required to convert it to a mutually-agreed-upon electronic format. So there
has been some talk that HIPAA automatically makes some RDFIs clearinghouses
under the HIPAA rule. We don’t think that that is the case.

If we expand the loophole – okay? – from consumer-conducted financial
transactions, what is the macroeconomic impact? We see banks acquiring
clearinghouses. I will tell you that we see that happening whether or not we
exempt banks or not from Section 1179. What HIPAA has done is it has turned the
spotlight, in terms of processing, into this area, and it is revolutionizing
medical-remittance processing.

Clearinghouses may change their charters to become banks. In that case, you
would have clearinghouses that are regulated under HIPAA and bank-owned
clearinghouses that would not be regulated under HIPAA, and in that uneven
statutory terrain or regulatory terrain, how do these few market structures
align with each other? And, really, is that really going to happen? There is a
strong possibility that it would if we exempted banks under HIPAA, which
presents the potential for a two-standard system for HIPAA, one non-HIPAA.

We also think that the progress that we have made may be solved, and we have
made significant progress in this area.

The reason why I would stall is because banks may consider, well, if we are
exempt, then do we want to align with a HIPAA clearinghouse? Maybe we want to
do that by ourselves. So there is reason for consideration from a macroeconomic
viewpoint on this issue.

Medical-records privacy is another issue, and there’s panelists here that I
think I’ll let take that issue further, but both electronic and paper
remittances do have protected health information. In all cases, paper – well,
most cases – and electronics sometimes, sometimes not. When lock boxes are
processed, these payments for a healthcare provider, lock-box personnel, you
have access to protected health information. Many times, they are taking that
information. They are putting it in rubber bands. They are putting it into
filing boxes and getting it off to the provider, so that they can manually post
that information.

Other lock boxes have specialized so that they are actually taking pictures and
they are imaging all the remittance information so they can provide a CD back
to the provider, and some lock boxes are actually trying to create and creating
the 835 from all that information that is coming to them manually. In that
case, there is a non-standard to a standard conversion, and that may qualify as
a HIPAA clearinghouse.

And there are other lock boxes that go beyond paper. They are actually
collecting the ACH transactions or it is going to an EDI department in the bank
for conversion.

There are ACH issues. The 835 may contain Table 2-protected health
information. When the ACH manages the remittance transaction, will the ACH be
considered a clearinghouse or a business associate? As a result, many banks are
business associates.

And then we talked about the whole area of intermediaries; that is, you have
the health-plan’s bank and the provider’s bank and all the financial
clearinghouses in between, and do they fall outside of the web of protection
provided by HIPAA?

We think that the best thing that could happen is if we encouraged the
bank-based healthcare stakeholder in American healthcare, because we believe
that is how much value banks do bring to this equation. So we think policy in
this area should be created so that it does encourage the stakeholder.

However, there are special cross-industry issues, and there needs to be a
panel, I think you will discover, after you have gone through these two panels,
to discover what these unique policy issues are.

The clearinghouse debate, it would be great if there was a HIPAA gap
analysis of the ACH network. Maybe there are no issues, but we don’t know that,
and that creates a problem for privacy advocates, and probably for the typical
consumer.

Also, healthcare credit practices. This was an area that we brought up some
time ago at our last time when I spoke at a hearing here, where you have banks
that have assets which are secured by the provider’s medical AR, which, under a
bankruptcy situation or under a violation of a loan document, automatically
bring those receivables into the bank. Absent a business-associate contract,
the extension of credit isn’t necessarily a pretense for establishing a
business-associate contract.

The other issue is how does one who is – if someone’s PHI is disclosed, do
they go to the OCC? Do they go to HHS? How do they file or cast a complaint on
that, and how is that followed up?

And, finally, I want to applaud the regulators, because HIPAA has energized
the medical-banking industry. Even with these loopholes, we consider this a
major policy success, because banks are involved, and the macroeconomic effect
of that is we will see reduced healthcare administrative costs as a result of
the banking stakeholder.

MR. ROTHSTEIN: Thank you very much.

Let me just advise people about the change in our schedule, at this point.
We will not be taking a break. We’ll be going to Mr. Stone as soon as I finish
describing this.

We had a change in our afternoon schedule, and the two law-enforcement
panels have been combined into one, which will be from 1:30 to 3:00. We’ll have
our lunch break from 12:30 to 1:30, and then the public-comment period will be
moved forward from 3:45 to 3:15, after a brief break. So we are actually ahead
of time, in case you thought we were behind schedule.

And so now we’ll go to Mr. Stone. Thank you.

MR. STONE: Mr. Chairman, members of the committee, thank you very much for
the opportunity to speak here today.

My name is Steve Stone. I’m a Senior Vice President at PNC Bank in
Pittsburgh, and I’m here today representing the American Bankers Association
and the National Automated Clearinghouse Association.

At PNC, I am the Director of Product Management, and I have responsibility
for our product development and delivery and distribution, all of our
cash-management services, and that includes our suite of healthcare products.

Today PNC has over 1,100 healthcare customers, and in December of 2003, we
processed more than a million claims on behalf of those customers. So we have
some experience in the area.

Before I begin my prepared remarks, I would like to actually comment on a
couple of things that previous presenters spoke about. Mr. Casillas mentioned
the notion that clearinghouses might become banks. I find that a bit difficult
to understand, particularly given the additional regulatory burden that they
would be exposed to, the capital requirements, the governance issues, the
public accounting, the oversight. It would be an enormous burden for a
clearinghouse to move from a fairly unregulated environment to a
highly-regulated environment. So while it is possible, it strikes me as highly
unlikely.

Several of the commentators have mentioned that the ACH transactions, an 835
payment could contain PHI going through the ACH system. That is absolutely a
possibility. We think in reality, however, that happens relatively infrequently
today, frankly, because the payers are uncomfortable about whether or not that
is, in fact, an accepted practice.

So while we can support it, as can a number of financial institutions, we
have no customers at the PNC Bank today who are using that particular payment
methodology, nor have we talked to any of the major cash-management or
healthcare originators who are using it, but there probably are some out there.

However, most of the payers that we have talked to are taking a very
conservative approach until they understand whether or not this is an
acceptable practice, and that is part of the reason we are looking for some
support from HHS.

And, finally, I guess just to kind of clarify some issues regarding the ACH
process – I apologize. I wish I had brought a PowerPoint. I normally love
PowerPoints. If I get to come back, I’ll bring a PowerPoint next time.

We did bring some handouts, and, frankly, at a high level in an ACH
transaction perspective – I think the committee members may have a copy of this
attachment – the ACH process is really fairly straightforward. The number of
intermediaries that may be introduced in the ACH process are actually
relatively few. There is an originating customer. There’s an ODFI, originating
depository financial institution. There is an ACH operator that sits in the
middle of the transaction that is generally either the Federal Reserve or the
Electronic Payments Network in New York is a receiving depository financial
institution, and there is a receiving customer, and, by and large, those are
the participants that are defined under the ACH rules, and those are the
participants that normally are going to handle an ACH transaction.

We have also provided to the committee – and, Kepa, you can check me on this
to make sure that we did this correctly. If there is a mistake, it is mine, not
one of our EDI people. This is actually what an 835 that contained a healthcare
transaction would look like. The yellow information is the ACH information. The
blue information is the Table 1 information, which actually has specific
payment guidelines on it, and the green information is the Table 2 data, which
would be the PHI.

Now, lacking a translation utility of some type, the PHI in this transaction
would be difficult for anybody to decipher. It is not easily read in this
format, which is why so many people are looking for some human-readable or more
understandable plain English version of what a healthcare transaction would
look like. So we provide that just for your information.

Let me jump back into my prepared remarks here for a few minutes, and I’ll
be fairly brief here, I think.

We do appreciate the opportunity for the banking industry to state its case
directly to this subcommittee. A lot of people outside of the industry have
attempted to speak for us, and we feel it is important that we be heard
directly.

And, at the outset, we would like to make the following points which we will
elaborate on further as we get to the rest of the testimony.

First, financial institutions are not trying to avoid the privacy and
security requirements contained within the HIPAA regulations.

Second, the ABA and NACHA are unequivocally opposed to data mining ACH or
other financial institution records for medical information.

Third, only financial institutions are examined for compliance with numerous
privacy and security regulations, and those examinations occur on a regular
basis.

And, finally, the processing of electronic remittance advice is just one of
two parts of a payment, along with an electronic-funds transfer. Those two
parts together are, in fact, the definition of a payment, an electronic funds
transfer and a remittance advice together. As such, it is part of the payments
process, and banks engaged in the payment processing are, we believe, exempt
from the HIPAA transactions standards rules under Section 1179.

The banking industry fully supports the protection of consumers’ private
medical information under HIPAA, and, indeed, consumers’ sensitive financial
information of any sort.

First and foremost, we understand, and we appreciate the sensitivity of
protected health information. Indeed, the personal financial information that
financial institutions have long protected is equally sensitive. Financial
institutions exist for one reason, because the public trusts us to protect and
preserve their assets, their information. If we fail in that mission, if we
violate that trust, we will not be in business for long.

So let me state for the record that financial institutions are not trying to
avoid the privacy and security requirements contained in the HIPAA regulations.

Our critics have misconstrued our position on the scope of the exemption for
financial institutions in 1179 as meaning that the HIPAA Privacy Rules will not
apply to banks’ handling of PHI, and that is simply not the case. We fully
expect that financial institutions that have access to PHI will be business
associates under HIPAA, because they have customers that are covered entities,
and, as business associates, will be subject to HIPAA’s privacy and security
rules, and although we may not be covered entities, our responsibilities,
particularly in the area of privacy, will be virtually the same as the duties
of any covered entity.

In 2002, the ABA and NACHA formed a committee, the Banking Industry Task
Force to address HIPAA’s impact on financial institutions and worked with HHS
and groups across the country to help financial institutions prepare.

As part of that effort, we modified the HHS model Business Associate
Agreement to take into account the many different laws that apply to our
industry. The Task Force also developed a privacy checklist for financial
institutions that are or that will be business associates, to coordinate that
work with their Gramm-Leach-Bliley Act privacy, and a copy of that document has
been attached to this testimony as well.

Recently, there have been some unsubstantiated allegations concerning
financial institutions’ use of consumers’ private medical information. The most
notorious example is the one referenced in the preamble to the first HIPAA
privacy proposal describing the banker who, when he learned at a county
health-board meeting that certain individuals had cancer immediately called
their loans.

However, according to the Wall Street Journal, the government’s source of
this anecdote, C. Peter Waegemann, Executive Director of the Boston-based
Medical Records Institute, acknowledged recently that he heard the story from a
source that he trusts, but was never able to verify it, and I quote, “I tried
many times for many organizations to retrace it, but I never found the banker.”
This story may well be apocryphal.

Privacy advocates have alleged that financial institutions have expressed
strong interest in data-mining information they obtain through transactions and
in using this information for marketing to their existing customers, finding
new customers and evaluating credit risks. As we have stated previously, there
is no evidence of strong interest in data mining of personal health information
by financial institutions.

Moreover, the ABA and NACHA wish to go on record as stating that we
unequivocally oppose data mining of ACH or other financial institution records
for medical information.

Concerns have also been raised that credit-card users must have data-mined
credit-card information in order to provide their customers with annualized,
individualized categories of credit-card spending, including medical products
and services. In fact, credit-card companies merely aggregate such charges
based on the merchant category codes that are assigned to those merchants when
they apply to accept credit cards initially. Credit-card issuers send these
statements to their customers as a convenience, particularly at tax time, so
that card holders can have a consolidated list of various types of expenses.

Financial institutions are currently examined for compliance with the
privacy provisions of the Gramm-Leach-Bliley Act covering nonpublic personal
financial information and its implementing rules on a regular basis. In
addition, financial institutions have long been subject to the highest
standards of information security. Particularly in areas where funds are
actually being transferred, the availability of information and equipment is
strictly limited to those who must have access to it to perform their jobs.
Failure to do so – failure to restrict that access could provide enormous
opportunities for theft of funds, and any third parties to whom banking
functions are outsourced must agree to the same security and confidentiality
requirements as the financial institution itself. In addition to the banking
agencies’ rules, NACHA’s rules separately require that ACH departments be
regularly audited.

In June 2004, regulations implementing the medical information provisions of
the recently enacted Fair and Accurate Credit Transactions Act, or the FACT
Act, will become effective. The FACT Act prohibits creditors from obtaining or
using consumers’ medical information, as that term is broadly defined, when
making a determination of initial or continuing eligibility for credit, other
than as exempted by federal regulators. The agencies are currently drafting
these new standards and are considering the appropriate use of medical
information generally in the form of debts to medical providers received in
applications for credit. Thus, in June, financial institutions will be
prohibited from improperly basing credit determinations on medical information,
if they ever did, which we strongly doubt.

Section 1179 says, in essence, an entity that engages in the activities of a
financial institution is exempt from the HIPAA transactions, privacy and
security rules. Congress placed no limitations on these activities, but rather
enumerated certain payment-processing activities to ensure they would be
covered by the exclusion. The provision of the regulation has caused
considerable speculation among members of the healthcare community. Would this
give financial institutions an unfair advantage? We think not.

A payment is composed of two parts, according to the regulations- an
electronic funds transfer, or EFT, and an electronic remittance advice, or ERA.
A number of people want to use payment and EFT synonymously, but they are, in
fact, different. A payment, as its name implies, there is a known debt between
two parties, and the funds are being exchanged to reduce or to eliminate that
debt. For the party receiving the payment to recognize it and apply it
properly, it has to be accompanied by some level of remittance information, and
the more complex the relationship between the parties, the more remittance
information is needed for the payment to take place. A funds transfer without
explanation does not constitute a payment because the receiving party cannot
apply it.

Moreover, the Office of the Comptroller of the Currency, or the OCC, as long
ago as 1988, determined that transmitting patient-treatment information between
insurers and providers was “incidental to the business of banking” under the
National Bank Act. Since that time, there have been many other OCC precedents
related to healthcare insurance-support services. In addition, in 1994, the
Federal Reserve Board determined that the operation of a medical-payments
network, including the processing and transmission of medical and coverage
data, to be a permissible activity for bank holding companies. As a result of
this history, we can only assume that Congress must have been aware of these
interpretations when it enacted HIPAA in 1996.

We believe that the exemption from the HIPAA regulations when engaging in
payment activities, such as the processing of 820s and 835s, clarifies some
oversight and some enforcement issues, but it does not diminish the protections
of PHI that are required under HIPAA. Moreover, in terms of volume, the 820s
and the 835s are but two of the eight approved transaction types, and not even
the most numerous of the types of transactions that might be handled under
HIPAA.

Importantly, financial institutions that venture into areas of eligibility
testing, claims submission, et cetera, have moved outside of the protected
payments space created by Section 1179 and would be subject to applicable HIPAA
regulations like any other clearinghouse.

In summary, the ABA and NACHA wish to reiterate that financial institutions
are not trying to avoid the privacy and security requirements contained within
the HIPAA regulations. Moreover, ABA and NACHA are unequivocally opposed to
data mining of ACH or other financial institution records for medical
information. Only financial institutions are routinely examined for compliance
with numerous privacy and security regulations, and are subject to significant
penalties for failure to ensure compliance. Processing ERAs is a part of the
payments process and is exempt from HIPAA transaction standard rules under
Section 1179.

And, finally that exemption confers no competitive advantage on financial
institutions vis-a-vis other healthcare clearinghouses. In fact, our
responsibilities with respect to privacy and security will be virtually the
same as any other covered entity.

We think Congress and the drafters of this legislation recognized rightly
that financial institutions play an integral role in payments processing and
wanted healthcare payers and providers to be able to retain those
relationships.

Again, we thank you for the opportunity to present our views.

MR. ROTHSTEIN: Thank you very much, and we will begin our questioning now.
So members of the subcommittee? Anybody have questions?

Mr. Reynolds.

MR. REYNOLDS: No one on the panel seemed to state – why wouldn’t it be good
for banks to be included in the HIPAA law? We hear all the discussion and – you
understand the 835, looking at your chart. The 835 contains everything that
came in on the 837, which is different than the current remittance processing
that is going on in most of the industry now. So it’s just a question.
Everybody raised a lot of questions, but why wouldn’t that just be the easiest
thing to do?

MR. STONE: Let me take a shot at that, since I represent the banking
industry here.

As we have looked at the issue regarding banks as clearinghouses and banks
being covered under HIPAA, there are a couple of difficulties in terms of
reconciling regulatory positions that we would have to deal with to make that
operable. We have a question of who has regulatory preeminence, whether it is
going to be HHS, and/or OCC and the Federal Reserve, in the case of
state-chartered banks, and so there is still a regulatory oversight
coordination effort that has never been resolved. We think having banks
excluded from HIPAA, frankly, takes that issue off the table, eliminates that
question as to who has oversight responsibility for financial institutions.

There are also a couple of areas in the requirements for clearinghouses that
a bank may not be able to honor, and, at the same time, fulfill its other
fiduciary responsibilities as a bank.

For example, there are situations where a clearinghouse, because it may be
the holder of a designated record set, has to make amendments to certain
records that are in its possession.

A financial institution, on the other hand, because it is handling payments,
cannot really amend the record of a payment that has been previously processed.
A clarifying or correcting entry could be submitted and the bank could process
that as well, but the bank cannot go back and historically change the record of
a payment that has been successfully handled already.

So there are several other examples like that. There are some notification
requirements that clearinghouses may be required to make that financial
institutions either would not normally make or might be inconsistent with other
reporting requirements that financial institutions have. So there’s a lot of
work that would need to take place there.

