[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

July 14, 2004

Hubert H. Humphrey Building
Room 705-A
200 Independence Avenue, SW
Washington, DC

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, VA 22030
(703) 352-0091

TABLE OF CONTENTS

P R O C E E D I N G S (9:10 A.M.)

Agenda Item: Call to Order, Introductions, Opening Remarks – Mark Rothstein, JD

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I’m the director of
the Institute for Bioethics Health Policy and Law at the University of
Louisville School of Medicine, and chair of the Subcommittee on Privacy and
Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens,
which makes recommendations to Congress and the Department of Health and Human
Services on health information policy, including those related to the Health
Insurance Portability and Accountability Act.

On behalf of the subcommittee and its fine staff, I want to welcome you to
the first of two days of hearings on implementation issues under the HIPAA
privacy rule. I also want to welcome those of you who are listening to us on
the Internet.

Before proceeding further, I would like to have introductions, beginning
with members of the subcommittee and staff. I would invite subcommittee members
to disclose their conflicts of interest at this time if they have any. I will
begin by noting for the record that I am a professor of medicine at a medical
school that is supported in part by contributions from grateful patients.
Therefore, I could be considered to have a conflict of interest in our
discussion of fund raising, which will occur this afternoon.

Now, for the other members of the subcommittee and staff.

[Introductions were made.]

I should note that the subcommittee will begin with a briefing on the HIPAA
Security Rule, and that will be followed by three panels of invited witnesses
on the issues of marketing, fund raising, and media access to protected health
information. In addition, we take public comments on these issues from
4:30-5:00 pm this afternoon. Any individual who is not an invited witness may
sign up to testify for five minutes. The public testimony slots are on a first
come, first served basis.

Unless the members of the subcommittee have any comments or remarks to make
at this time, I would like to proceed with the briefing on the Security Rule.
And I want to welcome and thank Stanley Nachimson from CMS, who has graciously
agreed to testify before us this morning.

Agenda Item: Briefing on Security Rule – Stanley
Nachimson, CMS

MR. NACHIMSON: Thank you very much. I appreciate the opportunity to provide
the subcommittee a little bit of education on the HIPAA security standards
regulation. I understand you spend a lot of time on privacy, and certainly the
security standards rule is directly applicable to your work. So, I will spend
some time this morning giving you some details about the security standards
final rule.

I’ll be happy to stop and answer questions at any time. There is quite a
bit of detail in the briefing. Let me along the way if we are going into too
much detail, or not enough detail, and I will adjust as necessary. I think
everybody should have paper copied of the presentation. I think they are
available also at the desk.

Our security standards regulation was published on February 20, 2003, with
standard effective date of April 21, which means according to the general HIPAA
schedules, covered entities have two years after the effective date to comply
with the rule, except if you are small health plan, you get an additional year.
So, the compliance date, the date that covered entities are expected to meet
all of the requirements of the security rule is April 21, 2005, except for
small health plans that have until April 21, 2006.

So, now we are a little less than one year away from the compliance date.
We have had a little over a year for folks to digest the final rule, and
determine how they are going to comply with it.

We had some general requirements that are published in the final rule, what
the real purpose of these security standards. And they are really to insure the
confidentiality of electronic-protected health information, that is only the
right people in an organization get to see the information.

We need to insure the integrity of electronic-protected health information,
that is it’s not altered by someone either inadvertently are advertently. The
fact that the information stays the way it should be. And also, the information
is available, that the right people get to see the information when necessary.

What we hope to do is create a balance here in protecting information.
Obviously, we could have a perfectly secure environment where information goes
into a computer system, and no one can see it. The information is perfectly
secure, however, it is basically useless to an organization. So, what we tried
to do is build a balance in the security regulations that information is
protected, but people can see it.

It’s important to understand that the security standards apply only to
electronic-protected health information. This is as compared to the Privacy
Rule, which protects all protected health information. Security standards at
this time only apply to electronic-protected health information. And it’s that
electronic-protected health information that any covered entity either creates,
receives, maintains, or transmits.

So, this is a contrast to the transaction standards, where the transactions
standards regulation really apply to information that is flowing between
covered entities. Here, security standards apply not only to that information,
but also information that any covered entity will store or create within their
organization.

What we expect covered entities to do is protect against reasonably
anticipated threats or hazards, and that’s in the Security Rule, the security
or integrity of the information, and protect against reasonably anticipated
uses and disclosures that are not permitted by the Privacy Rule.

I want to emphasize the word “reasonably,” because we do not
expect covered entities to protect against every possible threat or hazard to
the security, or every possible use or disclosure not permitted by the Privacy
Rule. That would probably be incredibly burdensome for any covered entities.
But what we want to do is make sure that covered entities look at the threats
to their information, and determine what is reasonable for them to protect
against. We go into some more detail in that in the regulations, and I’ll go
into that.

We also expect that covered entities would insure compliance by their
workforce. It’s not enough to set up a nice series of plans and policies and
procedures, document that and put it on the shelf, and say that’s it, we’re
done. We really expect that covered entities will train their workforce, and
make sure that their workforce follows those policies and procedures to insure
that there is protection against the information.

When we designed the regulation, we had a couple of themes that we kept in
mind. First, we wanted to make sure that our regulation and our standards were
scalable and flexible. Because these standards apply to a wide range of covered
entities, from the smallest physician’s office to the biggest health plan, we
had to make sure that our standards were flexible enough so that covered
entities can take into account the size of their organization the complexity of
their organization, their organization’s capabilities and technical
infrastructure, the cost of procedures to comply with these standards, and
potential security risks.

We designed the standards so that covered entities get to take these into
account when they design their protections. We also wanted to make sure that
our standards are technology-neutral. The pace of technology change, especially
in the security area is so fast, that if we were to write a regulation, propose
it, go through the public comment process, set up a final regulation, and give
covered entities two years to comply, if we adopted a particular technology in
the regulations, that technology would be way outmoded by the time it was time
to comply with the regulations.

So, we took out any references to specific technologies. We talk about what
needs to be done in the regulations, not how or what particular technology a
covered entity needs to use. That choice of technology is up to the covered
entity.

We also wanted to make sure that our standards were comprehensive in that
we don’t address just the technical aspects, the way that a computer system has
to work, but behavioral aspects. How should a workforce act in terms of
protecting these security of electronic-protected health information?

So, how did we accomplish this in this standard regulation? We developed a
set of standards that are all required, but also included implementation
specifications that provide some more detail as to what these standards mean.
But these implementation specifications can be either required — you have to
do them — or addressable.

And what do we mean by addressability? An addressable implementation
specification means a covered entity has a decision to make in regards to that
implementation specification. A covered entity could decide to implement that
exact specification if it is reasonable and appropriate for that covered entity
to do so.

They can implement an equivalent measure, something that accomplishes the
basic purpose of that implementation specification, but is not quite the same
thing, again, if it’s reasonable and appropriate for that covered entity to do
so. Or they can decide we’re not going to implement that addressable
specification, again, if it’s reasonable and appropriate for that covered
entity to make that decision.

And those decisions are based on sound and documented reasoning from a risk
analysis that every covered entity is required to do, in fact a risk analysis
is a required implementation specification. But based on the entity’s risk
analysis, they get to decide for each addressable implementation specification,
what of those decisions to make for each addressable implementation
specification.

Now, security measures in terms of maintenance, have to be reviewed and
modified as needed to continue reasonable and appropriate protections. That
decision is made about implementing the addressable implementation
specifications based on the initial risk analysis, and we expect on a periodic
basis, every covered entity to revisit their risk analysis, and revisit the
decision that they have made on addressable implementation specifications.

So, what are the standards that we have adopted in the security standards
regulations? There are five sets of standards. We have: administrative
safeguards; standards for physical safeguards; technical safeguards; standards
for organizational requirements; and the fifth section is policies and
procedures, and documentation requirements. There are five sections in the
regulation I specified there for each of the standards. And the regulation
sections go from 164.308 through 164.316. Those are the specific standards
within the regulation.

I’ll talk a little bit about each of those sections now. I’ll give you some
detail about the standards, and the particular implementation specifications
within each standard.

The first set that we address are the administrative safeguards in Section
164.308, and these really set up the administrative structure for security
standards within an organization. The first section, 164.308 are security
management process, where we expect covered entities to implement policies and
procedures to prevent, detect, contain, and correct security violations.

And I want to try and stay as close as possible to the exact wording of the
regulation when I talk about these, so we don’t get into interpretation
questions, at least in my discussion here, and I’ll certainly welcome any
questions as to what we meant by each of these standards and implementation
specifications as we go along.

The first required implementation specification under security management
process is the risk analysis that I spoke about, the analysis that a covered
entity must do of all of their electronic-protected health information, and
systems to determine the particular risks to the information that they hold,
that they transmit, that they receive.

Secondly, another required implementation specification, a risk management
plan. How do you begin to manage the risks that are identified in risk
analysis? The third required implementation specification under the security
management process is a sanction policy for each organization. That is, what
are the sanctions that are applied to individuals within the organization when
they might violate the individual organization’s security process? And an
information systems activity review, again as part of their security management
process, another required implementation specification.

The second standard under administrative safeguards is assign security
responsibility. There are no implementation specifications underneath this. If
there is a standard with no implementation specifications, that is assumed to
be required, so every covered entity must implement this. There are no
decisions to be made about whether or not to implement that.

Assign security responsible. Each covered entity must identify an official
who is responsible for the development and implementation of the policies and
procedures that are required by the subpart for the entity. This is a security
official. It can be the same person as the privacy official. There is no
requirement that it be a same person or a different person. This is a decision
that is left up to the individual organization, but there is someone who needs
to be named and identified as the responsible person in the organization.