Then, I guess the last issue is a quick reminder here. On the receiving
depository financial institution side, that last party in the transaction that
gets the data, that party has a responsibility for making that data available
to the ultimate customer in a format that is mutually acceptable. Now, that may
be, in the case of a sophisticated customer, a straightforward 835
non-translated original-form transaction, but for many providers, particularly
smaller providers, that is going to take some other form. It is going to be a
simplified record, a human-readable record. That would potentially put that
bank in the position of inadvertently becoming a clearinghouse and the bank is
basically going to be caught in an untenable situation if the bank is kind of
stuck between these competing sets of rules – I’ve got to provide this
information, but doing so makes me a clearinghouse. Making me a clearinghouse,
then, makes it impossible for me to meet other responsibilities that I have.

MR. ROTHSTEIN: Mr. Stone, let me follow up on that by asking you a couple of
questions, based on your testimony.

As I understand your written and oral testimony, some banks, in your
judgment, perform in the role of a business associate or as a clearinghouse,
and I believe that was Mr. Casillas’ testimony as well.

The question that I have is when those banks assume those roles, is it your
information that they comply with all of the requirements under the Privacy
Rule that apply to covered entities, in the case of clearinghouses, or do they
execute business-associate agreements when they act in those roles?

MR. STONE: We have recommended to financial institutions that they
participate in and execute business-associate agreements when they are engaged
in healthcare processing. The responsibility for obtaining a business-associate
agreement lies with the covered entity. So the payer or the provider really has
the responsibility of soliciting and obtaining that information prior to the
release of PHI to its business-associate partner, financial institution or
otherwise. So we recommend it. We strongly recommend it. We have drafted
language to help financial institutions understand what they should be prepared
to commit to if they are going to be a business associate.

In terms of what those organizations have to do if they are a clearinghouse,
there are only a couple of banks in the country that have kind of voluntarily
declared themselves to be healthcare clearinghouses. As to what those banks
have done for their own compliance, I cannot speak to that directly. I can
speak to what we have done from a compliance perspective, but I have no idea
what the other banks have done.

MR. ROTHSTEIN: Well, let me open it up to the other panelists, and I’ll
repeat the question. From your experience, the banks that engage in practices
that would make them business associates, are they asked to? Do they, in fact,
sign these business-associate agreements, not who has the responsibility for
soliciting it? Is that a common practice or is the concept of business
associate sort of alien to the banking industry?

DR. ZUBELDIA: We just came from Puerto Rico a couple of weeks ago, from a
clearinghouse that has been acquired by a bank, and they are fully cognizant of
HIPAA, and because they have a clearinghouse, they have set up the barriers to
separate the clearinghouse from the bank, and it is an arms-length relationship
with the full HIPAA protections that a clearinghouse has to make sure they have
in place. HIPAA says that when a clearinghouse is part of a larger entity, they
have to have the barriers between the clearinghouse and the rest of the entity,
and we know that is, in fact, the case, in this specific institution in Puerto
Rico.

MR. CASILLAS: That is also the case for another large bank that classifies
themselves as a hybrid covered entity, where they are implementing the policies
and procedures of HIPAA for that entity, creating sort of like Chinese
firewalls between them and the rest of their operating units, so that they will
comply fully with the HIPAA regulations for that entity, but they don’t have to
– the whole bank does not have to do that.

Just to follow up on the business-associate question, there are a number of
banks that have called the medical-banking project about the business-associate
contract, and my sense from listening to them talk is that they are executing
and signing business-associate contracts when asked to do so.

MR. ROTHSTEIN: Okay. I have a couple of questions for Ms. Pritts as well.

I know that your organization routinely gets inquiries and complaints and
the like, questions from consumers, and the question is do you have any
evidence of the improper use or disclosure of protected health information by
anyone in the banking system?

And sort of the second part is even if the first answer is no, do you have
any evidence that consumers, fearing the misuse of that information, are
reluctant to undergo medical procedures because they are afraid that this
information would be available?

Sort of the background of that is we know that from various consumer surveys
that 70 to 80 percent of people say they would be reluctant to undergo genetic
testing if their employer could get access to the result.

Has this banking issue reached consumers, patients, to the extent that they
might act on that in their healthcare decision making?

MS. PRITTS: Well, I am going to answer your first question first, which is I
don’t think that there are any documented stories out there of banks misusing
people’s medical-record information. I have – other than the one that had been
used in the Senate – in the hearing that was – Wall Street Journal fellow
followed up on. That is the only story that I am aware of, and that proved to
be – they were not able to document it.

But I will say that I have a few points to add on to that. One is that I
think that sometimes perception of people is almost as important as reality,
and I would be – I tell you, when you talk to people – you know, they did this
survey and they say 95 percent of adults don’t want banks to have access to
their medical information without their permission. People have a very visceral
reaction to anybody who is in a position to make very important decisions about
their life having access to their medical information. They don’t want their –
they don’t even want their health insurers to have all the information, and
they are an integral part of the system. They don’t want life insurers to have
all the information. They don’t want banks to have the information. They don’t
want their employers to have the information, and the reason is that these are
institutions that they perceive as being able to make really important
decisions about their life.

So I think that sometimes when you are dealing with the public, you need to
recognize that their perception is very important to them, and although I think
people trust banks in certain ways, in certain aspects, they trust them to
handle their financial information, but they also trust them that they are
going to get – you know, when you’re dealing with a credit-card company you are
going to get 10 solicitations in the mail for other products, and they are not
so sure they want their medical information treated quite the same way.

You had a second question. I’m sorry. I went on so long, I forgot about it.

MR. ROTHSTEIN: Oh, you were actually answering the second question.

MS. PRITTS: Okay.

MR. ROTHSTEIN: (Laughter).

MS. PRITTS: The other thing is that most people right now don’t know that
banks may be in a position in the future to be processing health claims, and I
think that takes it to a different level for most people.

You also had asked, I do recall this, about whether people avoid treatment.

MR. ROTHSTEIN: Right.

MS. PRITTS: I don’t know that they avoid treatment. I think they might avoid
– they are very careful how they phrase things, and I have heard this from a
number of different sources. I have dealt with a number of different what I
would call consumer-disease organizations of people who have certain diseases,
and what they almost – whether or not they need to do this is, again, the
question, but what they do is when they tell somebody, oh, you’re refinancing
your house? Whatever you do, don’t tell them you’ve got cancer. So this is what
is the kind of thing that is out there. It makes people anxious. Whether or not
they are avoiding treatment, I don’t know. I think it is more likely that they
are very careful with how they treat their health information when they apply
for a financial product.

MR. ROTHSTEIN: But I think in – probably in the normal course of medical
treatment, I would guess – and I’m happy to be corrected – that in the standard
notice of privacy practices, few healthcare providers disclose that
information, you know, PHI could be revealed in the payment chain. Kepa, is
that your sense?

DR. ZUBELDIA: The ones that I have seen say that the information will be
used for payment –

MR. ROTHSTEIN: But not necessarily to a bank. I mean, assuming that it would
be like the health-insurance company or HMO or –

DR. ZUBELDIA: Yes, they don’t specifically go into the details as to what
happens and who will have access to it as part of the payment process.

MR. ROTHSTEIN: I have one last question, and this is a legal question, and
that is do you think – suppose that we wanted to ensure that the banking
system, in all of its permutations, would be clearly subject to HIPAA, given
the language of 1179, do you believe that it is possible for the department –
that is, HHS – to construe 1179 as limited more narrowly to the consumer side –
you know, consumer pays with a credit card, et cetera, et cetera – or do you
think it would require an amendment by Congress to 1179 to have a broader
coverage of banking transactions – I don’t want to get into exactly what I’m
talking about – within the ambit of HIPAA?

MS. PRITTS: And you’re asking that question to me –

MR. ROTHSTEIN: Well, this is a legal question, so –

MS. PRITTS: Well, okay. I am a lawyer. I have looked at 1179, and, in all
honesty, I think that it depends on what legal hat you want to put on.

If you were Justice Scalia and you read Section 1179 – for those who are not
into the judicial scuttlebutt, Justice Scalia is a very strict constructionist,
and he would look at this and he would say, there is nothing on the face of
this statute that indicates that it is limited to consumers, and he may stop
right there.

If you were before Justice Stevens or Breyer, they would look at this and
say, when you look at the whole schematic of how this works – and there are
some additional problems with the way 1179 is written that causes additional
problems, because it doesn’t say to the extent you are engaged in the same
financial activity for which you originally received the information, for
example.

So the exemption, when you read it, is really very broad, and they could
say, this doesn’t really make sense. To read it on its face does not make
sense, and, at that point, you get into the legislative history of it, and I
think if you get to that point, it is pretty clear that – well, I won’t say
it’s clear. Everybody has their opinion, but there is a significant indication
that it was meant to be read as being consumer-oriented transactions and that
when financial institutions were doing some other sorts of things that they
would be subject to HIPAA.

Following that up, I have a question here that I wanted to ask about that,
because I’ve got this letter that ABA sent to HHS where it says, as clear from
the above, the plain language of the statute exempts from any regulations
promulgated under the admin – any entity engaged in the activities of the
financial institution. Nothing in Section 1179 restricts exempted activities to
those involved in the payment system.

So, to me, that statement was a lot broader than what I heard today, and I
would be really curious to hear a clarification of it, if I could.

MR. ROTHSTEIN: Well, we may get that for you from one of these witnesses,
but I would like to give Mr. Casillas and Mr. Stone an opportunity to comment
on the original question that I asked about, whether you think that there is
sufficient statutory authority – depending how you construe 1179 – to more
closely regulate the banking transactions. Mr. Casillas?

MR. CASILLAS: We believe – and we have taken each one of these words,
literally, and have plotted them. You cannot clear and settle a remittance. A
remittance is – you can clear and settle a payment, but clearing and settling
is not done with remittances.

So if you look at the statute in aggregate and look at all the functions
that are listed, I can show you where each one of those words in the financial
arena – okay? – means something with respect to processing dollars – okay? –
and not the remittance that accompanies those dollars, and it is the remittance
that accompanies those dollars, obviously, where we have this problem with
privacy.

So we believe that you can – it is a view – you can take Section 1179 and
exempt just consumer-conducted financial transactions.

MR. STONE: We went back and looked at this. We tend to think that literal
constructionist versions, strict interpretation, would, in fact, suggest that
there can be no limits placed on banks in their ability to process payments
under HIPAA. The banks should be – payment processing should be excluded from
the regulation.

If, in fact, that interpretation were to change, that – my opinion – I am
not an attorney, but in my opinion, they would need to modify it or amend
Section 1179.

We actually engaged Peter Swire, who is today a partner of Morrison
and Foerster and a professor of law at Ohio State University, and formerly was
Privacy Counsel in the Clinton Administration, when this regulation was passed,
to ask him his interpretation, because he was at the table; and his
interpretation is, frankly, consistent with the banking industry’s
interpretation that this was not – while it may have originally been initiated
by advocates who were trying to exempt certain kinds of consumer payments, in
its final writing, the intention was that financial institutions would be
exempted from this legislation.

So his participation in the process would tend to support our general
conclusion from having read the language of the legislation.

MR. ROTHSTEIN: Well, lucky for us, we actually have the drafter of 1179 here
who has graciously agreed to explain what it was he had in mind, and with the
consent of my colleagues, I would like to ask –

MR. GILLIGAN: Excuse me. I’m the person who worked on Section 1179, then had
it – was instrumental in getting it included in the –

MR. ROTHSTEIN: How do you know I wasn’t referring to you? (Laughter).

DR. BRAITHWAITE: I’m Bill Braithwaite. I was working for the –

MR. ROTHSTEIN: If you would like to comment, we certainly would appreciate
your comments as well. So if you would like to come to the table, we’ll hear
from you next.

DR. BRAITHWAITE: I was working for the professional health staff of the
Senate Finance Committee at the time that this language was drafted in 1994.
It, along with most of the administrative simplification language, finally got
attached to HIPAA when it was passed in 1996, and as Tom has sort of mentioned
offline, the original language was proposed by him representing the Visa and
MasterCard organizations that he was lobbying for, and, after some negotiations
about the actual words, was adopted with the intent to exclude consumer
payments, either those by credit card or those by check, from the standards
being set by HIPAA. It was not intended to exclude anyone else for any other
purpose.

MR. ROTHSTEIN: Okay. And could you identify yourself for the record, please?

MR. GILLIGAN: My name is John Gilligan, and, at that time, I represented
MBNA, which is a credit-card company based in Delaware. With MBNA came Visa and
MasterCard, and we lobbied Congress and the Administration on this issue for
several years.

One of the other things that is in the legislative report language is that
it refers to an individual making use of the payment system, the credit-card
system, what have you, in the use of the word individual, rather than the word
person. Definitely, person would have meant – could have included a corporate
person, but individual, definitely, in my mind, and I believe the mind of
others, it’s clear that this was consumer personal use of the payment system.

MR. ROTHSTEIN: So am I correct in saying that the two of you agree that it
was intended to be for individual credit transactions? Is that your –

MR. GILLIGAN: Credit cards and checks.

MR. ROTHSTEIN: Credit cards and checks.

MR. GILLIGAN: In other words, a transaction in the financial institution
where the consumer signed the bottom of the check –

MR. ROTHSTEIN: Right.

MR. GILLIGAN: – or signed a credit card transaction –

MR. ROTHSTEIN: And that’s –

MR. GILLIGAN: – authorizing a use of the payment system to get his bill
paid.

MR. ROTHSTEIN: Okay. So –

DR. BRAITHWAITE: And I agree.

MR. ROTHSTEIN: All right. So we have a difference of opinion from people who
were at the table when that language was drafted, and the subcommittee will
take note of that.

We have a few more questions. John.

MR. HOUSTON: Yes. Get down to brass tacks. I’m still trying to search for
what – are there any changes required to the Privacy Rule? Obviously, 1179
might require some clarification, but I’m still trying to understand whether
there are specific issues that we need to make recommendations regarding with
respect to the Privacy Rule. Is there something else broken that needs to be
dealt with, and are there ways to deal with 1179’s unintended consequences with
regards to having some type of a recommendation with regards to increasing the
scope of what a business associate is or a clarification of a what a business
associate is to cover this gap?

DR. ZUBELDIA: My first recommendation would be that until this issue is
settled, there should be a recommendation to healthcare providers and payers to
consider the financial system as potentially not in accordance with the spirit
of HIPAA privacy, and perhaps a requirement that there be business-associate
agreements to protect the privacy or they would have to avoid sending PHI
through the financial system.

MR. ROTHSTEIN: Is there any way that the banking industry and the payment
chain can do what it needs to do with less PHI, in your judgment?

DR. ZUBELDIA: I believe they can. It’s only in those value-added services,
such as lock box and value-added clearinghouse services they need the PHI. I
believe that in order to accomplish the payment purposes of those transactions,
they don’t need the PHI part, and that is why, for instance, the CCD and CCD+
which effect the majority of the electronic-funds transfer in the country don’t
have addenda records – more than just one addenda record, and they can effect
payments with the Table 1 of the 835 and Table 1 of the 820 without ever seeing
Table 2, and that would work perfectly well for the banking system, except that
if they want to get into value-added services, which would perhaps classify
them as clearinghouse services, they would need those Table 2s.

MR. ROTHSTEIN: John, did you have further questions?

MR. HOUSTON: Just for a followup, though, I mean, I thought the designation
as a clearinghouse is a fairly specific event, though, in a way. So I can’t
imagine a bank sort of on an ad-hoc basis sort of expanding its role without
some type of agreement from the covered entities on which they are performing
these transactions that that is, in fact, what they are. So –

DR. ZUBELDIA: The definition of clearinghouse is strictly data conversion or
format conversion. So you have lock boxes that get paper remittance advice. You
have banks that could be getting 835 with Table 2, just to route the table to a
provider without converting anything, that would be exposed to PHI without ever
being a clearinghouse.

MR. HOUSTON: Right. But they could always be a business associate, even if
they do certain functions that could be characterized as clearinghouse
functions, correct?

DR. ZUBELDIA: Yes.

MR. HOUSTON: And so, therefore, it would still keep them within the
framework of being a business associate and put the agreements in place,
appropriately control and protect PHI on behalf of the covered entity.

DR. ZUBELDIA: So perhaps guidance to the providers and the payers would be
appropriate, that they have to have those business-associate contracts in place
in order to use these non-HIPAA clearinghouse services that are value-added
services that are very efficiently done by the bank.

MR. ROTHSTEIN: Okay. Mr. Reynolds.

MR. REYNOLDS: Yes, we have noticed that as the states recognize what would
be considered loopholes in HIPAA they are passing law. Have any of the
panelists seen implementations across the country that would relate to this
subject of states stepping up and doing something differently than what we have
talked about here this morning?

MR. CASILLAS: Yes, we actually did a little study, actually, on a
state-by-state map on protected health information as HIPAA defines it and have
found a very – it is very uneven in terms of what a bank can do even when you sell
a receivable or you hold it – you collateralize a loan against it, the
transferring of that receivable would not be allowed under some state
regulations.

So another aspect of your question, though, which is interesting in this
area, is you cannot stop a bank from accepting deposits – okay? – it’s almost
constitutional theory. You cannot do that, and to the extent that HIPAA’s
preemption scheme permits all these different regulations across the state or
the country and that does impact deposit taking, it would be very hard to
implement HIPAA for those banks, if that makes sense. I mean, in other words, a
bank will always be able to accept deposits, according to that interpretation.
I guess that is all for that.

I would say one other thing, that I think that if you just affirmed – if CMS
simply affirmed the current regulation as is, I think all the other
difficulties would take care of themselves in our study, but what we are being
asked to do is exempt banks – okay? – and we think that is where we run into
difficulties.

MR. ROTHSTEIN: Well, I want to thank all of the witnesses and our extra
unscheduled guests for sharing their expertise with us.

We will take a break until 11:30, and then the second panel, which only has
three witnesses, will go from 11:30 to 12:30 and then we’ll have lunch from
12:30 to 1:30.

So we are in recess.

(Brief Recess.)

Agenda Item: Banking – Panel 2

MR. ROTHSTEIN: Having raised a number of fascinating issues in Panel number
1, we are going to be able to solve all of them in Panel number 2, and our
first solver of issues is Mr. Tom Dean.

MR. DEAN: My name is Tom Dean, and I am here to further muddy the waters, I
think. I’m not sure.

Let me just tell you my background is I have a lot of experience in the
processing of payments. I have held various management positions at a number of
companies that service banks and help them to process payments.

Most recently, I hold a position as Executive Vice President of Advanced
Financial Solutions, and Advanced Financial Solutions processes payments for
and/or facilitates check processing for 7,500 of the 20,000 banks in this
country, and we have a subsidiary organization, Medical Banking Exchange, that
I am the President of, and so I come to you today as neither a privacy expert
nor – in the banking industry or the medical industry, per se, but, really, in
hopes – what would be my purpose then? I’m hoping that I can help frame the
discussion a little bit and to try to help you understand the growing role that
I think banks are playing in the whole administrative – process, and hopeful
that the framing of your discussion and thought processes related to privacy,
business-associate agreements, covered-entity status will be framed properly,
given the role that I see banks playing today and in the future.

One of the disadvantages of following people like Kepa and John Casillas is
they have already said most of what you are going to say, and they have
articulated it better than you can. So I’ll try to be brief on some of the
things that have happened, but, essentially, one of the things that we see
happening is a great focus on the remittance area. There has been some
administrative simplification related to electronification of claims, automatic
adjudication, and, now, what is the big next step is to simplify or automate
the whole remittance side of the world.

And, in doing so, we need to realize – and I think it is inherently obvious
– that financial institutions are the entities that get to transfer and settle
payments, and payments are inexplicably attached to the remittance data; that
is, the patient-accounting data, the private-health information that we are all
concerned about, when it is attached to a remittance is also attached to the
payment or the transfer of funds, and the only entities that can do that are
banks. So banks cannot be necessarily excused from the discussion, regardless
of even if you separate the private-health information and the payment and they
take different paths, because someone has to reconcile the money in the bank to
the remittance data that is received by a provider, and the only entity that
really could do that effectively, is a bank.

Banks are, today, performing clearinghouse functions. Again, the best
example of that is a lock box that opens a paper remittance, deposits the
associated check and then is asked by a provider to extract the detail, data
from that paper and put it into a format, when that provider says, well, gee,
since I get electronic remittances in an 835 4010 format, why don’t you just
take that data off of the paper, extract it off the paper, and then present it
in the same format? Banks are transferring, and this is happening today, and
there are many different banks that are doing this today. They are taking that
information for some of their provider customers, and they are formatting it
into an 835.

In addition – and Kepa explained the ACH transactions very well – one form
of an ACH transaction is a CTX. In a CTX, you can encapsulate an entire 835.
However, many providers – and providers come in all shapes and sizes – are not
equipped to handle the 835 EDI data.

If you look at other industries – that is, industries that have effectively
used EDI for quite some time – many of them are going to – the trend is towards
XML formats. XML formats are just a new way to format data that is more easily
handled by – from one system to another system. So, for instance, we have
customers of ours that are today taking in 835 data and reformatting into XML
formats for their provider customers. That is a case, obviously, where a bank
is converting non-standard data to – or standard data to non-standard data, and
that is a clearinghouse function under HIPAA.

What gets to be more interesting is the natural evolution, in my mind – if
that place of business can give me an electronic version as a bank, an
electronic version of the invoices that they send, then when I process the
remittances, I will attempt to match the invoices and the remittances and
report on the discrepancies for that entity.

Given the difficulty that providers have in properly posting their
remittances, providers are great candidates for this, what in banking terms is
AR magic. Okay? A claim is the invoice in the provider world, and those claims
are electronified, for the most part. So the bank simply says, boy, if I could
get a hold of that claim data in electronic form, and I could match it with the
electronic remittance data and then report to you on the dispensation of the
original claim as versus what was actually paid against it, would not that be a
good service to offer you? And the answer is yes. Providers could use that
service.

So when I describe these things, I am an advocate for leveraging
infrastructure that exists in banks to help the providers, but when that
happens, the bank will find that it is not so easy, necessarily, to get the
electronic 837 data. So more and more what banks will do is suggest to
providers why don’t you somehow or other process that claim through the bank so
that I can get a hold of it first? Doesn’t mean the bank is actually going to
act as a clearinghouse per se. That bank may go ahead and pass that information
through some clearinghouse, but that is going – in our mind, that is going to
happen more and more. So we are talking about banks potentially processing
claims as well as remittances, in my mind, in the very near future.

There is a movement afoot. The suggestion is wouldn’t it be great – and I
think the answer is certainly yes – if we could do what is called real-time
claim processing, and most of the focus thus far has been on the idea that if I
am a patient, I go to my doctor, and before I leave the office, that doctor is
able to submit a claim in an electronic form to an insurance company in some
format where in real time they could adjudicate that claim, and my suggestion
is that if, in fact, that occurs, we are sort of halfway through the process.
Why wouldn’t – if I can adjudicate it and I know what I am going to pay, why
wouldn’t I then automate the process in real time and make the payment in real
time? But in order to do that, I have to make the payment in real time, and I
also have to submit back the remittance data in real time in some format that
can be handled by the provider and automatically entered into their practice
management system or patient accounting system.

Banks are the only entities that would be able to facilitate that
transaction, because there is a payment associated with it, and banks are the
only entities that could associate the original claim, the remittance data that
contains the private health information and the payment. So there is no other
choice, in my mind, my humble opinion, that would allow for that to take place,
except to include banks.

I think Mr. Casillas also mentioned briefly – and I will just echo his
sentiment – there are point-of-sale devices that – you know, not too long ago,
in the credit-card world, we had to deal with paper or credit-card slips, and
then someone said, well, why would you do that? Why don’t you just put at the
point of sale some small terminal that allows for that credit-card transaction
to be recorded and hook it to an electronic network? And many providers are
able to take credit-card payments from their patients.

Someone then said, well, why can’t we explain the functionality of that
small point-of-sale device to include things like eligibility checks and
claims? And so that with one small device, I have helped a provider –
especially a small provider – electronify their world in more than just the
payment side of things. Okay? So the natural distribution of such a device is
through the banking network. Okay? And that device exists today and is being
distributed by, I think, around 200 banks.

In addition to processing payments, banks do make loans. I think this is
very important, because, from my point of view, the practical tradeoffs here
are we need to experience the savings as a country that administrative
simplification can give us. At the same time, we need to be very aware that
there are real private-health-information issues, and how can we reconcile the
two? But involved in this whole equation, when you get involved with it, and,
certainly, if you look at the banks, is this whole idea of the fact that –
unlike other businesses, providers have the same issues – they face the same
issues as other businesses; that is, they need to make capital investments to
improve their business, but the problem is that a good segment of the
providers’ receivables cannot be accurately valued, and so, therefore, a bank
has a challenge as to how to properly make loans against the asset that a
provider has, and a great deal of the total assets a provider has is wrapped up
into their receivables. Okay?

My suggestion is, as banks get more involved in processing both the claims
and the payments, it is natural that they have the information. It would allow
them to properly model what the real value of any given claim is because, over
time, historically, they can warehouse that data and then they can mine that
data. From a privacy standpoint, when people talk about data mining, they
always view it as some kind of a bad thing. In this case, it’s some kind of a
good thing. Okay? It’s really good, because if, in fact, a bank could do that,
then they could properly value receivables, then there would be more liquidity,
and there would be more of an opportunity for doctors to do things like invest
in technology that is necessary for administrative simplification, and the
whole country is better off. Okay?

So this is a big issue, but the point is how do banks do this in other
areas? How do they value and what banks typically call score receivables? Well,
they do that by getting historical data and analyzing it. Many times what they
do is they share that data amongst themselves, so that they can build even
better models, because this is all about predictive modeling, and the more
information I have, the better I can model. Okay? So if you said to the banking
industry, how are you going to do this? That is essentially the answer that
they would come up with, but there’s all kinds of issues related to the sharing
of that information when it contains private health information.

We touched a little bit on clearinghouses becoming banks, and I would just
say this: I don’t believe that clearinghouses would want to subject themselves
to all of the overhead that is required by banks – the regulatory overhead –
and I agree with that assessment, except if the tradeoff was that in some ways
it helped me streamline my business.

So involved in the discussion related to different states in different
statutes – Let’s assume for a second that different states have different
statutes related to mandating what clearinghouses must do and must not do.
Okay? In fact, the State of – I think the State of Maryland says if you are a
clearinghouse in this state, then you have to be certified by certain
organizations, as an example, but other states don’t have that same
requirement.

If it helps me as an entity to become a bank, so that I can streamline my
business and maybe adhere to one specific set of requirements, then I might
just do that, and examples exist out there, and probably the best example I
could just think of off the top of my head was that many department stores and
oil companies and consumer-credit organizations have become banks in this
country, and the reason why is because if I am not a bank – a
nationally-chartered bank – then I have to deal with every different state’s
usury laws, but if I am a bank, then I have one set of – a nationally-chartered
bank – I have one set of laws I have to adhere to. Okay? So as a matter of
convenience, let’s call it, it is conceivable and possible that clearinghouses
would either decide to become a bank or decide to have some kind of specific
and special relationship with a bank, so that somehow their transaction part of
their business would be simplified. I do believe that is possible.

Banks are important stakeholders, in my mind, and so that is where this
gets, I think, even more interesting, and I have just listed a few reasons why
I believe that is the case. If the medical community can leverage the
infrastructure that exists in the banking community, I believe that some very
important things can happen.

First of all, not just one, but many different interoperable infrastructures
and networks exist for banks to be able to communicate with other banks, all
kinds of different data, mostly related to payments, but those infrastructures
already exist.

In addition, if you look at the volume of transactions, we have – banks have
made large investments in high-speed transaction processes and databases and et
cetera, and, finally – and I think this is very important to note – healthcare
is local. There is a local bank everywhere where healthcare is dispensed. Okay?
Physical presence of a local bank, and I think that that is very important when
we frame the discussion.

Thank you.

MR. ROTHSTEIN: Thank you very much.

Dr. Slomovic.

DR. SLOMOVIC: Thank you for the opportunity to testify before you as you
consider issues related to banking and health information.

My name is Anna Slomovic. I am a Senior Fellow at the Electronic Privacy
Information Center in Washington, D.C. EPIC is a public-interest research
center established in 1994 to focus public attention on emerging
civil-liberties issues and to protect privacy, the First Amendment and
constitutional values. EPIC has a long-standing interest in privacy protection
for health information handled by the financial industry and has testified in
Congress on the subject.

In September 2003, a coalition of privacy groups, including EPIC, sent a
letter to Secretary Thompson to express concern about discussions being held
between the banking industry and the department about a proposal that would
permit banks to handle and transmit protected health information with what, in
our view, are inadequate privacy protections. These discussions involved the
status of banks under HIPAA and permissibility of sending PHI via the ACH
network without encrypting PHI, so that it can be accessible only to the final
intended recipients.

It is our view that banks which handle PHI contained in a premium-payment
transaction and the remittance advice should be covered healthcare
clearinghouses as defined in the Privacy Rule and that PHI should be
additionally encrypted, so that it cannot be accessed by those with access to
the ACH network, but only by the final intended recipient. These issues are
gaining in importance as the banking regulators prepare to write the new
regulations under the FACT Act.

I will briefly address our concerns as described in our letter and the
response provided by the ABA and NACHA as well as some additional issues.

First, on banks and HIPAA. We have heard quite a bit about it this morning.
Applicability of the HIPAA Privacy Rule to banks arises from the fact that HHS
has adopted a transaction standard in which banks normally not regulated by HHS
engage in activities which could make them, by definition, healthcare
clearinghouses within the scope of HHS regulation.

Although some banking activities were explicitly exempted under HIPAA in
Section 1179 of the HIPAA statutes, there is obviously disagreement about the
extent to which this exemption applies.

The HIPAA Banking Task Force, a joint initiative of ABA and NACHA, has asked
HHS to agree that all activities of a financial institution are exempt under
Section 1179. Under this interpretation, banks would not be designated
healthcare clearinghouses, even though they convert ACH transaction data from
standard to non-standard format for their clients. ABA and NACHA have further
stated that banks should not be considered clearinghouses because they perform
such conversions only because their clients do not have their own conversion
capabilities.

Privacy groups and the Medical Banking Project, as you heard this morning,
have taken the opposite position on the basis of our reading of congressional
intent behind Section 1179. As stated in the conference report on the security
and electronic signature standards, the Congress intended to apply the
exemption in Section 1179 only to consumer-oriented payment transactions, such
as credit- and debit-card transactions.

The ABA and NACHA have rejected this interpretation because they believe the
statute language is clear on its face. They have also rejected the notion that
clearinghouses exist precisely because some providers and health plans do not
have their own capability to convert data between standard and non-standard
formats.

The ABA and NACHA have stated that as long as business-associate agreements
are in place between financial institutions and their covered-entity clients,
banks will meet their obligations under HIPAA.

We do not believe that business-associate agreements provide the same level
of protection for health information as covered-entity status.

While covered healthcare clearinghouses must comply with the privacy rule as
spelled out in paragraph 164.500(b), business associates must comply with the
rule only to the extent of their business-associate agreements. As a result,
permitting banks to be a business associate would create a situation in which
potentially different tones govern the same transaction at the originating end,
where a bank might be a health plan’s business associate, and on the receiving
end, where a bank might be a provider’s business associate. Depending on the
terms of the two contracts, permitted uses and disclosures might be quite
different, and the terms of the contract would very much depend on where the
power lies in a particular negotiation.

Additionally, if banks are business associates, individuals who believe
their privacy has been violated would have no recourse, because they are not
party to business-associate contracts between covered entities and the
financial institutions.

Furthermore, banks would not be subject to oversight by the Office of Civil
Rights, and would be exempt from civil and criminal penalties under the Privacy
Rule, complicating enforcement actions based on complaints about violations of
privacy.

Now, on transmitting protected health information via the ACH network, the
HIPAA Banking Task Force has requested HHS permission to move PHI through the
ACH network without additional encryption to make PHI accessible only to the
final recipient. This, in spite of clear statements in the preamble to the 2000
Privacy Rule that requires additional encryption of PHI as it moves through the
ACH system.

If permission is granted, large amounts of PHI would potentially be
available to those with access to the ACH network and could be subject to
abuse. Our greatest concern is that ACH transactions would be subject to data
mining for marketing and credit evaluation, and we focused our concerns, our
discussion in our letter to HHS on this specific concern.

We heard today that ABA and NACHA are unequivocally opposed to such use of
health information and transactions, but there are two additional issues. The
first is the problem of network security breaches, and the second is the
problem with ACH transactions being captured and stored in the intermediary
codes of the ACH network.

ABA and NACHA have stated that ACH network is encrypted and secure. However,
there is increasing evidence that the amount of fraudulent activity on the ACH
network is rising as criminals become increasingly familiar with all networks
and with the ACH network in particular.

The problem is compounded because banks are generally reluctant to report
security breaches of their networks, so as not to undermine the faith in the
soundness of the financial system.

If banks transmit PHI through the ACH network without additional encryption,
and if they are designated as business associates, they would have an
obligation under the privacy and security rules to inform their covered-entity
clients about inappropriate uses and disclosures of PHI, including network
security breaches. This would be a significant change in the way they do
business today.

Our final concern has to do with the fact that as transactions go through
the ACH network they are captured and stored in intermediary codes. As I
understand, this is necessary in order to trace network problems and verify
transaction integrity for financial transactions.

Unfortunately, it also means that PHI that is part of those transactions
will be captured and stored in the intermediary codes as well. This PHI will
not be protected by the Privacy Rule either through the direct application to
covered entities or through contract business-associate agreements. Additional
encryption is the only solution that would protect PHI in this instance, should
a break occur someplace in an intermediary code.

As we heard, the ABA and NACHA have stated that they oppose the use of
personal protected health information for any purpose other than that for which
it was obtained, and that they oppose data mining of health information for
marketing and other purposes.

It seems to us that this position would be considerably strengthened if they
also agreed with the need to provide additional encryption to PHI flowing
through the ACH network, given the number of potential problems that could come
from within and outside the banking system.

In summary, different groups disagree about the interpretation of Section
1179 of the HIPAA statute and the preamble to the December 2000 Privacy Rule.
These disagreements take on greater importance as the banking regulators and
the National Credit Union Association prepare to issue rules for use and
disclosure of medical information under the FACT Act.

In light of this, we recommend that this committee take the following
actions: We ask the committee to recommend that the Office for Civil Rights and
officials with responsibility for HIPAA transactions and codes work with the
banking regulators to resolve questions about the applicability of HIPAA to
banks and on the permissibility of sending PHI through the ACH network without
additional encryption.

We also ask the committee to recommend that the Office of Civil Rights work
with the banking regulators and the National Credit Union Association to ensure
that the rules promulgated under the FACT Act are consistent with the HIPAA
Privacy Rule and provide an appropriate level of protection to PHI after the
PHI enters the banking system.

Thank you.

MR. ROTHSTEIN: Thank you very much.

Mr. Gilligan.

MR. GILLIGAN: God love you.

Good morning. My name is Tom Gilligan. I deeply appreciate the opportunity
to be with you this morning to testify on the subject of medical banking.