The next standard under administrative safeguards is workforce security,
and if it’s all right with everybody, I think we will skip the Power Point
presentation, since I think we have all got it on paper. I will make it
available to the subcommittee, if they want to put it up on the Web site or
distribute it to anybody. I’ve got it here on a disk.

MR. ROTHSTEIN: That’s fine. We’re doing just great.

MR. NACHIMSON: On page 15, we’re up to workforce security of the standard
under administrative safeguards. This is where we move into how does the
workforce react to protect the security of electronic-protected health
information. It’s incumbent on the covered entity to implement policies and
procedures to insure that all workforce members have appropriate access, again,
availability of information, and to prevent workforce members without access
from obtaining access to electronic-protected health information.

So, there are addressable specifications here to determine how to authorize
individuals to get information, how to set up clearance procedures for a
workforce to determine whether or not individuals have clearance to access
particular information, and an addressable implementation specification for
termination procedures.

When you terminate an employee, what are the appropriate procedures that
need to be set up to make sure that those individuals no longer have access to
information? They are all addressable implementation specifications, and an
organization gets to look at their particular situation, take into account the
factors I mentioned before — complexity, cost, size — determine what sort of
procedures to set up under this standard to meet these implementation
specifications.

The third administrative safeguard standard, information access management.
A covered entity must implement policies and procedures for authorizing access
to electronic-protected health information consistent with the applicable
requirements of the Privacy Rule. Each organization by now will have set up
their procedures for complying with the Privacy Rule. They know who should have
access, who shouldn’t have access.

Now, when we have electronic-protected health information in that
organization, the entity must implement policies and procedures for authorizing
access to that electronic PHI based on the privacy procedures that have already
been set up.

There is a required implementation specification to isolate health care
clearinghouse functions. That is, if a covered entity operates as a health
plan, and also a health care clearinghouse, they must make sure that their
clearinghouse functions are isolated, and individuals within that clearinghouse
have appropriate access to the clearinghouse information, and not inappropriate
access to health plan information, for example. There shouldn’t be a mixing of
that information, again, if a covered entity is doing both functions.

There are addressable implementation specifications for access
authorization. That is, how do you authorize the access for individuals. And
access establishment and modification once you determine who has, and who is
authorized for access. How do you establish that access? And how do you modify
that access as necessary?

Again, we would expect for the most part things like role-based access. You
determine what individuals, what job functions have access to particular
information, and set up policies and procedures to establish that access,
modify that access as necessary, as individuals move from position to position.
I start out as a claims authorizer, for example. What access should I have to
electronic protected health information? And then how are systems set up to
arrangement for that access?

DR. FITZMAURICE: Stan, you mentioned isolating health care clearinghouse
functions from health plan information. For a self-administered health plan,
would that also require isolating that information from regular personnel
information? So, that an employer wouldn’t have access to the health
information of its workers?

MR. NACHIMSON: That particular implementation specification does not
necessarily apply there. But the other implementation specifications about
access authorization, access establishment, and modification would apply there.
So, someone that does not have the rights under the organization’s privacy
policies to see particular information, the systems would be set up hopefully
to prevent that access. That’s where these things would be established.

MR. ROTHSTEIN: But is it your point that who gets access to that
information is determined by the organization itself, or by some objective
standard of who has a need to know that information? In other words, could a
self-insured employer theoretically adopt a policy that we have
interoperability of functions, and everybody has to potentially do everything,
and therefore, we don’t want to restrict anyone’s access to that information?

MR. NACHIMSON: I think the organization, under their privacy requirements,
they determine who can have access to that information for payment and
treatment operations. If they determine that individuals can mix, those
individuals could possibly have access to that. And it’s up to their
implementation of the security standards to implement those sorts of access
requirements. They could determine that an individual has access to certain
systems, and their security policies would set up that particular access.

MR. ROTHSTEIN: So, my question I guess following on Michael’s question is
am I correct in saying that the rule provision that we are talking about merely
requires the covered entity to enforce its own policies that it sets up, as
opposed to having some sort of standard that applies to what those policies,
and dictates what those policies should be?

MR. NACHIMSON: And I would say that that standard you are referring to,
would be within the privacy compliance. That’s where the decisions about who
has access to what information are made. The purpose of the security rule is to
set that up in the electronic environment, so that it is consistent with our
privacy policies.

They could not make one decision under privacy, and say Stanley does not
have access to that information, and then set up their information systems to
give me that access, saying, well, we made that decision consistent with the
security. No, that’s not consistent with security. It has to be consistent with
the applicable requirements of the Privacy Rule.

MR. ROTHSTEIN: Thank you for that answer, and I’m sorry to have interrupted
you.

MR. NACHIMSON: No, that’s no problem at all.

MR. ROTHSTEIN: We tend to like to ask questions at the end.

MR. NACHIMSON: I think I’m happy to do that, because this is not — I don’t
believe the Security Rule is just straightforward and easy to understand,
particularly in its relationship with the Privacy Rule. So, please, as we go
along, let’s ask questions, and I’ll expand my explanations.

The next administrative safeguard has to do with security awareness and
training. And this is where again, we move into some of the behavioral aspects.
We want to make sure that all covered entities implement security awareness and
training programs for all their workforce members including management.

So, the CEO of the organization doesn’t get to say, all right, we are going
to implement security, and I want everybody to take training, but I’m not going
to worry about it. It’s critical that every member of the organization
understand the security policies and procedures. That’s not to say that the
training cannot be customized for each level of the organization, but it is
important that every member of the organization be trained, and be aware of the
security policies and procedures in that organization.

And we give some suggestions for the types of things that should be
included in a security training program. Again, these are all addressable
implementation specifications, so the organization gets to take a look at what
their organization is, and determine what should be included in their security
awareness and training. There has to be a security awareness and training
program. The exact contents, again, are left up to the organization based on
their size and capabilities and their infrastructure.

So, password management might be important in a large organization, but may
not be as important in a single physician office that perhaps it’s just the
doctor and one other worker that have access to the computer, and access to the
information.

The next administrative safeguard has to do with security incident
procedures. There have to be policies and procedures in place to address
security incidents. If someone intercepts information that is being sent,
someone hacks into your system, you have to have policies and procedures in
place to determine what you do if there is some sort of violation of your
security, set up requirements for response and reporting of that information.

And the next administrative safeguard has to do with the contingency plan,
and this is where we get into the availability of electronic information. It is
incumbent upon covered entities to establish policies and procedures for
responding to emergencies or other occurrences that damages system that contain
electronic PHI.

It might not sound like it’s a security issue, but it really is. What
happens if there is an earthquake, a hurricane, a power failure, any number of
incidents that damage their systems that contain electronic PHI? It’s critical
for an organization to be able to continue to operate. A doctor’s office just
can’t shut down and hopefully not treat patients. We would not want a health
plan to just shut down for two weeks and not pay claims, not provide
authorization to its physicians, because something happened to their computer
systems.

So, we require each covered entity to set up a contingency plan that
includes a data back-up plan, a disaster recovery plan, their emergency mode
operation plan. If there is an emergency, how is the organization going to
operate? How are they going to access critical pieces of information?

Testing and revision procedures, and an applications and data criticality
analysis; those last two are addressable implementation specifications. We
would expect I think larger and more sophisticated covered entities to move
into those areas.

A data back-up requirement implementation specification could be for a
small office, as simple as a physician’s office backing up their information
every night, putting it on a disk, and making sure that they have perhaps a
computer at the physician’s home or some other place that they would be able to
continue their operations the next day.

The next administrative safeguard is that for evaluation. We expect covered
entities to perform a periodic technical and non-technical evaluation to
establish the extent to which their policies and procedures meet the
requirements. So, it’s not enough to set up your initial security plans and
procedures, train your workforce, and move on from there.

It is important and required under the rule that there be a periodic
evaluation of those security plans or procedures, just to make sure that you
are still protecting the information, that if there are environmental or
operational changes, you are still adequately protecting the information.

If you set up a new system, you have new processes, you have new people in
place, there are new threats to the security information, new viruses, whatever
new ways that people are figuring out how to get at the information. It’s
critical that you continue to update your security plans and procedures to
address those.

There is a requirement for business associate contracts and other
arrangements, as under the other HIPAA standards. You can have business
associates to do some of your operations. A covered entity may permit a
business associate to create, receive, maintain or transmit electronic PHI on
their behalf, but only if that covered entity obtains satisfactory assurance
that the business associate will appropriately safeguard the information.

There needs to be a written contract or other arrangement, certainly in the
case of covered entities, just to make sure that business associates adequately
protect the security of information. So, that’s the suite of administrative
safeguards. You can see that it’s fairly comprehensive.

We next move into the physical safeguards. How do you protect the physical
environment of a covered entity. Those are Section 164.310 of the regulations,
physical safeguards. The first standard is for facility access controls.
Policies and procedures to limit physical access to electronic information
systems or facilities in which they are housed, while insuring that properly
authorized access is allowed.

This is where I think we specifically maintain the balance. You obviously
have to stop certain people from coming into your organization, from accessing
your information, but you absolutely have to allow certain people to access
that information.

There are addressable implementation specifications for contingency
operations. Again, under contingency, how do you both protect, limit, and allow
physical access to information, a facility’s security plan, access control, and
validation procedures, and maintenance records?

I think the reason that these are all addressable specifications is again,
the wide range of physical plants that we have in the health care industry,
from a small physician’s office, small provider’s office, to a large health
plan that is housed in a campus or throughout a campus. The access controls are
much different if you have a small office in a building, than if you have all
of your own buildings, or you are spread out throughout the country.

The second physical safeguard is that for the use of workstations, and
there is no implementation specification here. It is a required standard. Every
covered entity must implement policies and procedures specifying proper
functions to be performed, the manner in which those functions are to be
performed, and the physical attributes of the surroundings or specific
workstations or classes of workstations that can access electronic PHI.