I currently represent the Association for Electronic Health Care
Transactions. I have also represented MBNA, the credit-card company based in
Delaware. In the mid-90s, I represented MBNA on healthcare privacy issues. Visa
and MasterCard worked with us closely. Together, we figured prominently in the
effort to include Section 1179 in the HIPAA statute.

For MBNA, we also lobbied healthcare privacy legislation on Capitol Hill
introduced by Senator Bennett and others. That legislation died because of
abortion-related issues.

Not long after the enactment of HIPAA, MBNA, Visa and MasterCard also
visited the department – I think Bill Braithwaite was here at that time, as was
John Fanning and Jim Scanlon – about the subject of the HIPAA privacy
regulations and how Section 1179 could enter them.

A word about AFEHCT. AFEHCT is a healthcare IT vendor-industry advocacy
group with a focus on federal public policy as it relates to the application of
EDI, Ecommerce, the internet and healthcare IT software to the solution of
problems associated with the delivery, financing and administration of
healthcare in both the public and private sectors.

We were founded in 1992, basically, to give the vendor community an
energetic voice for advocacy with respect to HIPAA. AFEHCT serves software
vendors, healthcare clearinghouses, healthcare IT companies, remediation
companies and others who share the goal of promoting the application of
healthcare IT, et cetera.

AFEHCT members have been working with providers and payers to make the
implementation of HIPAA a reality. AFEHCT members are also actively involved in
a wide variety of other healthcare-related activities.

AFEHCT’s interest in this particular issue is, first and foremost, the
privacy of the protected health information, and, second, a level competitive
playing field for the participants in processing and transmitting the
information.

Section 1179 actually opens up and says, to the extent that an entity is
engaged in the activities of a financial institution, as defined in the Privacy
Act, or is engaged in the authorizing, processing, clearing, settling, billing,
transferring, reconciling or collecting payments for a financial institution,
this part, and any standard adopted under this part, shall not apply to the
entity with respect to such activities, and then there is more language that
goes beyond that.

The conference report clearly alludes to consumer-related activities where
such a payment is made by a debit or credit card or other payment card or
electronic-funds transfer, and it references – in the second paragraph there
are when an individual utilizes a payment system.

It also states, in the last part of the paragraph, this part does not apply
– if a company clears healthcare claims, the healthcare claims activities
remain subject to the requirements of this part.

The ABA posits that because of the language that says to the extent that an
entity is engaged in the activities of a financial institution, period, that
any activities of a financial institution do not apply to HIPAA. I disagree.
When lobbying for this language before Congress, the position of MBNA, Visa and
MasterCard was that the exemption applied only to the functions listed, and
once a credit-card company or a bank stepped outside of these functions that
that activity was fully covered.

The report language goes on to, again, document that what was being
referenced here were made by check debit or other payment card or account
activities or such other means, which are traditionally consumer-conducted
transactions, and, again, when an individual – it also references when the
individual utilizes a payment system that makes it clear that the exemption
applies to consumer transactions, because if the word individual is used and
not person, which could be interpreted to be a corporate person, then the
language makes it clear that this exemption was directed at consumer
transactions.

If the ABA’s supported interpretation is allowed to stand, it would apply to
more than just the HIPAA transaction and activity, and the remittance advice,
which has been the focus of much of today’s conversations. It would exempt
financial institutions from having to apply HIPAA privacy protections to PHI
when financial institutions refinance accounts receivable, collateralize loans
or letters of credit with accounts receivables, and, in many instances, when
they go into this collateralizing of loans or refinancing accounts receivable,
they take physical possession of the PHI and then do their own analysis of it.
That was alluded to earlier. All of that would be exempt from the HIPAA – all
that activity would not be protected by HIPAA, if the interpretation that the
ABA supports is allowed to stand.

The report language also makes reference to claims activities. It says,
however, this part does apply. If a company clears healthcare claims,
healthcare claims activities remain subject to the requirement of this part.

If the definition of the term payment in HIPAA regulations is so broad – and
it is very broad. It includes claims. It includes utilization review. It
includes a whole host of things not necessarily thought to be part of the
payment process. Could the term claims activities be construed so broadly as to
include payment and remittance advice?

Let me deal with the clearinghouse issue. Although the ABA posits that a
total exemption from the administrative simplification provisions is warranted,
this is not the relief we are seeking from HHS. The relief the ABA is seeking
is not to have receiving depositary financial institutions deemed to be
clearinghouses when they receive a remittance advice and translate that
remittance advice into a format of content that can be dealt with by the client
provider.

The argument put forward that an RDFI is not a clearinghouse under HIPAA,
and, therefore, not covered by HIPAA privacy and security standards, is a
tortuous one, but at least three elements – three threads are present in the
argument. One has to do with payment in the statute among the list identified
transactions is the healthcare – is at Section 1173A, 2E, healthcare payment
and remittance advice.

An argument is made that the definition of payment in HIPAA rules includes –
check payment and the remittance advice, and, therefore, the idea if I should
be allowed to process both without becoming a HIPAA clearinghouse. They can
process both without becoming a HIPAA clearinghouse. It is when they change,
when they translate the data of the format they become subject to the
definition of a HIPAA clearinghouse.

The payment that is dealt with by the department in the preamble to the
final rules says that the payment and remittance advice are part of the payment
process, but the two transactions are separable, and we agree with that, and,
as it seems, so does the ABA, because in a letter to the Secretary, it says if
financial institutions are prohibited from sending PHI through the ACH network,
the only beneficiaries will be those institutions in business to be healthcare
clearinghouses and who are not authorized to send electronic payments along
with remittance advices. So the ABA is agreeing that they are separable.

Another element in this argument is that HHS couldn’t possibly have intended
to include financial institutions in HIPAA. The argument is in diametric
opposition to the structure of the definition of a clearinghouse and the
structure of the privacy regulations.

The definition of a clearinghouse is – just lays out a set of functions, and
if you perform those functions, you are a clearinghouse. You don’t perform
those functions, you are not a clearinghouse.

Much of the privacy regulation is set up the same way. If you receive
information from a private entity and do certain things with it, you are
covered as a covered entity, and the functions you perform – the regulations,
in many cases, do not specify by name which entity has to do with.

A third element was that just because an RDFI has no control over whether or
not they received remittance advices – Financial institutions should not become
healthcare clearinghouses just because they receive payment and a remittance
advice. A healthcare clearinghouse in an identical situation would have to
comply with the healthcare privacy and security regs or go out of business.

To answer a question you asked at the end of the last panel, perhaps the
best way to handle this would be to ask the banks to lay out the specifics of
where their problems lie and then deal with those specifics in the privacy
regulations.

I believe Mr. Stone mentioned having to amend certain pieces of information.
Banking institutions – if the department were presented with those kinds of
situations, I’m sure the department could be flexible with respect to the
banking community.

Thank you.

MR. ROTHSTEIN: Thank you very much, Mr. Gilligan.

And the floor is now open for questions from colleagues on the subcommittee.

Dr. Harding.

DR. HARDING: Thank you all for very good testimony this morning.

One of the reasons that we are having hearings – one of them – is to look at
unintended consequences of HIPAA and of the privacy regulation. Do any of you –
I mean, I’m kind of hearing that it hasn’t had much consequence on the banks
and so forth because they have chosen to say that that is not really a part of
our problem in some way. It’s not quite put together that HIPAA really applies
to all these transactions. There is a debate about that.

I’m wondering if you all have had any unintended consequences in your
experience of HIPAA in the areas that you all represent?

And then I would ask Dr. Slomovic if you really feel that encryption is the
answer? You mentioned encryption and improving that. Is that the answer that we
are looking for to safeguard PHI and so forth in the future?

MR. DEAN: I can answer unintended consequences of a minor degree, but I
think it cumulatively could be fairly significant.

I mentioned that healthcare is local. That means that a lot of providers
provide services in very small communities and they deal with the community
banks. So were they all just to deal with someone as learned as PNC or someone
like that, that would be one issue, but they are not, and those community banks
and the indecisiveness related to what do they have to sign, what kinds of
business-associate agreements do they have to sign, et cetera, when they are
faced with trying to figure out how to help those providers with the EDI
information that might come in in an ACH, and I could give several examples – I
won’t – of situations where those community banks are smaller. Medium-size
banks have been asked by both providers and payers in a particular community
can you help facilitate these transactions, and part of the reason that they
are not doing it is not because they are not technically capable of doing it.
It has more to do with they really don’t understand the nature of what they
have to do in either a BA agreement or if they are a covered entity what does
that really mean to them, how will they be regulated, all that.

You know, banks are very highly regulated, and one of the things that occurs
to me is that somehow a reconciliation where the banks’ already existing
regulatory agencies adopt standards so that there is no discrepancy between
what is expected under HIPAA and what the bank needs to do in order to
facilitate the payment and the handling of the remittance data. It seems to me
that somehow if that could occur that might be the answer, not a separate
organization with a somewhat separate set of rules. The privacy issues are
real, but the banks, right now, I think, cumulatively, across the country,
there is less administrative simplification, because this issue exists than
there could be, let’s put it that way.

DR. SLOMOVIC: Let me start with the unintended consequences question, and I
am actually not sure whether this is intended or not intended, but prior to
coming to EPIC, I was a privacy officer for a large healthcare company, and I
can tell you that the vast majority of people outside the industry have
absolutely no idea what happens to their health information. When they see a
privacy notice that says, we will use your PHI for payment, they don’t have any
idea that that could mean that the PHI could go to medical transcription
companies, to billing companies, to mailing houses, to all kinds of places
under business-associate agreements, and that is even before we get to banks
and what the banks do with PHI.

So whether intended or not, the Privacy Rule seems to have institutionalized
our current system and done it in a way that it doesn’t add a whole lot of
transparency from the consumer’s point of view, despite the notice provisions
that I think were intended to clarify what actually happens to PHI.

As to whether encryption is really the answer here, it would certainly help,
because if PHI is not additionally encrypted, we have a system which can be
compromised both from the inside, which is what happens most often, and from
the outside, and both financial information and PHI would be at risk.

In the preamble to the December 2000 Privacy Rule, OCR already stated that
they want PHI to be additionally encrypted, whether or not it goes through the
ACH network. Why not simply affirm that guidance and put in an additional layer
of protection? It’s simply setting up a system with better social hygiene.

MR. GILLIGAN: On the issue of encryption, what is the risk? And there are a
lot of instances where healthcare clearinghouses and healthcare providers
transmit data over dial-up lines, and the department currently does not require
that data which is going from point to point to be encrypted, and we would
encourage you to keep that policy in place, because there are no examples where
that data has been intercepted, and the likelihood of it being intercepted is
really rather remote when you consider that in order to intercept the data, you
would have to know where the person – what provider an individual went and saw,
hospital, a doctor, what time that doctor or hospital is going to transmit that
data over a telephone line, and then you have to have all the equipment that
the receiver of that information has in order to intercept that data and then
make the data in a form that is useable for you. It is easier to take $5,000
and bribe a clerk to get you the data. So I don’t think encryption would help
in that kind of a situation.

MR. ROTHSTEIN: Other questions?

Please identify yourself for the record, please.

MR. STONE: Mr. Chairman, my name is Steve Stone from PNC Bank, an accredited
ACH professional, former Treasurer of the National Automated Clearinghouse
Association.

The question regarding encryption in the ACH network is a bit of a misnomer.
In the original proposed document, the preamble to the Privacy Rule, there was
a comparison of the ACH network to an open network like the internet. In
subsequent meetings with HHS, we reviewed with them the controls that are
around the ACH network, how transactions are routed, the control points, the
validation steps, and HHS acknowledged that the ACH system in no way resembled
an open network like the internet, and, consequently, dropped that requirement
from the final rule. That is why it is not in the final rule anymore. So it’s a
little bit misleading to talk about encryption in the ACH system as a solution.

I will acknowledge, and Dr. Slomovic is correct, that ACH data, when it is
stored in certain depositories, including the Federal Reserve, and/or
electronic-payments network, it is stored in a non-encrypted fashion, but we
showed you a sample of what a non-encrypted CTX would look like. It is not
anything that would be easily read or interpreted or understood. It is not
casually translatable. One would have to do a tremendous amount of searching.
It’s a needle-in-a-haystack kind of a phenomenon. There are over 500 million
ACH addenda records, I think, that are processed annually, billions of ACH
transactions processed annually. So to find among those billions of items and
hundreds of millions of addenda records the record or records that pertained to
healthcare activity would be exceedingly difficult. It would take a
massively large computing effort to locate those.

So there is no encryption while it is stored, but we are not sure that
encryption is warranted. The system is highly secure. There has never been a
reported incident of a breach of network security in the ACH system.

MR. HOUSTON: Let me ask –

MR. GILLIGAN: Could I add to his –

MR. HOUSTON: Well, I wanted to follow up a relevant question here.

Is there, as part of being a member of the ACH, is there an agreement that
obligates a member to keeping information confidential, whether it be in
transit or at rest within their environment?

MR. STONE: Yes, the ACH rules obligate financial institutions to protect the
confidentiality of the information. So that is already incumbent in the ACH
rules. The ACH rules are incorporated into Federal Regulations, as part of 31
CFR 210. They are recognized by the Federal Reserve as the rules that govern
the payment network. So they are – the NACHA-operating rules are widely
recognized as the rules that govern this transaction.

MR. ROTHSTEIN: Mr. Gilligan, you had a point.

MR. GILLIGAN: In earlier conversations about this, I was told that it takes
as long to decrypt an incoming transaction as it does to process it, and then
as long again to re-encrypt it, and I know you are only talking about seconds,
but these things go through at the speed of 1.5 seconds or 1.2 seconds. If you
add encryption to the mix, you are not just adding two more seconds on there,
because if you run into queuing theory, this thing – a bottleneck starts to
be – then you are into multiples of resources needed along five, six or seven
times the resources you have now. So –

MR. HOUSTON: Was there ever any study done to determine what the cost would
be from a – even from a computational perspective to just –

MR. GILLIGAN: Not by us.

MR. STONE: Data that is in movement between a financial institution and its
ACH operator is already encrypted. So all data that is in movement is
encrypted. It is only non-encrypted when it is in a stored position.

Frankly, you can’t process the data unless the data has been unencrypted
because you need to be able to see it to process it. So the step that is not
taken is the re-encryption of stored data and nobody has ever studied that.
That is correct.

MR. ROTHSTEIN: Well, I want to thank this panel, and please be available if
we have additional questions for you. I know it is going to take some effort
for the subcommittee to sort these things out, and we can – I hope – rely on
your additional expertise.

The hearing is adjourned for recess, and we will resume promptly at 1:30
with the combined law-enforcement panel consisting of Mr. Gellman, Williamson
and Calabrese.

Thank you.

(Whereupon, a luncheon recess was taken at 12:30 p.m., to reconvene at 1:30
p.m.)


A F T E R N O O N S E S S I O N

MR. ROTHSTEIN: Good afternoon, everyone. We are back with the third of our
panels.

Agenda Item: Law Enforcement Panel

MR. ROTHSTEIN: The third of this afternoon’s panel is on law enforcement,
and for those of you checking your agendas, Mr. James Polley was unable to
testify today. So we have combined Panels 1 and 2, and so we will have Mr.
Calabrese as part of the first panel.

So without any further ado, I want to welcome our former member of the
subcommittee and friend Bob Gellman, who will be our first witness on the issue
of HIPAA and law enforcement. Bob.

MR. GELLMAN: Thank you, Mark.

I have been asked to sort of provide an overview of the law-enforcement
provisions, and I will do that and add a few teeny-tiny comments of my own
about what I think of the rule in this regard.

However, to begin, I just want to – I was at one of the hearings of – I
think this committee – this subcommittee anyway – on some of the implementation
of HIPAA, and I just want to offer a couple of comments which actually go to
some of the law-enforcement things, although not directly, and that is it seems
to me all of the complaints about HIPAA fall into one of four categories.

The first are transitional problems. These have to do with people not
understanding the rule, not being up to speed, getting bad legal advice, all
the usual things. This happens with every privacy law everywhere around the
world. Indeed, it happens with every law of any sort everywhere around the
world, and it takes a long time before people get used to it. These are things
that are effectively not problems, but it will take a while before everybody
gets used to it.

Secondly, there are problems that are the result of poor drafting and poor
guidance or inadequate guidance, and these are things that are probably a
little bit easier to fix, especially on the guidance side.

Then you have a set of problems that are – really reflect policy
disagreements. People say that the rule has bad policies. It doesn’t require
consent or it doesn’t preempt state laws or whatever you happen to think. These
are the hardest things to try and deal with, because there are often
significant fundamental disagreements and lots of hard choices are involved.

Finally, the fourth category is the one that I really want to emphasize, and
that is changes that have been made as a result of HIPAA. The world has changed
because HIPAA came along. Until HIPAA, for the most part, the medical
establishment paid only lip service to privacy and did nothing – or very little
– to protect the privacy of patient information, and just to illustrate my
point, I don’t think you found very many hospitals that had privacy policies
before HIPAA came along or that trained their staff or that did any of the
things that HIPAA has required.

And one of the things that has changed as a result is that many covered
entities have looked at their policies, they have looked at HIPAA, they have
said, the requirements of HIPAA are not very strong and that we can do better
in protecting privacy, and institutions, covered entities, IRBs, others have
established policies that are stronger than HIPAA. If you repealed HIPAA
tomorrow, I doubt many of these policies would change, because once you focused
on privacy issues and you raise questions about the respective rights of the
various parties and the liability of the various parties, all of a sudden you
don’t go back to the policies of the past, which were basically giving records
out to almost anybody.

So I think that all of the complaints that you guys are likely to hear
through these hearings will fall in one of these categories, and I think
probably it is perhaps the task of this subcommittee to figure that out and
decide which things are higher priority and which aren’t.

I want to turn now to the law-enforcement provisions. HIPAA provides for
disclosures for law-enforcement purposes in a variety of ways, and Section
164.512 F of the rule has a variety of specific law-enforcement disclosures,
disclosures to law-enforcement officials, and I want to start with the
definition of law-enforcement official, and there it is up on the screen. I am
not going to read it, but you’ll notice that it is extremely broad. Virtually
every federal, state and local government agency qualifies as a law-enforcement
official if they have the authority to investigate or conduct an inquiry into
any potential violation of law. There is no differentiation in the definition
between a Medicare fraud investigator and a school crossing guard. They are
both law-enforcement officials at the same level under this. There is nothing
in this definition that creates any nexus to health. So anybody who is
conducting any law-enforcement activity of any sort qualifies.

There are six subdivisions of 164.512 F that allow law-enforcement
disclosures without patient consent. I am going to go through them.

The first is the worst. The first one has a couple of sub-elements. It
allows disclosures for gunshot-wound-reporting laws. I don’t think those are
controversial, at least not if the laws aren’t. It allows disclosures for
judicial subpoenas and warrants. Those tend to be not controversial. Even those
who want all disclosures to be done with subpoenas want them to be done with
judicial subpoenas, and if there is independent involvement and review of what
is going on, that is generally viewed as less controversial.

Another area are grand-jury subpoenas, which I think are more controversial,
because grand-jury subpoenas are abused by prosecutors, and it would be nice if
there were more controls, but I have to say that I don’t expect the rules to
tackle the grand-jury subpoena problem which is much broader than this.

My real focus of attention is on the administrative-request part of the
rule. An administrative request includes an administrative subpoena, a civil
investigation, investigative demand or virtually anything else. I am about to
give you an example of an administrative request.

I am a cop. I qualify under HIPAA for getting records. Turn over records to
me. That is an administrative request. Nothing more than that is required. The
rule does not require a subpoena. It does not require that the request be made
in writing. It does not require that the request be approved by a supervisor of
the law-enforcement official making the request. It has no requirement or
provision in here for there being an emergency or for there being a lack of
other procedures to follow.

The rule, I don’t believe, has any meaningful standards, and there are no
procedures at all. All a law-enforcement official seems to have to do is to
say, I qualify under the rule. You do not have to provide a showing to the
covered entity that the information is relevant and material, specific and
limited in scope and that you can’t use the identified data. All you have to
say is, I qualify, and I think that that is – I would like to say that is the
worst single feature in the rule, but it is probably only in the top three.
(Laughter).

Number two, the second category has to do with identification and location
for locating a suspect, fugitive, material witness or missing person, and the
disclosures are limited, as you can see. I think the limits are good. I think
the predicate here of suspects, fugitive and missing persons are a little
easier than material witness. We have seen some abuse of the material-witness
authority in connection with some of the terrorism investigations, and I am not
sure exactly what a material witness is under this.

I think what is missing here is any sense of urgency or emergency in the
rule. If I am looking for Judge Crater – a person who disappeared, I think, 100
years ago – it is exactly the same. I can make the same request as if I am
looking for a child who was kidnaped an hour ago. There is no distinction in
this rule – in this provision with respect to that. There is no administrative
process required. There is no writing, and I think that more could be done in
this rule to strike a balance, although I readily admit that I think that in
emergency conditions there needs to be greater flexibility in providing limited
access to medical information for suspects or fugitives or perhaps even missing
persons, but there’s got to be an element of urgency to it.

The third category has to do with information about the victim of a crime,
and there are two parts to this. One is with consent, and consent cures all,
and the second is without consent, and I think this is a very interesting
provision.

In order to make disclosures without consent, law enforcement has to
represent that the information is not intended to be used against the victim.
This is a very important limitation, and I am going to come back and talk about
this again at the end and emphasize the importance of it.

Law enforcement has to represent that the delay would materially and
adversely affect the activity that they are engaged in, and it says expressly
that disclosure has to be determined by professional judgment – meaning by a
physician or other medical professional – that the disclosure is in the best
interests of the patient.

Now, what is important here is that this provision illustrates three crucial
things. One, limits can be placed on whether information can be used against
the victim. This is a limitation that is absent in the rest of the rule.

Second, it illustrates that disclosures can be regulated, based on the
presence of emergency situations, and I think there needs to be more of that in
the law-enforcement provisions.

And, finally, it illustrates that the rule can say that medical judgment can
override law-enforcement requests, and, indeed, the entire rule, the entire
law-enforcement section is discretionary. None of these disclosures is
mandatory, and so medical judgment is relevant in all of these. This is the
only one that emphasizes that. I think that is something that needs to be said
in other contexts as well.

The fourth provision allows disclosure in the case of suspicious death. I
think this is just a fine provision with a small caveat that the policy in the
rule is that dead people have privacy rights that last until the sun runs out
of hydrogen, and I think that is a policy that doesn’t make much sense, but,
notwithstanding that, I don’t have anything much to say about this provision.

The fifth provision allows disclosures in the cases of crime on the premises
of a covered entity, and I think this is a perfectly fine provision that is
basically okay.

The sixth provision is sort of the same thing, but it is when there is a
medical emergency that did not occur on the premises of the facility, and this
thing really has to do with 911 calls when information – you get a 911 call and
you have to disclose information or you have a reason to disclose information,
and I notice that this is something that is contingent on an emergency
circumstance, which I think is a valuable thing. So I don’t think that this is
as controversial as others.

Having gone through all six of the law-enforcement provisions, I want to
emphasize that those are not the only provisions of the rule that allow
disclosure to law-enforcement agencies. Here is a list of some of the other
non-consensual disclosure provisions that allow law enforcement of various
sorts to get access to the records.

So we have to be careful not to look at any one law-enforcement provision
and evaluate it solely on its own. When you evaluate it in context, you may
discover that the overly-broad access that HIPAA allows for law enforcement
might already be covered somewhere else and that a narrowing of the
law-enforcement provision would not necessarily unduly undermine an important
law-enforcement activity, and, in many cases, there is a particular kind of law
enforcement request for information that will fall under several of these, and
let me give an example.

If you are doing a fraud investigation, you may be able to get
non-consensual access to records under the payment provision, under the
healthcare-operations provision, under the health-oversight provision, under
the law-enforcement administrative-request provision or under the
required-by-law provision. So if you are a law-enforcement official of the
right type and you want to get records for fraud investigations, you simply
sort through the rule and find the one that is easiest. One of them has a
procedure or a standard that you don’t want to deal with, well, just use
another one. I think that this gives law enforcement too many bites at the
apple and that for people who are engaged in the same kind of activity, they
should have one route and one standard for getting access.

That sort of summarizes the basic provisions, but there is one more thing
that is not in HIPAA that turns out to be particularly relevant here, and it is
Executive Order 13181.

Bill Clinton, on his way out of office, signed this Executive Order, and
what the Executive Order does is it recognizes that there are many times when
records are obtained for health-oversight purposes, fraud investigations, where
the subject of the investigation is a doctor or a hospital or a health plan,
and the patient is not involved in whatever health-care fraud is alleged or
occurred and is a wholly-innocent bystander. Yet, every law-enforcement
official I have ever met when posed this question – namely, if you get records
in this fashion and you discover that the patient is, independently of what
you’re doing, engaged in some kind of criminal activity, say abusing
prescription drugs or taking illegal drugs, do you also want to prosecute the
patient? And the answer from everyone is yes.

So what the Clinton order does is it says – it recognizes that
health-oversight investigators may uncover information about wrongdoing that is
unrelated to what they are doing and it establishes a procedure that requires a
review and an approval before the information can be used against the patient,
and the procedure is that you’ve got to get approval from the deputy attorney
general in order to do it, and there is a standard here that the public
interest and need for disclosure clearly outweigh – a pretty strong standard –
the potential for injury to the patient, to the physician-patient relationship
and to the treatment services. This provision – this Executive Order really
helps, to a significant degree, to make the law-enforcement provisions in the
rule fairer and better and more protective of privacy.

So we’ve got a standard in the Executive Order that isn’t terrible. The most
important thing in the Executive Order is that there is a formal procedure.
When you say to people, you’ve got to go to the deputy attorney general and get
approval, that means you’ve got to wade your way through a number of levels of
bureaucracy, and that, by itself, dissuades people from making requests that
are trivial, and there is also in the Executive Order a requirement for an
annual report, and I would recommend that this committee get that report when
it comes out – presumably in a couple of months – I don’t know how long the
report will be delayed after the one-year anniversary – and see what it tells
us about what is going on in this area. I have no idea what the facts are.

However, there are some bad things about this Executive Order that really
limit its effectiveness.

First of all, it only applies to federal agencies, federal activities. So if
you are a prosecutor and you discover that a patient is engaged in some kind of
illegal activity and you try and get approval from the deputy attorney general
and you fail, you simply pick up the phone and you call a state official and
give them the information, they are not bound by this, and they can go
prosecute the person. So you end up with the same result you were trying to
avoid.

Secondly, the Executive Order expressly provides that the provisions of the
Executive Order are not enforceable by the individual. So this means that if
the deputy attorney general’s auto pen makes all of the decisions and simply
every request that goes to the deputy attorney general is approved by his auto
pen, there is no appeal, there is no right to question that. This is not
enforceable.

And the third point is that the procedure is really not as good as it is in
18 USC 3486. Now, 18 USC 3486 is a provision that was added to the code in
HIPAA. It is a HIPAA provision. It is not related to the privacy stuff, and
this provision says the Attorney General of the United States can get access to
every healthcare record in the country for health investigations, period. You
go to your doctor and pay cash, the Attorney General can get your record. You
go to a free clinic, the Attorney General can get the record. There is no limit
to the Attorney General’s ability. This is why these protections against using
records against individuals are so important.

In the statute, in the statutory provision, if the Attorney General wants to
use information against the individual, the Attorney General has to get
conditional approval, and that is a very important difference. It means that
the law-enforcement community is not making the decision wholly on its own.
When you are making a balance between privacy and law enforcement, you would
like to have a neutral decision maker here, and that is what the courts are
for. Under the Executive Order, the decision is made entirely by the Attorney
General, a deputy attorney general, who, of course, is a principal
law-enforcement official. So whether you will get an even break out of this
remains to be seen.

On the other hand, the standard in 18 USC 3486 is not quite as strong as the
standard in the Executive Order. So there are some – there is at least one
difference there where the Executive order comes out a little better.

And I think this is a very important issue, and I think particularly for
NCVHS, considering and working on all of the electronic healthcare and national
health-information infrastructure stuff, you look down the road, and we are
going to have a healthcare system that is going to turn out to be a
law-enforcement surveillance system, because disclosures to law enforcement for
fugitives or suspects or witnesses are always authorized under this, and when
we have everything computerized, those law-enforcement people – especially
people like the Medicare IG – are going to be directly plugged into the same
computers that everybody else is. They will be able to run programs and look
for evidence of illegal activity by patients, and any time a patient goes to
see a doctor, there may be a flag that goes up, says, this is someone who is
wanted for not returning a library book in St. Louis, Missouri, and they can
come down, notify the police in real time and, without better protections here,
we run the risk of having an electronic medical-record system, and an NHII
becoming a surveillance system for law-enforcement purposes, and if we don’t
have better standards than we have in HIPAA, that is probably what is going to
happen.

Thank you.

MR. ROTHSTEIN: Thank you, Bob. Gives us a lot of things to think about and
to discuss with you during the question phase of the hearing.

We’ll proceed now with Mr. Williamson.

MR. WILLIAMSON: My name is Bob Williamson and I am from the Drug Enforcement
Administration.

I think I had made some notes and I will go into the things that I have
prepared for today’s meeting, but I think maybe I’ll spend a little bit of
time, first of all, to tell everybody in the audience what the DEA does and how
we get involved in healthcare oversight.

Talking to some of the planners and people that kind of got us involved in
this, I learned that probably most of this audience doesn’t know what we do in
Diversion, really doesn’t know the difference between a DEA Special Agent and a
DEA Diversion Investigator. We have at least Dr. Harding. Dr. Cohn is not here.
I would imagine Dr. Harding would know what a Diversion Investigator does,
because we get involved with physician oversight. So I want to talk a little bit
about what we do and how we do business, and then I will make the few comments
that I have in terms of how HIPAA has influenced and impacted our program and
what we do in the DEA.

Everybody knows about the DEA. Of course, you know DEA is a fairly visible
organization, mostly populated with DEA special agents, and DEA special agents
are law-enforcement officers, and they work primarily investigations of illegal
trafficking on a global basis, and the paradigm, the image of the DEA agent
that you will see in movies or whatever else is, of course, not exactly right,
but they are federal police, and I’m not a DEA agent. DEA agents do not usually
get involved in doing investigations of physicians or pharmacists, and DEA, by
and large, does not, even, in my program, does not get involved in
investigations of individuals, unless the individuals are involved in something
that is fairly well organized and are involved in an organization to traffic
drugs – prescription drugs illegally.

Within the DEA, there is a small component of investigators that are
specifically trained to enforce federal laws and regulations that pertain to
the legal use of controlled substances.

Now, we are going to have to talk a little bit about terms. Viagra is not a
controlled substance, okay? Propecia is not a controlled substance. There are a
lot of problems with exchanging these drugs and buying them over the internet
and all types of problems with legitimate oversight, but they are really not
DEA problems. We have no jurisdiction, and I have no real expertise in the
movement of these drugs.

We all do know the controlled substances. These are the drugs of abuse.
These are the hard narcotics and the soft narcotics. These are drugs like
Xanax. These are depressants or sedatives and they are stimulants.

These drugs are regulated by the Federal Government, and we, the Diversion
Investigators, are the guys that do the regulation. There are about 500
Diversion Investigators in the United States – really, around the world. We do
a number of things in the program.

Like to talk a little bit about the types of records that we would normally
want to take a look at, and I would like to mention and underscore that many of
these records are required under the statute to be maintained and accessible to
DEA Diversion Investigators. Now, we will talk, I suppose, if you would like,
or maybe I will a little bit, about entry and how to get the records and how we
do business, because how we do business is how we do business. There could be
other ways, but we have a culture and a way of doing business in the DEA that I
think is relevant.

There is a concept in the laws – the Controlled Substances Act, the Harrison
Narcotic Act, before it, going back almost 100 years – and this concept is
that individuals – businesses, corporations, researchers, anybody that would
like to or intends to use a controlled substance in a legitimate fashion – has
to come to the Federal Government and get a registration, and we do register
doctors. Dr. Harding may have one. If not, he probably would like to have one,
because it’s a big deal to have a DEA number. Register about a million docs a
year. We register companies. We register pharmacies, not pharmacists, and we
register importers, exporters, manufacturers.

Once you are registered with the DEA, if you are a doctor, you can prescribe
drugs and you do not need to keep a record for us of the prescription, but the
pharmacist has to keep a record for us for the prescription. It’s in the law.
Okay?

If you are a doctor and you buy drugs and decide to dispense drugs or be a
businessman and have inventories of drugs and get involved in distributing them
here and maybe sending them overseas, all of these increases and decreases to
inventory, you have to have a record of those things. You have to take an
inventory of the drugs every two years. You have to use special forms for like
your Percodan that you might want to ship overseas. Dr. Harding wants to order
some Percodan for his office, he is going to have to use a special form issued
by the DEA. Again, these are concepts that go way back. I used to have
yellow-carbon order forms. Now, in DEA, we have green-carbon order forms, and
we are going to get rid of the order forms and do it all electronically, but
these are concepts that are out there.

So I say all of this to tell you that in the DEA, in the Diversion Program,
we have always sought to look at these records that are required to be kept
anyway.

I wanted to mention also – and I will get into a little bit with this – the
impact of HIPAA on the way we do business. Diversion Investigators in the DEA,
we have been around for 30 years, and we do have certain health-oversight
qualities to our program, and what I mean by that is that we do some auditing
and some simple accounting of registrants to make sure that the drugs that they
have ordered and dispensed or distributed that they can account for them. This
is not a law-enforcement activity, not usually done at the practitioner level,
not usually done at the pharmacy level, but there could be many reasons that a
Diversion Investigator would want to go into a pharmacy and take a look at all
the Schedule 2 prescriptions. Maybe we want to see how many prescriptions for a
certain drug are in a locality or maybe we would want to see who the
prescribers were or maybe we would want to see whether the pharmacy was
accounting for their drugs.

These things do not present themselves through a Diversion Investigator in
the field as a law-enforcement activity. However, there are those times and
those days and those situations where that evidence that is kind of looked at
for a regulatory function gets hot. You know, you find out that the records
show a particular doctor or a patient or whatever is getting drugs in a way
that you think is suspicious, and DEA Diversion Investigations do, fairly
routinely, jump around within the following categories: We have investigations
that are regulatory in nature, where we might think that initially we were
going to just see if the registrant was handling the drugs in a way that made
sense, and if they weren’t really doing it exactly right, we would send them a
letter, you know, and you always get nasty letters from the DEA. We would call
that a Letter of Admonition, and it would scare him, but it’s really just a
kind of a wake-up call that, you know, take it into consideration, do a better
job.

Then there could be situations where the evidence that gets developed is –
it shows evidence of impropriety with the doctor, primarily, to a lot lesser
extent with the pharmacy, and then we might decide that there is a kind of a
public-health problem with the way that the registrant is doing business and we
might then go after that DEA number. Now, that is a very big thing, but it is
not a criminal thing. Call it administrative inspection or administrative
investigation, and you have a right to a hearing before an administrative law
judge, if we go at you like that, and standards of law are a little different,
you know, whatever, but it is one of the things that we do.