If you’ve got computers in your office, what are those supposed to do? How
those functions are performed, what sort of rooms should you lock them or not
lock them in. Should they be air conditioned, should they not be air
conditioned? How do you make sure that the physical workstation itself
adequately protects information, and adequately allows access to
electronic-protected health information?

In workstation security, the next physical safeguard, implement physical
safeguards for all workstationss that access electronic PHI to restrict access
to authorized users. How do you set up passwords on those workstations to make
sure that I can’t walk into any health plan, sit down at a workstation, and
start accessing electronic PHI if it’s not my job?

And again, if it is my job, how do I make sure that I can access that
information? If I have workstations that are designated for a certain job, and
that’s my job, they can be placed in a specific room, in a locked room, and
only certain people have access to that room and those workstations. It’s
important for the entity to have processes in place to make sure that the right
people have access, and the wrong people don’t have access.

If that means setting up a code, or giving out key cards, that’s perfectly
appropriate. Again, the covered entity gets to make that decision, but they
also have to make sure that access is assured for folks that do need access,
and it is prohibited for folks that should not have access.

The next standard is for device and media controls, policies and procedures
that govern the receipt and removal of hardware and electronic media that
contact electronic PHI into and out of a facility, and the movement of these
items within a facility. Again, if we are talking about PDAs that contain
information, if we are talking about diskettes, notebook computers, there have
to be policies and procedures in place to make sure that electronic PHI is not
accessed where it should not be accessed.

You have to make sure that there are policies and procedures in place for
disposal of information. It’s time to get rid of old computers. I think you
have all seen the newspaper or media reports where old computers get donated,
and all the sudden people start accessing credit card numbers, financial
records, all kinds of information.

It’s critical that health care entities, covered entities that have this
information, make sure that when they dispose of their computers, they figure
out a way that that information disappears. Perhaps the safest way is to take a
hard drive and just smash it to smithereens. Our security expert thinks that
that’s pretty much the only way to guarantee that there is no access to that.
But obviously are other software procedures that can be applied to wipe out
information.

Media reuse, same thing. I’ve got a diskette that I’m using for something.
I put information on there. That diskette could be used by another department.
There needs to be a way to make sure that electronic PHI, if it was on
diskette, and this diskette goes to another department that should not have
access to the electronic PHI, that somehow it gets wiped out.

Accountability and data back-up and storage, again are addressable
implementation specifications, but important within this area, you make sure
that if information for example is stored on these diskettes, it’s adequately
backed up and stored.

So, that’s sort of protecting the physical attributes of an organization.
We now move into the technical safeguards, which is sort of how the computer
systems should be set up to adequate protect electronic-protected health
information.

There does appear to be some overlap here. I think we use some of the same
terms. And there may even be some duplication here. If people start thinking
about access controls, they are there under physical. They are also here under
technical safeguards. They mean somewhat the same thing, but we want to make
sure that all aspects of electronic-protected health information are adequately
protected.

The first technical safeguard is access control. And there, there have to
be technical policies and procedures for electronic systems that maintain
electronic PHI to allow access only to those persons or software programs that
have been granted access rights. So, we limit access to the building, we limit
access to rooms to appropriate people, that’s one safeguard. Now, we also limit
access in the computer systems themselves.

The first required implementation specification is unique user
identification. That is, we require that access to systems is protected by
assigning each user a unique user ID. There are entities today that probably
assign organizational passwords. All right, everybody in the emergency
department, here is the emergency department password. You use that, and you
get in the emergency department systems.

Under our security standards, I think we would frown on that. We would want
each individual in the emergency department to have their own user ID and
password to access those systems.

There are questions that are now beginning to bubble up that say this may
very well impact on patient safety. It may be critical that there just be an
emergency department password, because if everybody has to remember their own
unique user ID and password, and you are going to have to sit there and wait,
and critical access to systems may be blocked.

We are starting to take a look at those questions and see how we can
balance patient safety considerations against the necessary protections for
electronic-protected health information. So, again, I think the questions are
now starting to come up as folks implement or attempt to implement the security
standards. And we are looking at those, and we’ll be issuing either through
frequently asked questions or guidance documents, our responses to that.

DR. FITZMAURICE: Is it possible without going through changes in
regulation, to make a particular requirement move from required to addressable?

MR. NACHIMSON: I would say no, not without going through changes in
regulation. That’s part of the standards, part of the official regulation. The
final answer on that would probably rest with the attorneys, but my guess is
that’s a modification to the standards that would require —

MR. ROTHSTEIN: Excuse me, Mr. Nachimson, this is wonderful testimony and we
appreciate the handout. I know my colleagues are chomping at the bit to ask you
lots of questions. So, if you could complete the presentation at a slightly
more rapid pace, that would be very helpful to us. Thank you.

MR. NACHIMSON: I’ll certainly be happy to do that. I’ll just mention each
of the safeguards themselves, without getting into too much detail, and we
should move through that.

There are technical safeguards for audit controls, keeping track of systems
activity. There is a technical safeguard for integrity, making sure that
information is not inadvertently or advertently changed; for person or entity
authentication, that is making sure that somebody getting into your system is
indeed that person. Is it really Stanley logging on here, or accessing that
information? Or is somebody just with Stanley’s password?

Protecting the transmission security. This is where we move from the
information that is simply stored within an organization, to information that
an organization either sends out or receives. I just want to mention here that
encryption is an addressable implementation specification.

That was a critical policy issue, whether or not to require encryption. It
was decided that because there is not a lot of interoperability among different
encryption systems, we would leave that addressable, especially when physicians
might want to communicate with their patients by e-mail.

There are a couple of organization requirements for business associate
contracts and other arrangements. There are certain requirements for group
health plans. And there are some documentation requirements, that’s the last
set of standards. Basically, you have to document your policies and procedures.
You have to maintain documents on policies and procedures, and other things
that are required to be documented, audit logs and things like that. There is a
six year time limit. You’ve got to keep that information for six years.

I just want to say that at the end of the regulation there is a chart —
those of you on the radio, obviously you won’t be able to see that — but for
the folks here in the room, this is an official part of the regulation. We call
that our Readers’ Digest condensed version of the security standards
regulation. I tell people that they ought to start reading this regulation from
the back. There is a nice summary of at least the standards, and the
implementation specifications, and whether they are required or addressable.

If you like, you can even make a copy of that, laminate it, stick in your
pocket and carry it around. You’ll be an instant expert on the security
standards regulation.

There are a couple of other items here, but I think in the interest of time
I’ll be happy to open it up now for questions from the subcommittee.

MR. ROTHSTEIN: Thank you very much. That was very helpful to us, and I’m
sure the listeners on the Internet as well.

Before we go to questions, I want to afford an opportunity to two people to
introduce themselves.

[Introductions were made.]

Thank you.

And now the floor is open for questions, and I believe Mr. Houston asked to
be recognized.

MR. HOUSTON: Just a little bit of background. Working for a large health
system, one of my responsibilities is information security. So, I’m keenly
interested and aware of this particular rule. I’m also working for the NCVHS,
trying to understand whether we need to have hearings on aspects of the
Security Rule. We did have one set of them already to get some general insight
as to where there were issues.

And I’m really interested sort on a general basis, first off, where the
areas you think are potentially at issue. Obviously, you mentioned one where
you spoke of the fact that there might issues related to unique IDs and access
and things of that sort. That would be sort of my first question. And I do have
some follow-up questions more specifically in other areas.

MR. NACHIMSON: That’s certainly one thing that has been raised. We have
also heard a lot of questions about security incident reporting in that
security incidents, the way that perhaps a strict reading of the definition in
the regulation could mean any type of access from the outside. There are lots
of pings that go on, I think is the technical term, over the Internet, where
folks are just sort of seeing what is out there.

And if a system is adequately protected, that’s rather an innocent
operation. But a strict reading of the definition of security incident may mean
that you would actually have to report every ping that goes on. There could be
thousands of those during the day. So, folks have asked us, do we really mean
that they have to keep track of every one of those, or is only sort of major
things that really could compromise the security of an operation.

Those are I think, two of the main issues that have gone on. There has not
been too much — there is sort of a spectrum that goes on where people say gee,
this is great, that it’s flexible. Leave me alone. Don’t give me any more
information. Just let me do my thing. And then there are others that say, well,
give me more information. Is this what you meant by a risk analysis? Or if we
do this, will that meet the requirements of the security rule?

We have tended to shy away from telling people, yes, if you do this, it
will definitely meet the requirements of the Security Rule, because it’s
impossible for an organization to tell us everything that goes on in their
organization, give us their entire risk analysis, and have us analyze that, and
determine whether that’s appropriate.

MR. HOUSTON: And each organization is unique.

MR. NACHIMSON: Yes.

MR. HOUSTON: Let me ask just a couple more follow-up questions. Simon and I
have spoken about Security Rule issues specifically related to medical
equipment. And it seems to be an area that when Simon first asked me, I said I
haven’t really heard much. And then all the sudden with a couple of months
following, it became an issue which I had heard internally a lot about.

Have there been issues so far expressed from medical equipment vendors,
manufacturers, or from other covered entities related to how do you deal with
this animal? Because obviously, you don’t necessarily have the flexibility to
put patches, viral protection software, things of that sort on equipment.

A good example is I know in my facility we use medication administration
cabinets which have imbedded Microsoft operating systems. We don’t have the
luxury of patching them, other than based upon a vendor patch. But when we have
had a number of outbreaks, a number of these cabinets have been infected, and
obviously we have tried to segment them on their own networks and things like
that.

But that is an issue, and I think as I dug a little bit deeper and talked
to some equipment manufacturers, as well as others in industry, that has been
an issue that I have seen. Have you heard anything? Has anything of this sort
come up?