And then there is the situation where the target of the investigation
becomes really a target of a criminal investigation. In this particular
instance, the authorities, the DEA, usually we work with other agencies. We’re
too small to work with ourselves most of the time. We will have concluded that
there is diversion, that there is trafficking. If it is a physician, the
physician is just a pill pusher. He is no longer practicing medicine, or she is
no longer practicing medicine, and then we will go to indict them in federal
court, and this is a very big thing, just for the record, because this comes up
a lot.

Out of the million doctors that we have registered with the DEA, one
fraction of one percent of them will ever be indicted in the federal system for
drug violations. That is one quarter, maybe one half of one percent. So that is
a very small percentage. Most of them will actually – and very few of them are
actually investigated, really, by us, but most of them will end up having a
licensing restriction.

That’s a brief overview, and I feel like, you know, I could go all day
talking before this audience a little bit more about what we do and how we get
involved in this law. So I don’t have a lot of time, and I don’t want to
overstep my time, and, hopefully, maybe I can refine some things with the
Q&A.

I want to move from there a little bit or not – I want to move from there
into how HIPAA has impacted our program.

From the outset, I think the DEA Diversion Investigators that became exposed
to HIPAA and these provisions to get into these records, we were kind of
confused. We found it to be a confusing law.

The two areas that I think, early on – I have actually had some access to
comments that were made by people that work in my shop before I got up there –
but the DEA wanted the Diversion Program to be listed as a health-oversight
program and to be kind of named, to kind of be placed there, rather than
characterized as a law-enforcement program, but we were unsuccessful.

I will tell the end of my story not at the end, because it really fits in
here, but right now, while I am here testifying or talking or discussing about
these things with you all, we have a lady from HHS that is addressing all of
our senior program managers on HIPAA rules because we needed to get them on the
agenda. Part 3 asks about outreach, is there need for more outreach. Well,
there certainly is over at the DEA. I’m over here and she’s over there. So I
would like to be over there, so I could learn more about HIPAA, but I’m over
here telling you all the things we don’t know about HIPAA.

One of the things that happened, though, is, in typical DEA fashion, I sent
an email up to a couple of the bosses to just let them know what I was going to
kind of talk about, and she ended up getting the email and called me last week,
and so I learned a little bit from her, but one of the things that I think is
becoming more clear to me now is that the Diversion Program probably needs to
operate within both the health-oversight category and the law-enforcement
category, technically. We are there to do some health-oversight operation. We
can probably go in like that. If it becomes criminal, then we have to start
acting like we are law-enforcement officers, which is okay.

But let me tell you what has happened. It really doesn’t matter, because in
the industry, DEA Diversion Investigators, whether they are doing anything
related to regulatory activities or not, are really being treated as if they
are law-enforcement officers. It is not the end of the world. The way we have
done this is we have used what they call administrative subpoenas to satisfy
their request and to get access to the records that we need to have access to.

Administrative subpoenas are government subpoenas. They are – I don’t know,
we did have an attorney do kind of a legal background on them. DEA is one of
the first and fewest modern agencies to have administrative power. They are
usually used for things like telephone records, third-party types of things,
and we have been reluctant to abuse the right to use administrative subpoenas,
and they are still used for basically third-party types of things where we
would like to maybe take a look at prescriptions in a pharmacy that we would
have a right to get anyway, and so we would use an administrative subpoena.
They can be challenged. There are some approval requirements that the Diversion
Investigators need to go through in the field to get the subpoenas, but it is
not catastrophic. We are not losing investigations because of the subpoenas. So
that would be the main point, I guess, that I would make about the impact.

There are some concerns, too, like I mentioned about prescription surveys,
where we would routinely go into a pharmacy to take a look at what drugs were
prescribed – maybe it’s the new diversion trend – and we would need to do more
work to get the administrative subpoenas to do that.

So that is basically, I think, the way it has impacted our program is that
there has been a reluctance to provide DEA Diversion Investigators with records
that we have a right to under the law without some sort of paperwork, and we
can provide the paperwork. We are kind of covering everybody’s you-know-what.
That’s what they want.

And, you know what? If I were them, I would be the same way. I would be
worried about it. So we are doing that.

Let me talk about the unintended consequences or perhaps they are not. One
of the things that we have – and maybe this is legally okay – but we have a
program called the Prescription Monitoring Program, which we encourage state
governments to adopt. We actually are in the process of administering a federal
grant program jointly with BJA, Bureau of Justice Assistance, to give the
states money to implement these programs. There’s about 20 of them in existence
right now. Over half of the doctors in the United States and over half of us as
patients are treated in states that have prescription-monitoring programs. Been
around a long time. I think some of the first ones go back almost 1940.

These are programs, now, that are handled electronically and, really, the
way it works is that when a prescription is filled for a controlled substance,
pharmacies have all this information electronically in their pharmacies one way
or another, and under a prescription-monitoring program, they would have access
to a software package that would transmit a certain variety of data elements to
an agency in the state. The state agency would then evaluate the information in
terms of patients that were doctor shopping – going to more than one physician
– and sometimes they would evaluate the information to talk to a physician
about his prescribing practices.

They vary from state to state. They are not federal programs, but they have
been supported by the DEA, and they are becoming more and more supported by the
DEA and the DOJ and others that are concerned about prescription drug abuse,
because there are lots of correlations about the way drugs are prescribed in
states that have prescription-monitoring programs. Abuse of certain substances
seems to be less in those states, as opposed to states that do not have these
programs, and the concern has come up from time to time as to whether or not
these programs – whether the people that are participating in these programs
are violating some HIPAA rule by telling a state agency about them.

I did hear about this exemption, I believe, that, you know, you can tell an
agency something if it is required by law. So that probably is the ticket that
would allow the state governments to escape that, but, in this world – this
HIPAA world – everybody is nervous and nobody really feels like they know it
all exactly. So that could be a concern, if, indeed, there is a prohibition
that would affect these programs, and, meanwhile, the DEA and the Department of
Justice and everybody is out there, you know, saying, yea, let’s go ahead and
do more of these things. We don’t want to encourage people to break another
federal law.

Here’s one that I got caught with. I was in San Diego. This is an aside, but
it is relevant and probably – I imagine everybody is sensitive to it, but pain
management is a very big medical thing right now in terms of the use of
narcotics to more aggressively handle pain, which is under-treated, mistreated.
It’s a real thing. DEA understands all of the medical dynamics that are in
place.

So there is a growing number of physicians that treat pain more
aggressively, and they have a really tough situation, because even the most
legitimate, the brightest of the brightest, the most proper of the most proper,
if they prescribe hard narcotics aggressively they may see somebody from the
DEA. They may see somebody from the Medical Board, and let me assure you, they
do not want to see anybody from the DEA. Dr. Harding is probably comfortable
seeing me today like this, but he would not like to see me in his office, and
so they are constantly preparing – the legitimate chronic-pain specialists –
and we talk about the legitimate ones and the ones that aren’t legitimate in
the DEA. We know what we do for a living and we know the ones that we go out in
a big way and they are not legitimate, but the legitimate ones they may see us,
and we need to clear a path for them, and we need to be able to say, it’s okay.
We need to be able to do the right thing. They are constantly, constantly
trying to make sure that they don’t get in trouble with us – with us or the
Medical Board or whatever else. One of the ways that they might do that is that
when a patient they are treating aggressively with narcotics becomes
suspicious, they will not be part of drug abuse. They will make provisions for
the patient to get drugs in another area or whatever, but they will turn them
away.

And I had a doc ask me at a conference, he said, can I call the DEA to
report a suspicious patient? And me, you know, I said, well, of course. You
know, there’s a long body of feeling that DEA, we never encourage any
registrant to become part of drug abuse. Now, you can have problems with the
authorities if you turn that blind eye to something that everybody and their
brother would know it was not a correct situation.

But I don’t know now. I read through some of these complicated laws, and I
said to myself, if it’s a suspicion, if that is all, he is suspicious about a
patient, if I were him, I don’t know that I would call the DEA. Of course,
then, he might have the DEA coming in and saying, why didn’t you tell us about
this guy? You know, he’s got a ring. He’s distributing drugs in three states.
So how do we handle situations like that? You know, I really don’t know. I
don’t think that this law was intended to harm well-meaning health-care
professionals that want to do the right thing.

We have a similar thing with pharmacists. Pharmacists provide tremendous
amounts of leads to the DEA. They know a lot. They see the prescriptions come
in. They have groups sometimes that will communicate among themselves. So that
is another unintended consequence.

The outreach thing, I’ve already said. There’s a lot of need for more
outreach. We have had a lot of questions that have been unresolved, and we are
really trying to have them resolved, really work with the HIPAA people.

Thanks.

MR. ROTHSTEIN: Thank you very much. I’m sure we’ll have a number of questions
for you.

Mr. Calabrese.

MR. CALABRESE: Thank you.

Chairman Rothstein, members of the committee, thank you for giving the ACLU
the chance to come and talk about the law-enforcement exemptions.

My name is Chris Calabrese. I am the Program Counsel for the Technology and
Liberty Program. The ACLU, as you know, is a nationwide, non-partisan
organization of almost 400,000 members dedicated to protecting the principles
of liberty, freedom and equality set forth in the Bill of Rights.

For more than 80 years, we have fought to strengthen and preserve privacy
for all American citizens, most recently for Rush Limbaugh in the State of
Florida, and his – well, his dispute with the state over gaining access to his
medical records.

My testimony today is divided into two parts. First, I am going to talk
about all the things we think are really bad about the HIPAA regulations and
law enforcement, and then I am going to give you a real-world example of how
far you can go and still be a law-enforcement agent and still be within the
HIPAA regulations. I am also going to talk a little bit about changes we think
should be made.

The law-enforcement exemptions promulgated by HHS under HIPAA appear to
establish limits on law-enforcement access. Those limits, frankly, are
illusory.

We believe that government agents should have to obtain judicial approval
and have a meaningful probable-cause standard before they are granted access to
a patient’s medical records.

If the police want your medical records and they are sitting in your desk
drawer at home, in your house, they have to get a warrant. It has to state why
they want the records – i.e., that they have probable cause that they display
evidence of a crime – before they can come and get them. We think, pretty
simply put, that that same standard should be in place for doctors and
insurance companies. This type of Fourth-Amendment-like protection enhances
both patient privacy and engenders trust between doctors and patients.

There are cases when law enforcement is going to have a compelling need and
they are going to have to gain access to these records. Nobody disputes that.
The Fourth Amendment doesn’t say that – it is not a bar to law-enforcement
investigations. It simply says that we have to balance the interests of
individual rights with those of law enforcement. The current regulations don’t
reflect that balance in any way.

I have six specific areas where we have problems. The first is there is no
meaningful requirement of judicial review. As Bob noted, I mean, the
regulations give law-enforcement agencies the choice of obtaining records
through a warrant or a court order or a grand-jury subpoena or – and, of most
interest to us – through an administrative subpoena, summons or civil
investigative demand. These last three legal instruments are issued without
judicial review.

Naturally, law-enforcement agents, especially in the beginning part of their
investigation, are going to use the least restrictive means to gain access to
records.

As Bob noted, I mean, essentially, you are talking about here is my badge. I
want the records. I mean, that is how unrestrictive we are talking about.

As Justice Cardozo noted, the often-competitive enterprise of ferreting out
crime means that law enforcement has a lot of incentive to push the envelope in
this area. It is impossible for them to neutrally balance the competing needs
of law enforcement and privacy.

Even when judicial review is sought, the standard is not meaningful or not
adequate, excuse me. It’s meaningful, but it’s not adequate. Regulations would
need to assert probable cause that the records are relevant and material to a
legitimate law-enforcement inquiry, specific and narrowly drawn as is
reasonably practicable, and de-identified information could not reasonably be
used. This standard, obviously, falls short of the traditional probable-cause
standard, namely that the records contain evidence of a crime. They don’t call
for balancing, and, frankly, the bar is set too low.

Third, the regulations do not require individuals whose records are about to
be searched to receive notice. This kind of notice is consistent with due
process and our ideas of an adversarial proceeding. If there is any risk, of
course, that this notice is going to result in records being destroyed, notice
could be waived, but, in an ordinary investigation, an individual should
receive notice, either in the case of a court order or a law-enforcement
warrant to let them know that their records are being searched.

Fourth, the proposal contains an over-broad identification exemption. The
regulations allow for release of patient information any time the police are
trying to identify the suspect or fugitive. Bob did a good job sort of
elaborating on what the specifics are of that, but I think he made the most
important point which is that once records are computerized, it is no longer an
individual flipping through paper. It’s a search run by either the doctor’s
office or law enforcement. So when standards are as weak as these, we have a
blood type for a suspect, we want to do the search for everybody who has that
blood type. These don’t have to be narrow. They don’t have to be practically
drawn. They just have to say, we are trying to identify a suspect. There’s no –
I mean, these types of databases are not law-enforcement databases. They are
databases of private law-abiding citizens, and they shouldn’t be turned into
databases.

Fifth, and this is something Bob didn’t touch upon, but the regulations
contain blanket exemptions for these very minimal procedural requirements for
intelligence and national-security activities.

Current law enforcement already provides special procedures for
intelligence-gathering activities, but there is no precedent in the code for a
blanket exception for law-enforcement procedures for agencies engaged in
domestic law enforcement. This kind of carte-blanche authority is unnecessary
and inappropriate.

Sixth, evidence obtained in violation of the legal standard of regulation
should be inadmissible at trial. HHS may not have the authority to mandate such
a rule, but we think this approach should be endorsed in the preamble to the
regulation.

It’s always nice when we can talk a little bit of real world at some point.
So I am going to try to do that a little bit. This lack of appropriate privacy
controls leads to disturbing and dangerous results.

For almost three years an initiative named the Strategic Medical
Intelligence Unit has operated out of Pittsburgh, Pennsylvania. This group of
volunteer doctors is a pilot program that operates as a conduit between local
doctors and law enforcement, specifically the FBI. Their stated goal is to act
as an early-warning system in cases of bioterrorism. The SMI doctors possess
security clearance and are briefed by the FBI. Under the system, local doctors
notify the SMI when they encounter a suspicious event. This term is completely
undefined, but seems to run the spectrum from an unusual rash to a loss of limb
due to explosion.

The SMI team then determines if the event is a potential terrorism event and
refers such events to the FBI. The SMI receives one to two referrals a week and
has forwarded the individually-identifiable information of at least three
people to the FBI. Patients may or may not be told that their medical
information is being forwarded.

Senator Arlen Specter has stated that he will seek federal funding to expand
SMI. We are mystified by the rationale for this dramatic violation of patient
privacy. We can only assume that SMI and the FBI believe their actions to be
covered by the law-enforcement or national security exemptions.

It is an understatement to say that this type of information sharing has a
chilling effect. An individual who knows that a doctor visit may trigger an
investigation by the FBI is less likely to go to the doctor. I mean, this is
common sense. No one wants to be under the law-enforcement microscope whether
they are guilty or innocent.

The problem is exacerbated by the complete lack of standards in this
program. A very limited type of similar communication is currently allowed in
the case of gunshot wounds and suspected abuse, but this type of program
dramatically expands reporting and turns doctors into government informants.

Further, the program is completely unnecessary. This same type of
information could be compiled in a de-individualized manner. The reporting of a
certain number of similar symptoms from different patients would trigger a
bioterrorism investigation without violating the privacy of individuals.

SMI is a perfect example of what is wrong with the law-enforcement
exemptions to HIPAA. The state has abdicated its responsibility to balance
privacy and security. Naturally, in such an environment, law enforcement
chooses security, even if there is an equal or better alternative that respects
individual rights. The police rightly expect us to be the ones making the
public-policy judgments. Their job is to catch lawbreakers. They are going to
do that with whatever tools we give them.

At minimum, the HIPAA regulations must be strengthened. Medical records
should only be released in the face of a warrant or a court order with notice
asserting that the police have probable cause to believe that the requested
records contained evidence of a crime. While some provision may have to be made
for national security, we believe access to records under this provision should
still be subject to independent oversight. The current HIPAA regulations assure
that the flimsiest security rationale trumps personal privacy. That harms
patients, doctors and public health.

Thank you.

MR. ROTHSTEIN: Thank you very much. I’m sure my colleagues all have
questions, and who wants to go first?

MR. HOUSTON: Interesting that I’m from Pittsburgh and I never knew about
SMI. That’s –

MR. CALABRESE: Need to get more press, obviously.

MR. HOUSTON: Excuse me?

MR. CALABRESE: We need to obviously do a better job of promoting it in the
press or –

MR. HOUSTON: That’s right.

I would like to say, though, that, interestingly enough, though, that there
is actually a program that was developed at the University of Pittsburgh that
does, on a de-identified basis, do bioterrorism monitoring.

MR. CALABRESE: And it is very interesting, many of the articles that discuss
this program discuss that program as well, and the connection hasn’t really
been made that I think that that de-identified program may perform a better
function than the SMI program.

MR. HOUSTON: Right.

MR. CALABRESE: I’m sorry. Please –

MR. HOUSTON: No, but I just wanted to say that because that was sort of
interest.

One of the things I guess I’m very concerned about, because it is something
that I have had to deal with very directly has been – and this seems to be on
the rise – is the concept of doctor shopping, a patient going to multiple
doctors to get prescription drugs, often the same ones. Obviously, there is
some type of dependency going on, and, frankly, it is an area that I know
within my whole system there is great turmoil. What can we do? What are we
supposed to do? And, frankly, at this point in time, I don’t think that there
is adequate guidance as to how to react. We’ve gone to the various sources and
asked what our rights were and what we should do and haven’t gotten good
answers. I would sort of like to understand exactly what everybody sees as the
balance of patient privacy versus patient safety and what is appropriate in
terms of reporting in order to ensure that that patient isn’t abusing
medications. It’s a complex issue, which I’m not sure I understand how we
should view those types of situations.