MR. NACHIMSON: We have gotten I would say fairly recently, a couple of
questions on our electronic mailbox, our ask HIPAA mailbox that CMS maintains,
the questions on all the HIPAA standards except for privacy, about certain
devices. I think the last one was telemetry devices, and whether these
constitute electronic-protected health information, and whether they would be
required to follow the security standards. So, we are going to have to start
looking at that.

So, that’s I think a fairly recent item, where these things are moving to
digital — they are collecting digital information and transmitting that. And
whether or not that is a transmission of electronic-protected health
information or not.

MR. HOUSTON: I hadn’t even thought about that angle yet.

DR. COHN: I have a follow-up from a previous question. I guess it hadn’t
occurred to me that this wouldn’t be covered by the Security Rule. So, are we
to infer that you are still trying to figure out what whether it really is a
computer? Of course, your watch is a computer too these days, but the question
is obviously what isn’t a computer, and what isn’t protected health
information?

So, you are going to be starting to investigate whether this is actually
protected health information at this point?

MR. NACHIMSON: We will have to respond to individual situations and devices
to determine whether or not these are electronic-protected health information,
and these situations are or are not covered by the Security Rule, yes.
Certainly, on would expect a covered entity to hopefully err on the cautious
side and assume it is something that does need to be protected, but as these
questions come up —

MR. HOUSTON: Unfortunately, a lot of these telemetry systems are out of the
box. You don’t have a lot of control over the configuration once they are
installed, necessarily whether you can turn on encryption or turn it off. They
run on specific frequencies, and I think there is a new telemetry frequency
that is out there. So, that could be problematic, depending on how you —

MR. NACHIMSON: And there is where I’d sort of like to rely on the scalable
and flexibility option in the risk analysis, where covered entities would take
a look at these devices and say, is there a risk or is there not a risk here?
And if there is a risk, what capabilities do we have to protect them?

DR. COHN: Maybe just a follow-up and then I’ll pass it on to others. But
there is obviously the risk analysis. But then there is the issue of is it in,
or is it out of the Security Rule per se. And as I said, until you mentioned
it, it hadn’t occurred to me that it would not just by definition, be in.

So, certainly, if the department is looking at whether or not this area is
even in, and you have any question in your mind, I think you owe it to the
industry to inform the industry as quickly as possible.

DR. HARDING: On page 21, administrative safeguards, the topic of business
associate contracts and other arrangements, I was wondering — we have talked
about in this committee several times, the issue of business associate
arrangements. And one of the things here was it said that the covered entities
obtain satisfactory assurances that the business associate will appropriately
safeguard the information.

We have talked about the issue of offshore work and so forth, where someone
has a business associate agreement, but then from that point it goes into the
ether, and work is done in places that aren’t under control. Is there any
consensus coming out of all of that as to how that is going to be addressed
here in the future, the Indian or the Pakistani health care information
transcriptions and so forth?

MR. NACHIMSON: At the moment there isn’t any consensus. I know that the
department has been looking at it, and continues to look at the issue of
offshore international operations, and what reach we have, or how covered
entities would be held liable for that. Probably through the business associate
contract, but if these folks are offshore, and especially if they are not
covered entities and they are offshore, it’s still the responsibility of the
covered entity to maintain the security and privacy that information.

The covered entity would be held liable for any breaches or violations at
this point. But how it would necessarily be enforced or how the covered entity
would deal with their offshore entity, I don’t think has been decided.

DR. HARDING: I guess the phrase that caught my eye was satisfactory
assurances. And I’m sure that was very carefully selected, satisfactory
assurances that the business associate would appropriately safeguard the
information. Coming up with a definition of that is going to be an interesting
one.

MR. NACHIMSON: I would agree that that was very carefully crafted. We tried
to walk I think a fine line here. We do not want or expect a covered entity to
go in and inspect in thorough detail, the operations of any business associate.
And I’m sure that business associates at some point would almost object to
someone perhaps even walking through and going into detail of all of their
security plans and procedures.

However, there is an obligation that the business associate provide some
assurances, either written or examples of what they do to the covered entity,
so that the covered entities at least have some satisfaction that their
information is being adequately protected.

DR. HARDING: So, I, as a provider, a physician who transcribes a note on a
patient, and then that goes to a transcription service, I would ask them for
specific assurances that this information isn’t going — I don’t think there is
an answer to my question at the present time. But there is something about it
that’s my responsibility still to ask the first person anyway that I’m talking
to, to guarantee that?

MR. NACHIMSON: Yes.

DR. HARDING: If I did that, then I would have done my duty?

MR. NACHIMSON: In general, I think you would want to go a little bit
further than just asking. And if they said, yes, we’re talking care of it, I
think you would probably either in your contract or prior to signing the
contract, you would want to see some assurance that some protections were being
done.

If they said for example, we use this particular software, here is the
protection that we have, or we have a contract with this company, we have an
office that is in a building and it’s locked. Each of our employees has a key
so that they can get into the information, as opposed to well, we’re just in an
open area, and we mix our business with lots of other businesses, and the
person at the next desk that is dealing with agricultural information, for
example, can easily lean over and see what is going on. I think you would want
to go a little bit beyond than simply a yes or no.

MR. REYNOLDS: Having implemented all of the HIPAA transactions so far, I
would like to commend everybody’s work on this particular regulation. I think
that different than privacy and transactions, you kind of had to say how to do
business. And I think in this one it puts a nice framework around what you need
to think about, and how you need to approach it, but it has not been nearly —
especially for large entities — it has not been nearly as burdensome to
implement as anything else that we have had to deal with in HIPAA by a dramatic
step.

Most large entities are getting audited on a continuous basis, especially
with all the concerns — John brought it up — with viruses and everything
else. You are constantly getting evaluated, and you are constantly having
outside auditors come in and look at how your systems get accessed, and so on.

So, I think this one, I think you have set up a really good structure, and
in our case it’s actually easy to align to, especially with the addressable and
required. So, I think as we look at future standards, this isn’t a bad way to
look at it, because it doesn’t tell anybody how to do business. I know it
raises some questions, but it really doesn’t.

But a couple of questions. Role-based is an easy word to throw out, but
more and more as companies look at the fungibility of their staff, so that one
— I’ll just use our example — one day somebody is a claims processor. The
next day they go to customer service. But if you were to get a glut of claims,
they could go back and do claims.

So, as a customer service representative they might do this, and as a
claims representative — as long as any entity is able to answer that the
person, whatever job they are doing, they can access the data that they can
access, you can validate that based on their responsibility. Role-based gets a
little fuzzy.

So, I think as you throw out role-based, more and more when people are
trying do the accordion thing, where if I have this much work, they do this, if
I have this much work they do something else, in today’s world, role-based kind
of loses the meaning that it had maybe 10 years ago, where somebody was hired
to do this, and they just did this. You are having to really cross-train people
to do more things. So, as you think about it, a little bit like Simon said, as
you talk about role-based to the industry, it is probably a little different
now than it was.

Business associates, back to Richard’s question. Do people have to go as
far with business associates, to talk about disaster recovery? Or that the
industry gets an affirmation that somebody understand the rule, they are
secure? Or do you have to go as far as to evaluate their whole disaster
recovery situation?

MR. NACHIMSON: I think that’s one of these decisions that is primarily left
up to the covered entity in their analysis of their risks. They need to make a
decision for themselves, what’s the risk here, who am I dealing with, what type
of assurances do I really need to make sure that I can continue my operation,
and that my information is collected?

I wouldn’t necessarily set up a checklist of every question that every
covered entity would need to ask. It would depend on what the business
associate is doing, the relationship with the business associate, the
information that is going back and forth.

MR. REYNOLDS: Again, going back to Richard’s question, there are levels of
offshore that people deal with. You deal with an offshore company that the
employees are the employees of a US company. And then you have an offshore
where they are not.

Do you see a distinction that it’s a stronger environment where the
offshore are employees of a US company, and that US company itself certifies
that they meet the HIPAA rule, versus somebody in another country that is
completely outside the jurisdiction of US law, completely outside the
jurisdiction of what’s going on? Do you see any difference in that?

MR. NACHIMSON: I don’t feel capable of really answering that question, not
having dealt with those entities. I would again, leave that up to the judgment
of the individual covered entity to understand who it is that they are dealing
with. To understand what the risks are, and what the assurances are that they
might need.

If I can just respond a second to the role-based question, which is an
excellent point. And that gets into some of the auditing. I think if an entity
allows multiple roles for an individual person, as long as they can go into
their system and say, on Friday Stanley accessed the system as a customer
service representative, and got into this information, or got into this system.

But on Thursday, he accessed the system as a claims processor, and both
accesses were appropriate, I think that’s perfectly okay. So, there are sort of
multiple layers of protection and standards here, hopefully that are flexible
enough to handle situations like that.

MR. REYNOLDS: Mark, my final question, and you just played on it. The
system activity audits, which could become dramatically burdensome. If
companies have to track every single person that did every single transaction,
then it doesn’t really matter what their role is, and it doesn’t really matter
what you set them up on. You are following them around on every transaction.
And if you have to audit that on a continuous basis, you are talking about an
incredible amount of data, and an incredible amount of information.

So, back to the hierarchy, which is hard to really get a complete handle
on, if you allow somebody to be in the system, and you teach them about
security, and you have their management agree that that’s what they could do,
so what level do you have to actually, every single day — if you think of the
transactions in hospitals, doctors offices, and payers and clearinghouses,
because once you capture that data, and your example is perfect.

If I have to know that on Thursday Simon did this, and on Friday Simon did
that, I have to have somebody auditing that every day, otherwise I can’t tell
you that somebody has met it. So, that’s the one area to me that is so gray,
that it’s almost getting opaque, because that amount of auditing decides the
cost.

So, if you set up a corporate structure, whatever you are, and you say here
is how we are going to know that people access it, and you have it audited, and
you do everything else, but your answer again, keeps taking it down to that
level where somebody has got to track every person, every day in everything
they do, and that is not where the world tends to live.

MR. NACHIMSON: My response to that would be every covered entity needs to
do their risk analysis, and set up a system that reasonably protects against
unauthorized access. That’s an individual company decision that you or anybody
would make, and say it would be incredibly burdensome for me to track every
instance of systems activity, every access by my employee.

I’m comfortable, or I’m reasonably comfortable that I’m protecting against
this set of risks, and I don’t need to do that. Now, you may have a history
where in a department or in some area that there has been a series of break-ins
or a security incidents. In that case, you may decide, based on your risk
analysis, I need to be a little bit more careful in this area.

MR. REYNOLDS: But that becomes incident-based?

MR. NACHIMSON: Yes, absolutely.

MR. REYNOLDS: Thank you. I think that position, if it would help the
industry, which is kind of your continuous position, and I think that’s what is
good about this rule, is you leave it up to the entity to decide what their
liability is.

MR. NACHIMSON: And again, we try to emphasize the reasonableness of the
protection, and listed the factors that entities can take into consideration in
designing their security plans and procedures.

MR. REYNOLDS: Mark, thank you.

MR. ROTHSTEIN: At this time, let me ask for staff questions, and then we’ll
have a second round of subcommittee questions.

MR. FANNING: Is there any equivalent for paper records? I know the statute
probably doesn’t command you to write something, but in fact a great many
records are on paper. And there are a lot of bad stories about information
being disclosed. The late Queen Mother of Great Britain had both hips replaced
over the course of her life, and her orthopedic surgeon left the records in his
car. The car was broken into and they were stolen, probably to get the leather
brief case. But be that as it may, that is a security breach. What about the
paper side?

MR. NACHIMSON: Let me answer that in two ways. In the Privacy Rule there is
the so-called mini Security Rule, which requires covered entities to set up
appropriate technical, administrative, and physical safeguards to protect the
confidentiality of protected health information.

Now, the Privacy Rule applies to all information beyond electronic. So, one
could say that there is at least a mention or an assumption that there is some
security, going down the HIPAA security, that covered entities are already
setting up some procedures that they are putting in place for the rest of their
protected health information.

The second, I think it’s reasonable to ask why didn’t we have protections
for the paper in the HIPAA Security Rule? We did have a proposed rule, and I
think the initial reading that we got was that the standards should only apply
to electronic-protected health information based on a reading of the law.

We got comments in on the proposed rule about applying it to paper
transactions. There was a feeling that it was incumbent upon us to first get
out protections for electronic-protected health information. That it would be a
completely separate set of protections that would apply to paper records. And
we would wait to see first how the electronic standards were being implemented,
and see if there was a need beyond what is mentioned in the Privacy Rule, to
set up standards for paper-based records.

So, I think the department is sitting back and seeing whether there needs
to be a regulatory set of standards for paper information. And I would say the
jury is probably still out on that, but I’ll just leave it at that.

MR. FANNING: I do think that some elements of this regulation point that
direction — controls on physical media and so on. And a thoughtful
organization would know how to apply them in the paper situation as well. But
this is an especially useful guide, in addition to being a command.

MR. NACHIMSON: Thank you. And I would also say that there is nothing in any
of the HIPAA regulations that prohibits an organization from applying
protections like this to their paper records. We continue to emphasize that
even the security standards are good business practices that organizations
probably should have implemented even without the HIPAA security standards.

MR. ROTHSTEIN: Additional staff questions? Amy, Evelyn? Okay, John.

MR. HOUSTON: I wanted to go back to the issues that Harry had brought up
specifically related to some of the effort to police role-based security and
things like that. And there is saying that three-quarters of the questions out
there are actually statements. With fear of just making a statement, I guess
I’m going to try to ask a question.

MR. ROTHSTEIN: Well, make you statement in the form of a question?

MR. HOUSTON: I am concerned about the practicality and the cost of
role-based security, as well as audit controls and things of that sort. And
working in an organization with literally hundreds of systems that manage
clinical information, one of the things that I know I have found is that there
is a wide variance in how the capability of vendor software, in terms of even
being able to do role-based security.

And that, coupled with both the system capacity issues related to doing
logging and turning on those controls, and then coupled with the fact that when
you do turn them on, sometimes you get the unintended consequence of getting in
the way of delivering efficient, quality patient care. You have an environment
where I know we have made conscious decisions to impose less security within
certain systems, because of those other impacts.

Clearly, there is a concern that where is that edge? And depending on who
is interpreting it, we could have to buy a lot more computer hardware to
support some of these processes, as well as to try to figure out a workable
process to audit some of these things. Because I think as Harry indicated, even
assuming that everybody has the role-based access they need, in a nursing unit,
nurses see many, many patients. They may move around a good bit.

You have a physician that has to do a consult. He may not have a
pre-existing relationship with the patient, but he is brought in, in the middle
of the night to do consult, and he looks at the record. How do you know whether
that was appropriate? If you really have to do auditing, somebody should be in
there looking at all of those things, and that’s a lot of access. That’s a lot
of things that need to be looked at.

This is a problematic issue. I’m sort of concerned with at one level, sort
of the official stance sort of embodied in the presentation, and I’m sort of
encouraged by what you had said in response to Harry’s questions. But I just
sort of what to put on the table, well, have you talked to vendors, or have you
tried to do assessments of the impacts on a range of different covered entities
to determine what is the impact of these specific provisions?

And again, very specifically, role-based security, access control, audit
controls, integrity, I think those are the areas where I’m concerned. So, there
is a statement. To make it a question, what are your thoughts?

MR. NACHIMSON: I think people seem to be focusing on the role-based, and I
don’t believe that there is anything in the security standards that actually
requires role-based access. There have to be access controls. If role-based is
a problem, covered entities can make the decision not to do it role-based, but
there still do have to be access controls.

Let me sort of go back to the beginning of the Security Rule. We spent
quite a bit of time in discussions with other government agencies, with private
sector entities in crafting these standards, and publishing the first set of
proposed rules, where a number of meetings with industry. That went on, and in
finally crafting the final rules.

I think your concern was really what was expressed to us, that there is the
possibility of incredible costs if there were strict security. That it
interferes with patient care, with patient safety and other items. And that’s
why we made the decision to first state that things should be reasonably
protected. And then give covered entities the decision-making power themselves.
That they must do a risk analysis and set up a risk management plan. There’s no
question about that.

But you as a covered entity, get to look at your situation, and decide how
you are going to protect that information reasonably and adequately. You get to
make decisions that it’s too costly to do this, therefore, we are not going to
do it. Here is an alternative way of doing it.

Or, we have operated this system for X number of years. There has never
been any compromise in the security. We don’t expect there to be any compromise
in the security. Nobody else can get to the information or is interested in the
information. Therefore, no additional security procedures are necessary. Here
is where we should look at some additional auditing, but here is where we
really don’t need to do any auditing. The question do come to us what is
enough? And the answer has been it depends on your situation.

MR. HOUSTON: Will your answer be expressed in an FAQ at some point? Because
I think that those types of comments are of great importance to the industry as
it tries to comply.

MR. NACHIMSON: There are a series of FAQs that are going through the
departmental clearance process that hopefully will expand a little bit on this.
Off the top of my head, I don’t remember if that exact answer is in there, but
through our presentations, we continue to emphasize, and even to individual
answers to ask HIPAA questions, the question comes into, should we do this? The
answer, it’s almost becoming a generic answer, you need to do a risk analysis
and determine whether that particular solution is right for your situation.

MR. HOUSTON: But your exact dialogue to me is very insightful as to the
types of analyses we should go through.

DR. COHN: And this is just really a follow-up of this issue. I’m listening
to the CMS and the federal response, but I’m also aware that really beyond the
federal government there is going to be a lot of accrediting organizations that
are going to take and audit organizations against these rules.

And they may not have quite what Stanley is thinking in here, because
clearly they are going to be wanting to look at your facility, and look at your
various systems and capabilities and security implementations. And so, I think
from what you are expressing as your concern, you would need to be probably be
as concerned about accrediting organizations and what their upcoming plans are.
And this may be something we should ask them.

MR. HOUSTON: Absolutely. And I think even from auditor to auditor on some
of the compliance engagements, when JCAHO comes in, it’s radically, depending
on who comes from JCAHO, what they look at, how deep they dig on certain areas,
and what their individual philosophies are, based upon their backgrounds. And I
think those are things that again, a little bit of guidance.

Again, I liked what you said. I really liked the way you said it. I hope
that that gets expressed in terms of an FAQ.

DR. HARDING: One of the things that has always intrigued me is scalability.
And it has always been kind of pressure valve release for a lot of people for
HIPAA. I don’t have to do as much as Blue Cross does in my office, and so
forth.

I remember we had a gentleman who testified before this group in Utah who
was an administrator of a small hospital, and we still aren’t sure if he was
packing heat or not when he came in, because he was pretty ticked about the
things that he perceived that he was going to have to do for the privacy
things, that he would have to be just like Johns Hopkins Hospital in effect, in
his little store is southern Utah.

Is it true, or is it appropriate to think that scalability is purely
justified by a self-evaluation of the covered entity? That they can scale
things if they can state that they have thought it through? Or is there more to
it than that scalability?

MR. NACHIMSON: The size of the organization, their capabilities, and the
cost of complying with those are some of the factors that we allow them to take
into account. I don’t think you can simply say because I’m smaller I don’t have
to do as much. Those are factors that go into your risk analysis and risk
management plan.