MR. CALABRESE: Well, I think it is interesting, because we think, obviously,
that there is not a lot of meaningful protection here, but your question
highlights a very important byproduct of the lack of meaningful protection, and
that is that hospitals, I think, and doctors tend to sort of recognize that and
be concerned about it. So, in some ways, they retreat to sort of bureaucratic –
we don’t know what we should release. We’re not sure what to do for law
enforcement. So if there are very real problems like doctor shopping, they get
obscured in this – we are not sure what you – you know, what you want this
information for, and we’re not sure it is really legitimate.

MR. HOUSTON: Well, it’s us actually knowing that a patient has shopped for
multiple doctors and saying, do we have the – is there that right or is there
that obligation to, say, go to law enforcement with that information –

MR. CALABRESE: And that is precisely my point is that you lack – really, you
lack very real guidance on these kind of important issues because it is lost in
the thicket of these sort of over-broad regulations.

I mean, specific exemptions can be created, specific situations can be
addressed within the regulations, I think, without – sort of without these
over-broad provisions. I mean, I know I haven’t answered the specifics of your
question. I just sort of – that is the ACLU’s take on some of these specific
inquiries.

MR. ROTHSTEIN: Mr. Williamson, would you like to comment?

MR. WILLIAMSON: I would like to talk a little bit about that, because that
is really in my backyard, not only being in the DEA, but being a DEA Diversion
Investigator, and I did mention this briefly in my presentation, but this is a
hard nut to crack under HIPAA, and, you know, some of these doctor-shopping
organizations are organized.

The DEA does not usually investigate individuals. They can be subpoenaed.
They can be witnesses in trials, and they can get a little bit damaged, you
know. I mean, if somebody – if we’re working a doctor and then we have somebody
that was going into the doctor to get drugs and then they’re dealing with the
drugs, they can become a witness and turn state’s evidence, et cetera. So it’s
not like it’s never going to happen, but that is not what the DEA is about. We
just don’t have the manpower to do those investigations.

MR. HOUSTON: That is what we have heard, and that’s unfortunate, because
there is a patient-safety issue that is really quite important.

MR. WILLIAMSON: Well, and it is a major way that drugs are diverted. These
drugs are becoming more and more typical law-enforcement drugs, where it’s not
the prescription drugs that were just kind of like for the Diversion
Investigators. These drugs, you have state narcotics units, and it will
leverage out, and the way these cases are put together, they generally do
require, what? A suspect, some sort of evidence that the suspect was going to
multiple doctors. Well, how do you think you establish that? You go to the
doctors and say, was this patient a patient of yours? What time did he come
here? Did he come here yesterday? Because he went to Dr. Smith’s office
yesterday, too. So these are kind of common-sense things that the investigators
need to be able to do. They need to be able to pick up those prescriptions.
They need to be able to do a time line and a spreadsheet, et cetera, and if we
are not going to be able to do that or if the state police officers and the
locals in the working partnership – I mean, I kind of perceive this as a bigger
problem for them.

You know, what we do in the DEA, we will never go to a doctor’s office and
try to get a medical record under an administrative subpoena. I mean, we would
get that under – it is just not the way we do business. I thought all of that
stuff was protected anyway. We would use a search warrant or we would do a lot
higher, go get an individual record.

Now, the medical boards, they can go. They have a right to get individual,
but we really don’t. So I’m not familiar with people just going to do that, but
if, indeed, you know, there is going to be more protections, this is the place
to have the exemptions and to have them spelled out, and, really, to facilitate
the local police officers be able to do their job on something that is really a
very simple investigation. It just requires a little bit of an operational
procedure.

MR. ROTHSTEIN: I would like to follow up. We can come back to – on the
prescription-monitoring issue.

Kentucky is one of the 20-or-so states –

MR. WILLIAMSON: Yes – (inaudible) – program – the money that is coming in
from that.

MR. ROTHSTEIN: – and I think there are some clear privacy issues raised by
prescription-monitoring programs.

Our state, the way it works is something like this – and there is
legislation pending in the legislature to actually expand it, but when a
scheduled substance is prescribed for a patient, that information will, in real
time, go to – at the moment, it is the health department. Now, there’s some
consideration about moving it to the state police to –

MR. WILLIAMSON: What state are you from?

MR. ROTHSTEIN: Kentucky.

MR. WILLIAMSON: Okay.

MR. ROTHSTEIN: And the physician also has the opportunity to get software to
actually check on the patient’s history. So I have a patient in my office, and
he is complaining about back pain and wants Vicodin, I say, well, excuse me a
minute. I’ll be right back, and I go in and, now, I can find out the
prescription-medication history of that individual.

So there, I think, are two sets of – besides the privacy issue –
disincentives.

Number one is the disincentive to the physician to prescribe this, knowing,
as you described earlier, the physician is now being monitored in the system
for writing these prescriptions for painkillers.

And second is possibly a reluctance of individuals to seek medication
knowing that they are automatically being put in the system, and it seems to me
that we need to try to explore alternatives to weigh the – or balance the
legitimate interest in avoiding the diversion of drugs and the doctor shopping,
et cetera, and, on the other hand, protecting the legitimate interests of both
physicians and patients.

One thing that I would like to ask you to comment on is whether, in fact, it
is necessary to report physicians by name when you already have DEA numbers for
all these prescriptions. So, in other words, from the doctor’s point, why do
you need to send Dr. Harry Smith from such-and-such town in – we can just put
the prescription was issued by Dr. 23579?

And another possibility is to also assign a DEA-like number to each patient
who receives these medications. So, in other words, I would have my own
prescription med number for only prescribed – for scheduled substances, and so
when I get a prescription for a painkiller – Dr. No. 5 prescribes a drug for
Patient No. 7 – then the computers can match that and find out if there is a
problem with the doctor prescribing or the patient shopping or maybe somebody
trying to get a duplicate number, and, now, you can do – or the state can do
its own investigation, but I am troubled by the fact that every single
prescription for every scheduled narcotic or controlled substance is now
automatically in the system. I would like you to comment and then maybe the
others.

MR. WILLIAMSON: Yes, first of all, the programs are not uniform among the
states, because it is not a federal program. They have been around long before
this grant money was available, and I think what stimulated an interest in the
grant program was the abuse of Oxycontin in Kentucky.

They are gaining a head of steam. A number of things. Number one, the
chilling effect of the doctors and the patients. That has really not been
corroborated in terms of the numbers of prescriptions that are written. In
fact, most of the time, these programs become fairly popular with the
physicians, and the reason for that is that they can find out where their bad
apples are by looking at the program themselves. They can find out where their
patients have been doctor shopping.

In every case, the privacy issues are debated in the state legislatures as
the enabling legislation comes forward to provide for these programs, and they
do differ among the states in terms of how much access law enforcement would
have or does have. I do believe law enforcement has access to the programs in
each and every state. There’s a permission, a threshold, and that does vary a
little bit from state to state in terms of how it is designed.

In terms of de-identifying the data, I don’t believe that that would matter
to anybody in terms of assigning a number. The mechanics, the technology –
right now, we are talking about technology a lot in DEA, because there is a lot
of talk about doing a national program, and the DEA kind of feels like it would
be kind of heavy handed. We don’t know how well it would be administered. We
really like these state programs. They tailor their program to their drug-abuse
situation. Obviously, there is a lot bigger prescription drug-abuse problem in
Kentucky than there is in someplace like Montana.

And I can’t shut up once I get to talking, but I will tell you this, I had
to go down to Florida and make a presentation on these programs, and,
fortunately, I followed a doc from Kentucky that was an oncologist and he was
talking about how great that program in Kentucky was, and I was able to get up
and say, if it was really a bad program, he wouldn’t like it because
oncologists are going to have some problems with law enforcement. So some of
these dynamics can be taken care of.

Again, the technology about one of the things that we are talking about,
making sure the programs can communicate with each other across state lines, so
that the program in Kentucky, there are people who go to Tennessee, they can
find out about it in Kentucky. So we really don’t have any problems with a lot
of the concepts. They just need to be worked out.

MR. ROTHSTEIN: Well, let me ask Mr. Gellman and Mr. Calabrese if they would
want to comment on this aspect of the drug-diversion programs and whether you
might have separate objections to the reporting by numbers or other issues.

MR. GELLMAN: Well, let me make a couple of comments in response to your
question and John’s.

First of all, I think that – I don’t mean to suggest that any of this is
easy or that there aren’t conflicts between different principles here, but the
provision in HIPAA already says that if you believe, in good faith, that you
have information that constitutes evidence of criminal conduct that occurred on
the premises of the covered entity, you can disclose it to the cops. That is
what HIPAA already says. Unless state law says otherwise, then, if you have
evidence –

MR. CALABRESE(?): The argument – it isn’t on the premises of the physician
office –

MR. GELLMAN: And what is evidence?

Well, I understand, and that may be –

MR. CALABRESE(?): And by the way, the other issue is forging of scripts,
which is also something that is an issue that doesn’t happen on physician
premises, but is a growing – a trend that’s –

MR. GELLMAN: But it happens. If you turn in a forged prescription to a
pharmacist, you now have evidence that occurred on the premises of a pharmacist.

So, anyway, I am not saying that this is a complete solution or easy to
apply. There is a provision in here that deals with it, and if you don’t meet
the standards of this, then maybe you shouldn’t be disclosing it.

Secondly, if physicians – and they do – if physicians are going to rat on
their patients to the cops, then I think there ought to be better disclosure. I
think there ought to be a sign in a physician’s office or an express box and a
notice that says, if you come in here and we find evidence of child abuse, we
will, and are compelled by law, to turn that information over to various
authorities. If we are going to do that for drug abuse, fine. Let’s make a
decision and do that, but tell people what we are doing. I don’t think – I want
to know exactly what is going to be reported and what qualifies here.

Secondly, with respect to your suggestion for – you know – making this more
anonymous in some fashion, I think that that – in some ways it helps and in
some ways it makes it worse.

I want to look at the comprehensive fair-information practices that apply to
this information. If it is being collected for a very express limited purpose,
let’s have a set of rules that say it is going to be used only for that
purpose. It is not going to be available to anybody else for any unrelated
purpose, and that the data that we collect will be discarded after a suitable
period of time when it is no longer relevant, and I think that is more
important than having some kind of quasi-anonymization process which will be
easily seen through when we find somebody who we have agreed – either a
physician or patient – who is clearly abusing the law and needs to be
investigated further.

And, finally, with respect to the idea of some kind of patient identifier, I
don’t know if you remember, but, you know, the issue of patient identifiers has
come up before this committee in the past –

MR. ROTHSTEIN: I understand. This would be a very limited use.

(Laughter).

MR. GELLMAN: I believe – that, of course, is what they all say, and as soon
as you create a new patient identifier, everybody would want to use it, and I
might remind you that there is an appropriation rider I think is still in the
law that prohibits HHS from spending any money to adopt – in the direction of
adopting a new patient identifier, and I don’t know whether your proposal
violates the –

(Laughter).

MR. ROTHSTEIN: No, no – Thank you for that insinuation, but – (laughter) –
this would be pursuant to state law. I think the states are free to set that
up, but I’m not sure, and before I advocate something like that, I just wanted
to see whether people are comfortable with it.

Personally, I would have a problem, and do have a problem, that every
prescription that I get in Kentucky goes not only to the health department, but
to the contractor of the health department, who is the IT person who puts
together looking for matches and patterns and all this other stuff, and who
knows who they are, and as well as the – you know – the state law-enforcement
people. I just think that we are paying a tremendous civil-liberties price for
I’m not sure how much payoff, in terms of law enforcement with regard to
Oxycontin or any of the other problems that are especially difficult in our
state, but –

MR. GELLMAN: Can I just make one more point?

MR. ROTHSTEIN: Sure.

MR. GELLMAN: Before I went down that road, I want to make sure that I know
what the costs are and what the benefits are of this and if there are other
ways of solving the problem, if there are other ways of creating
non-identifiable identifiers, if you will – I can take your name and put it
through a one-way hash so that I can match up different prescription records
on that basis, so that the person doing the matching doesn’t know who it is,
just knows that these three prescriptions have been given to the same person,
and we haven’t created a new identifier –

MR. ROTHSTEIN: Yes, wouldn’t necessarily have to be a permanent identifier.
What I am saying is some sort of encryption or something, because just – I
don’t want my name floating around there as a potential drug diverter.

MR. CALABRESE: Mr. Chairman, you have so aptly encompassed the
civil-liberties concerns that I don’t have a whole lot to add, except to say
that there is always creep on this type of program. Whenever we collect
information, it seems like it never gets thrown away. It just gets aggregated
with other information, and I think that with the increasing computerization of
medical records, you are going to see that to a greater and greater degree, and
I think that means we have to be really careful about what it is that we
collect and what it is that we hold onto because it is very rarely only used
for what it is collected for in the long run. I mean, everything from Social
Security cards to a million things.

MR. HOUSTON: I have never personally heard of – and working for a large
health system – of cases where the authorities have come in and the purpose –
you know, for the express purpose of culling through our records to find
information –

MR. CALABRESE: Well, can I – Sure.

MR. HOUSTON: – and I think that there’s – I’m also concerned, because we are
moving down the path of creating a – purely a paperless environment, which –
you know – very advanced clinical-decision support, very advanced
clinical-information systems, which we think is absolutely vital for improving
quality of care, and, clearly, it sounds like there are some – things are at
odds here, because we will absolutely want to collect more and more information
about patients and have – you know, not just episodic data, but across – you
know – cradle-to-grave data for the purpose of delivering as good a quality
care as possible, and yet –

MR. CALABRESE: I am a patient, too, you know. I go into hospitals, and I
want them to have my information, so I don’t – you know – or my son’s
information, so I don’t have to explain to them again that – you know – what
condition he may have had when he was three months old, and I understand, and I
understand that that is a lynchpin to providing quality health care, but it
only underscores why we need better protections, because when you have all this
information, you’re right, it is incredibly rich. It is incredibly detailed and
it is incredibly valuable. That makes it a magnet for law-enforcement
investigations when there is no, what we would consider to be, adequate
probable-cause standards in place to protect it.

I mean, it is only going to take – I don’t want to speculate, and I don’t
want to – but I believe that it is going to take a limited amount of time
before a law-enforcement officer realizes how useful this information may be,
and once that happens, you know, their first stop for a crime where they have
biological evidence may be the local hospital, because that is the best place
to match up biological evidence with individuals.

MR. REYNOLDS: First, I’d like to thank the panel. Very enlightening. I
thought I understood privacy in looking at it from the industry, and it’s
pretty amazing what you all have covered.

But I think with the idea that HMOs tend to have failed in the United
States, so we are going more to everybody going to whatever doctor they want
to, obviously opens a door, the fact we’re using more PBM, Pharmacy Benefit
Managers, to consolidate data. I know there are pilot projects for medication
lists, wherever you go for care, as drug costs rise, we are all looking closer
and closer at those things. So you raised an awful lot of issues, and then how
the data is available.

Mr. Williamson, I wanted to ask you a question. You mentioned that the DEA
would have rather been a health-oversight group, not part of law enforcement
and I didn’t understand what that was –

MR. WILLIAMSON: In the Diversion Program, we felt like it was a better fit
for us to be as a health-oversight group rather than law enforcement –

MR. REYNOLDS: What would that give you – a different capability or a
different way of doing –

MR. WILLIAMSON: You would be allowed to have access to the records without
having to use process. I think that’s what they call it. It’s just – it would
be nice for them to have laid out – include this group DEA Diversion
Investigators, as opposed to the DEA Diversion Investigators and the industry,
you know, having to guess what we are. In practice, we are law enforcement.
That is the way they are treating us and that is the way we are doing business.

MR. REYNOLDS: Mr. Calabrese, from the standpoint of these new things that
are coming along, the medication lists that emergency rooms would get an access
to, electronic medical records, where do you see a line being drawn for that
use as care versus use for other reasons?

MR. CALABRESE: The Fourth Amendment, I guess. I mean, that is a very glib
answer, but the probable-cause standards that exist right now, and those are
not – you know, pretty simply put – evidence that I have – what I am looking
for, the record, the information is specific evidence of a crime. All right. I
mean, we have no problem with that, and we think that – I mean, that is very
important that police have access to that information, but not for fishing
expeditions, not to troll through the records, looking to see if we can match
up something we found from a scene with something in a medical file. Have a
specific evidence of a crime, put it in a warrant, take it before a judge and
then give it to the doctor or hospital.

MR. ROTHSTEIN: I would like to try to get a bigger picture of where we are
in the law-enforcement area, and it seems to me that there is an unusual aspect
to this whole area. Under HIPAA, the general principle is that federal law
applies, unless there is a state law that is more protective of privacy rights.
In the law-enforcement area, it seems just the opposite. In other words, under
the provisions of 512-A, which allows for disclosures required by law, states
can enact laws that are restrictive of privacy rights under the theory that
they are law enforcement, and they are, in effect, exempt from HIPAA, and so
that the states have a very wide leeway to enact all sorts of
law-enforcement-type provisions and thereby cut into the protections that
normally would apply.