Take a look at your risks, and then determine how you can address those
risks, taking into account the factors of size and complexity of your
organization.

DR. HARDING: It’s a self-assessment?

MR. NACHIMSON: It is a self-assessment, but it’s not just, hey, I’m little,
I don’t have to do as much. Here is the risk analysis, here are the risks. I’m
small. I don’t anticipate a lot of people — I’m a small organization and I
hold a small amount of information. I don’t anticipate a lot of outside hackers
looking at me, because I only have a small amount of information. Therefore, I
probably need as extensive a set of protections as Johns Hopkins or Blue
Cross/Blue Shield of North Carolina, that hold lots of information.

So, that’s a decision, a factor that they do get to take into account. The
fact that I don’t have three security specialists on staff to design all of
these things, I have to rely on off-the-shelf software or outside vendors, I
don’t have the time or the people to devote to that, so I may not be able to
design as extensive a security program as a larger organization. So, they can
take those things into account, but only, I would argue, in the context of the
whole risk analysis, risk management plan.

DR. COHN: Obviously, we are getting close to the end of the session. I
actually want to go back to John Paul’s I think initial question, which is of
course we’re asking for this briefing in the context of planning out hearings
in the future on the security rules.

And I think John Paul started out by asking well, what current issues are
you seeing. With these 41 pages of slides, it doesn’t tell us much about the
issues. It tells us more about what is in the Security Rule. And we heard from
you your response of what you are sort of seeing currently.

What I’m actually curious, just as we look forward between now and next
April, which is the implementation date, knowing that we are nine months from
implementation, I’m just curious from your perspective at this point, there are
many ways to take the fact that we are not seeing a lot of complaints, a lot of
issues coming up. One might be that everything is really kopacetic(?) and
working, and we’ve got five issues and we’re working them, and everything is
fine.

Another might be that everyone is still trying to implement the claims
transaction, and the other administrative and financial transactions, and they
haven’t really started paying much attention to this yet. And that we are
really going to be seeing a flood of activity over the next nine months, and
issues associates with that.

I’m just curious if you have any perspective on all of this stuff, and if
you have any thoughts about timing of occasions to hear from the industry of
what might be helpful or otherwise?

MR. NACHIMSON: I think there are a couple of things that might explain why
there aren’t a whole lot of issues, some of them negative, like everybody has
been so attuned to getting their claims transactions ready, that they haven’t
paid any attention.

But I think that there are some positive things that one, because we worked
a lot with the industry on the security standard, there is not a whole lot of
things that are brand new, that are surprises in here. There are a number of
things that entities were already doing. Entities have been doing risk
analyses. That’s a standard security thing. They have been doing risk
management plans. They have been doing some role-based access. There is some
auditing in place. So, a lot of these things, entities have already been doing,
even before HIPAA.

Number two, because of privacy, there was already a focus on protecting the
confidentiality of information. Some of it through plans and procedures, but
some of it through computer protection. So, they have already been doing some
of that in complying with privacy.

Thirdly, I think because of the scalability and the flexibility, there is
not the hard and fast rule about gee, we’ve got to do this on security, and how
the heck are we going to do it? Because we’ve got a little bit of flexibility
in it, even the smaller entities could say well, it’s not a $250,000
proposition. There are some simpler ways for me to go ahead and do this. So, I
think those are some reasons why there is not the hew and cry.

We have been looking at, and will continue to look at the volume of
questions on Ask HIPAA for example, and the phone calls that we get. It has
stayed rather steady in terms of security. There hasn’t been a big explosion in
the last couple of months, although we are starting to see a few more questions
about security.

I would sort of say in terms of timing, we have been telling people it
takes probably nine months to a year to do a good security program. That means
that they should have already started at least doing their risk analysis. Six
months out from the compliance date I think would be an interesting check point
to say, all right, how far along are you? Have you done your risk analysis?
What have you found? What are your plans?

We are also monitoring some of the industry surveys. The Phoenix Health
Organization, for example, not only are they monitoring transactions
implementation, but they are also monitoring security implementation. And at
least in their survey, which admittedly might be biased, because it’s people
that are sort of paying attention to HIPAA, their most recent survey seemed to
indicate that the vast majority covered entities would be compliant by the
April 2005 compliance date.

Now, admittedly, it’s self-reported information. I don’t know how many
people are going to call even an independent organization, a non-government
organization and say, I’m not going to be ready. And it was somewhere around 80
percent said yes, they started, and they planned to be ready by April 2005.

It’s easy to say that nine months to a year out ahead, but still, it was
rather heartening, at least on our point, that people are not saying this is
impossible, this just won’t work for us. We are never going to be able to make
it.

I tend to think that again, because of the scalability, the flexibility,
the technology neutrality, that people will have an easier time implementing
this than privacy or transactions and code sets. But we continue to go out to
lots of conferences and things like that, local and national, and I think it’s
just sort of steady stream that there are more security conferences these days,
because we are over the big transactions hump, but most of the questions that
we are getting are gee, now that I have done this risk analysis, is this the
right way to respond to it, rather than how do I start thing?

At this point, I think we are relatively satisfied, but things could change
in a heartbeat. So, we will, from a CMS standpoint, monitor not on the Ask
HIPAA mailbox and the questions that we get on the phone, but the outside
surveys and reports that we get from entities.

MR. ROTHSTEIN: I have one last question for you. Before the compliance date
for the Privacy Rule, the NCVHS made a recommendation to the secretary that at
some level in the department, there be established some way to evaluate with
some degree of scientific rigor, the consequences of the Privacy Rule, its
effectiveness, its gains in terms of protecting privacy, its costs, its burdens
on health care, and so forth.

And I was wondering, now while we have a window before the Security Rule
goes into effect, the question is has there been discussion about establishing
some sort of ongoing system to study the consequences of the effects of the
efficacy of Security Rule, either internally, or through some sort of grant
system with another agency, or even conceivably the public?

MR. NACHIMSON: That what I’m aware of. We are currently working on the
enforcement procedures for security, coming up for April, to have those in
place. And we have the ongoing discussions again with outside organizations
that either volunteer or think about doing that themselves. But I’m not aware
of any plans in the department or in CMS to do that particular evaluation.

I’m sure as the day gets closer, there will be more people asking that
exact question. I think that’s more of a longer-term issue that you not be able
to make any decisions in April 2005, or even November 2005, but perhaps a year
or two further out, and surveying organizations as to the number of security
incidents, and things like that.

MR. ROTHSTEIN: Well, even though that was phrased as a question, perhaps
you saw something besides a question in that.

I will now recognize that we are scheduled for a 15 minute break, which we
will take now, and then resume with the marketing panel.

Thank you very much for your testimony.

MR. NACHIMSON: Thank you. I appreciate the opportunity.

[Brief recess.]

MR. ROTHSTEIN: Good morning, we are back in session now. And we are now
beginning our first of three panels. And before we start on the first panel, I
want to review the subcommittee’s procedures. We have asked each of our invited
witnesses to take 10-15 minutes to give prepared testimony. If need be, I will
give you a one minute warning. And after each witness, subcommittee members
will have an opportunity to ask questions for clarification, and then we’ll
have our main discussion after both witnesses have finished.

You have two weeks to submit additional written testimony to Marrietta
Squire. And I would ask people with cell phones to turn them off, and remind
the witnesses to speak clearly into the microphones for the benefit of our
Internet listeners.

Before we begin this panel, I want to note that this is the first of two
panels that we have today dealing with topics that we have discussed
extensively in the past. And it’s good to see that some of our witnesses in the
past have still been willing to come to talk to us again today.

And the purpose of these hearings, the first two of the three at least,
certainly is to ask the question well, what has changed, if anything, since the
last time we talked to you? And do you have more information for us about how
the implementation has gone?

Has it gone better or worse than expected? What problems have you
encountered? What recommendations or additional comments do you have that the
subcommittee should relay along to HHS, et cetera? So, I’m sure you get the
idea.

So, first I would like to call on Mr. Bell from the National Association of
Chain Drug Stores.

Agenda Item: Marketing – Panel 1

MR. BELL: Well, thank you very much for inviting me back to testify this
morning. I was looking back over my old testimony. I think it was three and a
half years ago, and I was actually testifying on a prior version of the
marketing provisions of the HIPAA Privacy Rules. And it was a very different
version, and for us anyway — I represent pharmacies — a very confusing
version.

But I wanted to thank the subcommittee number one, for inviting me back.
But number two, also for helping with the clarification and revision process
that, as far as our members are concerned anyway, has led to much better
marketing provisions of the HIPAA privacy rules.

So, with that I’ll start, and just introduce myself. I’m Don Bell. I’m
general counsel for the National Association of Chain Drug Stores. NACDS is an
association of pharmacies. Our members operate well over 32,000 pharmacies, and
employee over 100,000 pharmacists. And initially I just wanted to reaffirm that
pharmacies do recognize the tremendous value of protecting patient privacy. It
is an important part of the professionalism that all of our pharmacists live
with and practice every day.

And it’s also just a good business practice. Pharmacies know that they can
attract customers only when the public trusts them to protect confidentiality
of medical records. So, NACDS members anyway, have no interest in adopting
marketing strategies that will endanger that trust.

Now, the marketing provisions of the HIPAA privacy rules of course, attempt
to limit the misuse of protected health information. That’s an appropriate,
laudable goal. In pursuing that goal, of course though the government should
not restrict the health care communications between patients and pharmacists.
And to my mind, that is the essential tension that we have here. We need to be
able to distinguish between marketing and health care communications, and
that’s not always a bright line that separates those two types of
communications.

The HIPAA privacy rules define marketing in part as to make a communication
about product or service that encourages recipients of the communication, to
purchase or use the product or service. Well, that’s a pretty broad definition,
because encouraging a patient to purchase or use a product or service is a
common aspect of many communications by health care providers.

And again, the distinction between marketing and advertising on the one
hand, and health care communications on the other hand is not always separated
by a bright line. Let me give you one example of that. A pharmacist may
encourage a patient with diabetes to use a glucometer. And that is performing a
valuable health care service.

It is also possible though that if the pharmacy then sells that glucometer,
it will profit from it. So, is advocating the use of that glucometer marketing,
or is it a health care service? Our pharmacy members would say that that’s
predominantly a health care service, but it would also seem to fit into this
fairly broad definition of marketing that is in the rules.

Now, I believe it would also fit within one of the exceptions that I will
discuss in a couple of minutes. But you can see I think, the tension here
between being able to draw that bright line isn’t always there. But our
experience is that informed consumers make better health care decisions. So,
it’s important for pharmacists to be able to inform consumers about the
availability, quantity, quality, and price of health care products and
services.

Now, as I mentioned, since I testified back in 2001, this subcommittee has
helped quite a bit with clarifying the rules. And for the most part, we believe
that the Office for Civil Rights has appropriated characterized important
pharmacy communications as health care communications, rather than marketing or
advertising.

And what I would like to do is just briefly go through some of the examples
of the most common communications that pharmacies and pharmacists have with
their patients, and describe how we believe those fit within the marketing
limitations.

One of the most common is refill reminders. When a patient fails to follow,
maybe fails to get a prescription refilled as ordered by their physicians, a
pharmacist may call or write the patient to remind them of their doctor’s
orders. And rather than charge patients for these reminders, a pharmacy may be
paid by a third party such as the drug manufacturer or a PBM.

And there is no need to disclose the patient information to that
manufacturer or the PBM. So, as far as I know, that does not occur. There is no
protected health information going from pharmacies to a manufacturer or a PBM
with regard to these refill reminder programs.

Now, studies show that these refill reminder programs save lives, the
literally save lives. They also save money, because patients who take their
medications as prescribed by their physicians are less likely to end up in the
hospital. So, we believe that OCR has correctly determined that refill
reminders are treatment activities. OCR wrote that it is not marketing when a
pharmacy or other health care provider mails prescription refill reminders to
patients, or contracts with a mail house to do so. So, refill reminders is one
of the most common types of communication.

Another common type of course is simply recommending medications. Patients
often come up to their local pharmacist and ask which medication they should be
taking for their particular medical condition. And recommending a drug to a
patient is a perfectly legitimate health care activity, even though the
pharmacy may end up making money if that medication, if it’s a prescription, is
ultimately prescribed and then filled by that pharmacy.

But we do believe it is a legitimate health care activity, and for that
reason, OCR, we believe, has correctly determined that “recommendations of
specific brand name or over-the-counter pharmaceuticals are not
marketing.”

Now, another example of communications that is sometimes controversial is
called recommendations of alternative medications, what is sometimes called the
switch programs. And when a patient is taking an expensive brand name drug,
pharmacists may inform them about generic drugs that have the exact same
ingredients, but cost much less.

Another similar example is when a pharmacist informs a patient about other
medications that are biologically or therapeutically equivalent to the drugs
they are taking, but maybe they have fewer side effects, or maybe greater ease
of use. And these communications also help patients with their health care, and
help them save a tremendous amount of money, and provides options to patients.

Again, with these drug substitution programs, as they are called, there is
no need for the pharmacy to give protected health information to the
manufacturer itself. And again, as far as I know, that doesn’t happen. And I
have talked with all of our major members about this, and many of our smaller
ones as well. I don’t know any of them that provide protected health
information to the manufacturers as part of these therapeutic interchange
programs, or the refill reminders for that matter.

Recommending other health care products is another common communication
between pharmacists and patients. For example, OCR has written that informing
an individual who is a smoker about an effective smoking cessation program is
not marketing. And that is true, even though the pharmacy itself may have those
products for sale.

Counseling and drug utilization review, obviously some of the most
important categories of communications that pharmacists have with patients.
Pharmacists will counsel their patients about the proper use of prescription
medications, will conduct drug utilization review to prevent drug interactions,
and insure that their patients are properly taking the appropriate medications.

And we believe that HHS has correctly categorized those as health care
communications, rather than marketing communications. HHS wrote that
pharmacists’ provision of customized prescription drug information and advice
about the prescription drug being dispensed is a treatment activity. I won’t go
through all that they have said on that, but we can follow-up if there are any
questions on it.

A final category I will talk about is disease state management and wellness
programs. These are self-help programs like diabetes self-management training,
and similar disease state management training. We believe those also should be
included within the exception for treatment. For example, without obtaining
patient authorizations, a pharmacy should be able to compile a list of patients
who purchase diabetes medication, and send them letters suggesting that they
receive diabetes self-management training.

And we believe that at least in the December 2002 guidance, OCR suggested
that most of these program, not necessarily all of them, but most of these
types of programs would be not within the definition of marketing.

So, despite a lot of alarmist rhetoric that we have heard in the past about
how health care providers might misuse protected health information, and it is
true, they might, and I’m sure some of them do, but the examples described
above include the vast majority of the real life examples of pharmacies using
prescription information to communicate with patients. And these communications
help patients. So, the vast majority of patient communications by pharmacies
lead to better informed and healthier consumers.

Now, the last thing I want to do is talk about a new privacy best practices
guide that is being issues sometime this week, maybe today by the National
Consumers League. I would recommend that the subcommittee look over that new
privacy best practices guide before making any recommendation to the larger
committee.

The National Consumers League or NCL is a private, non-profit consumer
advocacy organization that has been representing consumers for over 100 years.
The best practices guide that they are going to release this week is entitled,
“Health Care Communications Provided by Pharmacies: Best Practices
Principles for Safeguarding Patient Privacy.”

Now, there are a couple of important things I think, about this best
practices guide. One is that the NCL best practices guide does recognize the
importance of pharmacy communications to patient health. The NCL best practices
guide notes the importance of providing useful information about prescription
drugs, encouraging prescription compliance or adherence through refill
reminders and other methods, recommending treatment alternatives, adjunctive
therapies, and providing disease state management communications.

For example, the NCL best practices guide states that it has been firmly
established that communicating with pharmacy patients about the importance of
adherence to therapy, including refill reminders, has important proven benefits
to individual patients, to the public health, and to the economy. And so, the
best practices guide concludes that a consensus exists among pharmacists,
Congress, FDA, health care experts, consumer groups, and patient advocacy
groups that there is a critical need for improving patient access to reliable
and understandable health care information.

So, one thing that I think is important about this new best practices guide
is that it does recognize the importance of these communications between
pharmacists and patients.

Another aspect that I believe is important is the fact that it provides an
alternative to more mandatory regulations. NCL’s best practices guide creates a
voluntary framework for additional privacy protections, and if consumers feel
the need for additional privacy protections, then the market will reward
pharmacies and adopt best practices guidelines, such as the ones being issued
by NCL this week.

So, although the NCL best practices guide is just being released this week,
so far the response from pharmacies has been very promising. We believe, in
conclusion, that a voluntary, market-based approach by a trusted consumer
advocate is better than rigid new regulations.

So, I want to thank the subcommittee for considering my testimony, and be
happy to answer any questions you may have.

MR. ROTHSTEIN: Thank you.

Any clarification questions from the subcommittee? Hearing none, I
recognize Ms. Pritts. Welcome back.

MS. PRITTS: Thank you.

I would like to thank you for the opportunity to testify today on the
marketing provision in the federal Privacy Rule. I think you made a wise choice
in selecting the individuals that you have testifying today, because I must say
that my impression of the privacy rules is drastically different than that of
Mr. Bell’s.

I have heard today, and I have heard repeatedly during the discussion of
the marketing provisions of the Privacy Rule, that the use of protected health
information for marketing purpose is not really a privacy issue, because you
only disclosing the person’s information back to the patient themselves.

Well, in order to put this into some context, I would like to go back to
the Fair Information Practice Principles. These are well established
principles. They were developed way before the Privacy Rule ever was even
contemplated, and they are very well accepted, not only in this country, but in
the European Union.

One of the basic principles of the Fair Information Practice Principles is
choice. And I’m going to paraphrase an FTC report on privacy online. They
drafted a report to Congress. At its simplest, choice means giving consumers
options as to how any personal information collected from them may be used.
Specifically, choice relates to secondary uses of information. That is, uses
beyond those necessary to complete the contemplated transaction.

Such secondary uses can be internal, such as placing the consumer on a
mailing list in order to market additional products, or external, such as
transfer of the information to third parties. Those would be used in disclosure
under the Privacy Rule. But under the generally accepted principles included in
the Fair Information Practices, an individual should have the right to choose
how their information is used for a secondary purpose.

I would say to you that when a person goes to a doctor or a pharmacist, and
they get a prescription, and then they get it filled, they expect that to be
used to treat them. And a secondary purpose for that would be to sell them
other things.

Now, I will agree that there cannot be a bright line drawn on this issue.
We all would agree that it would be marketing for CVS to sell its patient list
to Disneyworld to sell vacations to Disneyworld. That is clearly marketing.
That has nothing really to do with health care.

On the other end, you know that it’s not marketing when a pharmacist says
to a patient, gee, your doctor prescribed the wrong medication here. You could
have a serious interaction here. We should switch this medication to another
one. There is no monetary motive behind that. That’s all involved with patient
care.

There is a huge area in between there that is really very gray. And there
are practices that are at one end of the continuum and on the other. And I
would say that the practice of sending an individual information on new drugs,
only because the patient has a medical condition, and the provider is getting
paid to send them that information, should at least be disclosed to the
patient.