Let me give you an example. Suppose that California decides that because of
their high number of plastic surgeons in the state that they might become a
haven for terrorists who want to change their identities, and, therefore, they
enact a law that says that every plastic surgeon in the state must get before
and after photographs of every patient undergoing plastic surgery in California
for possible law-enforcement use. I believe that under 512-A, that would be a
lawful disclosure of PHI, and yet it seems to me that individuals in the state
who are contemplating – you pick the surgery – might be rather reluctant to
have their before and after photographs taken by their plastic surgeons now in
some file somewhere for law-enforcement purposes and shared who knows with what
agencies, and that seems to me a rather sort of unusual twist on the general
provisions or principles underlying the kind of federalism involved in HIPAA,
and I was wondering if anyone on the panel wanted to comment on that.

MR. GELLMAN: Well, yes, I think your analysis is exactly right, and if the
California law required that the pictures be printed in the local newspaper,
that would also not be inconsistent with HIPAA.

However, just to point out, the plastic surgeons of California would
probably lobby very heavily against that law. Patients would go to another
state to have plastic surgery done, and I don’t know whether the political
process of California would support the passage of that law, but even if it
did, the real problem here – and I think you have put your finger on a real
issue – is that in constructing a policy here that interfaces both a federal
standard and state law, there are a large number of state laws that go all
across the spectrum that require the disclosure of some health information or
some program. Most of those laws probably have a pretty good justification,
because they’re – you know, DEA is a good example. There are state programs
that require all this kind of stuff. The prescription-drug-reporting stuff we
just talked about is an example of a required disclosure, and if you are
writing a policy and you are trying to develop a standard here, other than
required by law, you have a hell of a problem figuring out which laws you are
going to allow and which laws you are not going to allow, and it is really hard
to do that generically. You almost have to do it on a case-by-case basis.
Finding all of the state laws that require some disclosure of some PHI to
somebody would take an enormous expenditure of resources, and then you have all
of these really difficult decisions to make, and so from a policy perspective,
you are almost forced to come to this general standard of saying required by
law and saying let the political process in the states deal with this kind of
concern, and if you can get enough votes in a state just to require a
disclosure, so be it. We are not going to get in the way.

MR. WILLIAMSON: I might just comment.

You know, there is tremendous diversity in this country about the way people
have attitudes about things, and you will see it in the state laws. We do in
the DEA. Believe me, sometimes, the way people feel about things in Georgia is
really a lot different than the way they feel about things in California, and
so it is kind of hard sometimes to cover all of the bases in a country like
this.

MR. CALABRESE: – it’s hard for me to get up and say that – you know, to talk
about the example where maybe they are infringing more on privacy, and I guess
I would just say that we think these current laws are pretty lax as it is, and
we are much less concerned about small ways that states can make them less lax
than we are about generally making the federal standards stiffer, and whether
we do that through changing the federal laws or changing the state laws, that
is kind of more our concern.

MR. ROTHSTEIN: I have shared what is at the top of my list with you. Bob
Gellman gave his list of things that he was concerned about.

I would like to ask you, Bob, if you could give us some recommendations
about how the administrative request provision could be tightened up to take
care of the – what you perceive to be the sort of the looseness in it.

MR. GELLMAN: Well, I would like to agree with the ACLU that you gotta
require a judicial warrant before the cops can ask for records. I don’t think
that is practical in all circumstances, unfortunately, and I don’t think it is
politically possible to establish a standard like that for a whole variety of
reasons.

I think the interim step is to say that if you are making an administrative
request that you have to make a written request to the institution from the
law-enforcement agency, that it has to be signed by a supervisory personnel of
the law-enforcement agency making the request. I’m not saying it has to be
signed by the FBI director or by the head of the state police, but by a
supervisor. It might be a desk sergeant or a lieutenant, but something that
says this isn’t just some cop off on his own asking for records.

I think those two steps – they are not the only ones. I might tighten up the
standards. I might require some kind of – there are standards in the
administrative-request section. I might require some kind of evidence, not
necessarily – whether it is offered to the hospital or not, I’m not sure,
because some of this gets very complicated about disclosing the internals of
law-enforcement investigations – that there be some kind of evidence to support
the assertions that the information is really needed, that we can’t use the
identified data and whatever the other standard is.

I would also suggest that the odds of this rule changing are very low. If I
may report on a rumor that I heard from several sources many years ago, HHS
wrote a better rule, when they were writing the HIPAA rule originally, and the
Justice Department, according to this rumor, objected very strongly to it and
the issue went to OMB to be resolved, the difference between the agencies, and
OMB ruled in favor of the Department of Justice, and the issue was then
appealed further to the White House and the White House, in resolving this,
gave the Justice Department everything it wanted and then some. Gave it stuff
it didn’t even ask for. So I think this is an issue on which HHS – that was the
Clinton administration.

I think HHS will be very hard pressed to change this rule, and I would
suggest instead or in addition to asking for that, that this committee make
recommendations to covered entities and to tell them this is what the rule
says, but you are not required to turn information over, and that you can, on
your own motion, say if you want to make – if you, Mr. Law Enforcement
Official, want to make a request, you must make it in writing. You must have it
signed by a supervisor – and perhaps I have exceptions for emergency
circumstances where an instant request may make sense – and I would also
suggest to covered entities that they have an internal procedure within the
covered entity so that not every person within a hospital is authorized to turn
information over to the cops, but there be a process whereby you have to talk
to a supervisory official or a lawyer or somebody within the medical facility
before information is turned out.

Institutions can do that right now on their own and have higher standards
than HIPAA requires, and you don’t need to change the regulation.

MR. ROTHSTEIN: Well, I think, in fact, many of them do.

And Mr. Williamson will comment on this and then –

MR. WILLIAMSON: Yes, I did want to jump in here.

First of all, I would like to reaffirm that I am with the DEA. I’m a
Diversion Investigator, and I’m – I don’t know how many law-enforcement people
you have here, but inferring everything about law enforcement from talking to
me would be a mistake, okay? I mean, I just know what I know.

But I would hope that we do not have to go to a judge or a magistrate to get
types of information that we would routinely consider somehow third party. It
would be a tremendous inefficiency. It would be very expensive, very
problematic in the way we do business. I don’t have any problem having
supervisors to look for things. I don’t think investigative prerogatives should
be abused, and I do think that there should be safeguards, that the evidence
should be thrown out, but in the world from beyond a reasonable doubt to
probable cause to simple suspicion or whatever else, I mean, when you say you
have to have evidence of something that means something to me, that police
should not have to have evidence of something, because, by God, if you have
evidence of something, you can indict them, you know, you can go forward with a
reasonable suspicion or something lower like that. So I just wanted to kind of
throw in my two cents pretty much with Bob, I guess.

MR. CALABRESE: If I might, just briefly, I mean, I don’t want to touch on
Bob’s we-are-not-going-to-change-this, because that would be sad.

But I would just say also the standard could be higher as well, the standard
for what type of information you are going to get and how you should get access
to information, and, again, this is outside of the rule, but if that standard
is violated in getting the information, the exclusionary rule should apply and
we should urge courts to apply an exclusionary rule. I think that that’s
provided – that has proved to be an effective deterrent in the past in keeping
law-enforcement officials from going and doing fishing expeditions, knowing
that it is not going to be admissible in court.

MR. HOUSTON: I just had a comment. I mean, I think we’re still –
unfortunately, the gentleman from the National District Attorneys Association
was not able to be here, and I think that we are sort of – I mean, though Mr.
Williamson is here from the DEA, I think we are sort of still missing a
perspective or two on this, and I think I would be interested in seeing if we
could try to arrange some testimony, maybe a single panel, at some later date
to help speak to some of the issues of the – you know, from the District
Attorneys’ side as well as maybe some other law-enforcement perspectives.

MR. ROTHSTEIN: Well, we did make – I believe – rather strenuous efforts to
get additional witnesses from various law-enforcement community groups,
professional groups, government agencies and the like, and they were all busy
today, and so were unable to attend, but, clearly, we do need their input and
will have an opportunity, I think, should the subcommittee or the committee
come up with any recommendations that would affect their interests.

MR. HOUSTON: Not to minimize anything that was said here, I just – I think
even if it could be done by some type of agreement to get some type of written
statements in lieu of testimony, I think that would be important. I mean, I
read through the one testimony from Mr. McCullough(?), and it might be helpful
to at least get some thoughts from others, too.

MR. ROTHSTEIN: Well, just to remind the panelists and the subcommittee
members and others that the purpose of this hearing today and the whole series
of hearings is not to get the total body of information that exists on every
problem. It’s a way of generating some areas in which further fact finding is
necessary to identify problem areas that individuals affected by the rule or
other commentators want to address, and so I appreciate your statement.

MR. REYNOLDS: Nobody mentioned accounting for disclosures. Maybe, Mr.
Gellman, you could – because my understanding of covered – if a covered entity
releases information, other than for treatment, payment, healthcare operation,
then they have to account for that as a disclosure, and I haven’t heard that
brought up. So I would – why wouldn’t these administrative requests fall into
that type of a category where you would notify the person that you have –

MR. GELLMAN: Well, an accounting for disclosure is not the same thing as
notice to the person. An accounting for disclosure is simply a notation
somewhere in a file that records have been disclosed. If the person asks for
the record – for the record of the accounting, they may be entitled to get it.

Now, for law-enforcement disclosures, the law-enforcement agency can ask
that the record of the accounting not be given out for a period of time. That
has to be done in writing, under the rule. However, just in general, with
respect to accounting for disclosures, there is, in the Privacy Act of 1974, a
very comparable provision that applies across the board to disclosures and has
been on the books and in effect since September of 1975, and I can tell you
that an awful lot of federal agencies don’t do it, and how much compliance
there is with accounting for disclosures out there in the real world I really
wonder about, and it’s a very difficult thing to do –

MR. REYNOLDS: It is a difficult – right.

MR. WILLIAMSON: In our administrative subpoenas, we would ask them not to
disclose for a period of time to track the intent of the law and also allow us
to do our investigation.

MR. ROTHSTEIN: If there are no further questions from the members of the
subcommittee, I want to thank the panel members for their excellent testimony.

Agenda Item: Public Comments

MR. ROTHSTEIN: According to our schedule, we were scheduled to take a break
and then have public comments, but we only have one public commenter. So with
the consent of the subcommittee, I would invite Kathryn Serkes to come to the
table, give her remarks and then, following that, we will adjourn for the day.

Okay. So, please proceed, and you’ve got five minutes, as you know.

MS. SERKES: Pardon me?

MR. ROTHSTEIN: You’ve got five minutes, as you know.

MS. SERKES: Thank you.

I am Kathryn Serkes, S-E-R-K-E-S, for the Association of American Physicians
and Surgeons.

Just to refresh all of your memory, APS was founded in 1943. It is a
non-partisan professional association of physicians in all practices and
specialties, dedicated to the protection of the sanctity of the
patient-physician relationship.

We have also filed an amicus in the interest of disclosure. We have also
filed an amicus brief in the State of Florida, urging the state to comply with
its own laws in the Rush Limbaugh case as well.

I don’t have any prepared statements. I would like to respond to some of the
things that we have heard today, and specifically want to reiterate what we
have heard from both Mr. Gellman and the ACLU in terms of the concerns that we
have in the problems, and I don’t need to review those, but we echo those same
concerns, and I may be able to help you with some specific examples.

We are, indeed, particularly concerned about the administrative requests,
the administrative subpoenas, the grand-jury subpoenas. This is a big problem,
because, as you know, physicians – and, again, I am looking at the side of the
individual physician, rather than the hospital, the institution – but the
physicians are subject to state licensing, and because of the fraud
investigations, in particular, are subject to these administrative
investigations and administrative reviews. So this is where it is of particular
concern for the physicians.

I will give you an example – I wanted to say something in the front as well,
that even though, for example, we have filed in the Rush Limbaugh case, APS
also filed an amicus brief supporting the partial-birth-abortion ban, but, in
that case, for example, we do not agree with those who are opposing the
disclosure of the records by the physicians who have filed objection to the ban
that they are resisting disclosing the records, if those records can be – and,
particularly, the judge used HIPAA as the reason for that, and we disagree with
that. If the records can be identified, that is a different situation, where
there is a civil suit and the parties who initiated the civil suit are not
willing to reveal records, as opposed to being the subject of a federal
investigation, for example. There is a clear distinction there, so that we were
not always – it is not always an issue of no disclosure whatsoever, you know,
and to make that very clear.

But let me tell you, for example, of how these administrative requests – and
one of the areas that we have a great deal of experience, unfortunately, in the
past year or so, is on the drug-diversion and the pain-management issue. APS
has filed several amicus briefs in this, and we have several members who have
been prosecuted by the Department of Justice, both at the state and federal
level, but DEA sat in on a medical-licensure-board administrative hearing of a
physician in Tucson, Arizona, and then they use the information – and that was
without the knowledge or consent of either that physician or the physician’s
attorney – and the physician had no legal representation in that one, because
it was an administrative proceeding. In fact, not all members of the state
licensing board knew that the DEA was monitoring that, sitting in the other
room watching – listening to that. The information obtained at that hearing was
then used as part of the indictment against the physician, 160-something-count
indictment against that physician. So that is a case where the administrative
process is being invoked in a law-enforcement environment.

To respond to the prescription-drug monitoring, I get your newsletter, Mr.
Rothstein, so I am familiar with all the work that you do in Kentucky. Kentucky
is considered the gold standard of the prescription-drug monitoring, and yet
Kentucky still continues to be the state with one of the biggest problems in
drug diversions. So we are not seeing the correlation between the reporting and
clamping down on the true diversion.

We have recently held a town meeting in Florida where that bill is being
considered. There are some problems with that bill that have nothing to do with
HIPAA. In fact, the state senate staff has already suggested and analyzed the
bill and said that they believe that it will be found unconstitutional.

The problems with a prescription-drug bill like that, I think, as Mr.
Gellman has pointed out, that this is moving to the surveillance society. That
Senate bill, there is no control on who gets the information. The bill does not
spell out who gets the information, who can receive the information in that
database, nor does it control what data goes into that database, nor the
duration, because you raised the issue of how this floats out there forever,
and as you correctly raised, anyone getting a controlled substance, from an
antidepressant to Tylenol 3, is going to be in this, who there’s no suspicion
of any wrongdoing on their part and yet they are into this database. So that
people who are – by just the fact of receiving a prescription for a controlled
substance then have given up part of their privacy rights in exchange for
receiving a prescription. So we are making those into a different class of
patients.

The physicians – you are talking about some of the problems – the gentleman
from the DEA is talking about some of the problems that doctors are having,
problems justifying their prescribing without being able to reveal the records,
and that is correct.

The other hand in this is that physicians, in fact, are choosing to stop
prescribing controlled substances because they are in a bind about being able
to document their records and reveal patient records or withhold them and be
subject to prosecutions or suspicion, and so many physicians have written
letters and they just are not prescribing. So the chill is happening.

Then the other extreme is that some pain specialists are having patients
sign contracts that say specifically that they have the right – that the
physician can reveal their patient records to anyone that the doctor sees fit,
and I have a copy of one of these contracts from a physician in Florida who
specifically asks – now, one patient I know signed it, initialed it and asked
him to delete it, but he is asking to be able to do it. So that is the other
extreme. We have doctors going both ways, trying to figure out how to do this.

You talk about, too, the information flow, and doctors ratting on patients.
Dr. Hasman(?), in Tucson, Arizona, who is just in the process of negotiating a
plea deal and her sentencing will be in a month, I believe, she received an
anonymous call saying that her patient – talk about doctor shopping – received
an anonymous call that she had a patient who was diverting drugs, diverting
controlled substances. That was one of the things that she was cited for in her
indictment, that she should have reported that.

What is a doctor to do? What is a physician to do? An anonymous phone caller
reporting drug diversion, is that enough to compel a physician to report
patient medical records? We don’t think so, but that’s the bind. That’s the
bind.

The DE information flow – this is the dilemma. We can’t figure out how to
solve this either. We have come up with a program project called Communication
and Cooperation, because, now, the information is flowing to law enforcement in
one direction. Physicians are asked to report criminal activity as allowed in
HIPAA, and, yet, the information doesn’t come back to physicians, and you are
concerned – the DEA has expressed concern about what can you disclose, what can
be disclosed back to physicians, because perhaps the drug diversion could be
stopped if the physicians knew who was under suspicion, what people were under
suspicion of drug diversion, then the doctors could stop it and not write the
prescriptions, but, in the meantime, the physicians are supposed to be putting
the patient information out, but not getting anything back.

And, frankly, we have been working on state legislation, model legislation.
We have worked with the pharmaceutical industry on writing the federal
legislation on prescription-drug – and we have not come up with language that
will work that we don’t feel would compromise the privacy issues. This is a
very difficult one, but I hope that some of these examples have helped you to
understand how difficult this is that the law enforcement has created a chill.
It is sending terror throughout the physician community, as well as patients.

We put out a packet of HIPAA FACS and one of the things that we have is a –
Mr. Gellman mentioned something like ratting on – were doctors ratting. We put
out a position that says you have the right to remain silent, anything you say
can and may be used against you. We call it the Miranda Doc, is that to the
point where every physician is going to have to put this poster up in his
office that you have the right to remain silent when you come into this office,
because what you say may be used against you. We had requests for about 40,000
of those posters from physicians.

So we are very concerned about the chill that this has had, and we are
struggling, too, to figure out what is going to work to stop the drug
diversion, in particular, in these issues.

Thank you very much. I appreciate the time.

MR. ROTHSTEIN: Well, thank you for your testimony, and I thought banking was
difficult – (laughter) – and – well, that will give us something to chew on for
this evening.

I want to remind everyone that we will begin at 8:30 tomorrow morning, and
we have two panels on the topic of HIPAA and school records.

Thank you.

(Whereupon, the meeting adjourned at 3:17 p.m., to reconvene tomorrow,
February 19, 2004.)