And people have very serious concerns about this. The Fair Information
Practice Principles weren’t drafted in a vacuum. People have concerns about how
their information not only is disclosed to others, but also how it is used.
When you look at some of the major news stories that came out not too long
before the Privacy Rule came out, you have Eckerd in Florida sending a
gentleman switching letters for his HIV medication. He sued them. He thought
that that was a violation of his privacy.

You had I believe it was Walgrens sending patients samples of Prozac in the
mail with switching letters, encouraging them at the end of the patent for the
daily version of Prozac, to switch to weekly Prozac, because now we can get our
money through the protected patent aversion. And again, this wasn’t necessarily
information that was sold to a drug company. It was information that a doctor
and a pharmacist were getting paid to use in order to market a particular
product to a patient.

In these circumstances, it’s not like somebody ever sat down, really looked
at these patients’ medical records, and determined that these particular drugs
would be good for the patient. That would be called treatment. What they did is
they selected patients who had particular medications, and they received
payments from somebody else to tell them about an alternate treatment. And on
the continuum, I would say that that falls more closely to marketing than it
does to treatment.

Patient reaction to this I think supports that view. I would like to quote
one of the consumers who received one of these switching letters, and his
wasn’t even what we would consider a serious medical condition. He had
psoriasis, and he started receiving all these alternative treatment
solicitations in the mail.

He says, “I feel my privacy was violated. It seemed pretty clear to me
that either the physician or pharmacy had released my name.” Now, the
truth is he is probably not right. They probably didn’t have to release his
name. They were probably just doing it themselves. But what it does is it
erodes the trust between the patient and the pharmacist, and the patient and
the physician. They think that their information is being sold and bandied
about without any consideration of their privacy.

Now, looking at how the Privacy Rule addresses these issues, we all know
that they require authorization to use and disclose protected health
information to a third party for marketing. And that if the marketing involves
remuneration, the authorization must say so on its face. Of course they go
ahead and go on and then they define marketing in such a way that they exclude
many of the actual activities that we just described. They would exclude things
that many people consider to be marketing activities.

And because of the way that health care operations is defined, indeed when
you add it all together, pharmacists and doctors are allowed to use these
materials and protected health information to encourage people to buy products
simply because somebody is paying them to do so.

So, does the federal Privacy Rule improve, or at least preserve the trust
between the provider? In some ways yes, and in some ways no. The good thing is
that they can’t sell the information. That’s pretty much the most egregious
violation, is when this information is being sold and marketed.

And has the Privacy Rule made a practice in that? It’s really hard to tell.
I mean as Mr. Bell was saying, most of the pharmacies say that they don’t sell
the information. The public, including scholars and reporters have had a really
hard time figuring out how pharmaceutical companies actually get this
information. People who work for these companies generally sign confidentiality
agreements when they leave, and this is like a huge trade secret as to how this
information really flows.

But I have been to so many presentations where doctors come up to me and
they ask me, how is it a pharmacy representative comes into my office, they
know all of my patients that are on a certain medication? How does that happen?
And I can’t answer that, and many people don’t. We didn’t know how that
happened before the Privacy Rule, and we don’t know how it is happening now.
So, you really can’t tell.

I don’t think though, that from what I have heard that the common practice
that people have heard, and from the news reports that you have read, that it’s
been the selling of medical information that has really been the concern of a
lot of people. It’s not what they were doing in the first instance. Pharmacies
generally say that they weren’t, and when you read a lot of the news reports of
these violations in the paper, that’s not what was happening.

What was happening is they were receiving payment from drug companies to
send out marketing materials on the drug companies’ behalf. And the Privacy
Rule really doesn’t change this. There is no authorization required to use
health information for these switching letters. There is no authorization
required to send information to a marketing company business associate, so
there is a certain amount of disclosure, even though theoretically you have to
have this contract saying that they can’t use it for any other purposes, but a
lot of consumer think that just breaching that barrier alone is a violation of
their privacy.

So, these are the very activities that consumers were complaining about,
and the Privacy Rule allows them to continue. And there is no chance of getting
off the mailing list. When you start getting this stuff, there is no mechanism
in place for consumers to say I do not want you to send me information about
alternative medicine for my condition. Maybe it’s a personal condition. Maybe
they don’t want to receive these things in the mail.

I know I personally was contacted about a woman who was receiving bright
yellow and purple postcards for Prozac in the mail. And she was very upset
about that. She said my mail carrier can see that. Everybody in my apartment
can see that, and you can see why. And you would have to wonder about
somebody’s business judgment in doing something like that, in all honesty.

The right to request restrictions doesn’t help in this context, because the
provider doesn’t have to agree to your questions. So, there really is no
mechanism, no choice here, unlike what the Fair Information Practice Principles
would dictate, and so, there is no authorization, and there is no opt out.

Now, HHS, in particular Claude Allon(?), the deputy secretary of Health and
Human Services, said that there was choice, and that patients have a choice,
because they can shop around, and they can find a pharmacy that has a practice
that they agree with. How? How do you know? Look at a notice of privacy
practice. I have got three of them. I’ve one from Giant, CVS, and Walgrens, all
major chains.

You can look at these. You would never tell from looking at the notice of
privacy practice whether any of these companies receive payment for sending you
switching letters. They don’t have to tell you, and they don’t. They say we may
contact you to provide treatment-related services such as refill reminders,
treatment alternatives, and other health-related benefits and services that may
be of interest to you.

There is no way of finding out what is really going on here. I would like
to point out that for a brief period between December 2000 and 2002, CVS
actually did have something similar to a notice of privacy practice. They
weren’t calling it that at the time. But it had information on it when you
received a switching letter, that told you that here is an 800 number you can
call to get off this list. They don’t do that anymore.

So, what’s the practical result of the Privacy Rule? Again, here it’s hard
to tell. In all honesty, there haven’t been as many published marketing
incidents since the compliance date of the Privacy Rule, but I would attribute
that more to the few highly publicized lawsuits that have been brought under
state law, than what the Privacy Rule has done.

Eckerd agreed to expressly ask for permission to use information for these
marketing practices in settling its lawsuit in Florida. And they agreed to do
that across all states. So, it’s very important not to preempt more stringent
state law, because it is filling in where the Privacy Rule lacks.

One of the most clear effects of the last version of the Privacy Rule I
would say is to leave the impression with lay people that these marketing
practices that we have been talking about are actually prevented by the privacy
regulation, and they are not. I say this, because I was recently at an academic
conference on marketing, and I was invited to speak on the Privacy Rule.

Everybody in the audience — these were academics who study marketing,
that’s their specialty — everybody there understood that the HIPAA Privacy
Rule prohibited using health information for marketing. When I posed the
question about well, what do you call it, what do you think it is when a
pharmacy receives payment from a pharmaceutical company to send an individual a
switching letter? To a one they said in unison, marketing.

So, the lay person’s definition of marketing is different, so totally
different than what the Privacy Rule. It is generating, I think, a lot of
confusion. And I’m not the only one who thinks this. June McDeasy(?), who is an
associate professor of law, in an article published in the Nebraska Law Review
concluded that the commercial use of protected health information under the
HIPAA Privacy Rule is, “marketing disguised as health care
operations.”

And so, there is a lot of confusion out there about what the actual scope
is. And it’s beyond confusion. It’s almost misinformation. People hear
marketing, they think that it means one thing, and the rule means another. And
I don’t believe that HHS has done nearly enough in the communication aspect to
clarify about what the provision means, particularly with respect to consumers.

The main issue that was debated when the privacy rules were being discussed
was one of these issues about these marketing letters. And finding this
information about whether a pharmacist can receive payment for sending a
switching letter from a consumer perspective, if you are a consumer, you are
looking for that information, finding that information is difficult.

You look under the HHS’s main Web site of consumer information. It has a
fact sheet. It says prohibition on marketing. The final Privacy Rule sets new
restrictions and limits on the use of patient information for marketing
purposes. Pharmacies, health plans, and other covered entities must first
obtain an individual’s specific authorization before disclosing their patient
information for marketing.

At the same time, the rule permits doctors and others to communicate freely
with patients about treatment options and other health-related information,
including disease management programs. There is nothing said about payment in
here. And I understand that a lot of these publications are general in nature,
but since this was one of the major issues, and it seems to be a confusing one
for a lot of people, you would think that that would be clarified upfront.

Then you go to the frequently asked questions, and it’s very difficult to
locate information on this subject. The question when is an authorization
needed before a provider or health plan can market goods and services to me,
says for all marketing purposes. That really kind of begs the question.

It’s not until you look under the question, can a provider be paid to make
a prescription refill reminder, that you would actually find the answer to this
particular question. So, it’s very difficult for consumers to actually find the
information about this kind of a specific topic that they are concerned about,
and that’s been in the press an awful lot.

In light of this, I have the following recommendations, and I understand
that many of these are merely a pipe dream at this point, but I’m going to make
them anyway. I believe that the marketing provisions should comply with the
Fair Information Practice Principles. They should provide a choice for
consumers when their health information is being used for secondary purposes,
at the very minimum, an opt out.

There should be real notice about what the provider/pharmacist is doing.
Are you getting this information because somebody has looked at your medical
record? Or are you just getting it because somebody is paying them to send it
to you? And it should be prominently displayed on the material itself.

And there should be more effective communication about when authorization
is required. I understand that the marketing provisions were a very hot
political topic. But I’m afraid that the spin here has really done a disservice
to people, because I don’t think that a lot of consumers, and a lot of just
non-HIPAA people understand what the marketing provisions allow and they
prohibit.

And if the policy decision has been made that it’s okay for a pharmacy to
be paid to use a patient’s health information to send them marketing materials
on behalf of a drug company, why don’t we just say so, and get it up out front?
Patients should know.

Thank you.

MR. ROTHSTEIN: Thank you very much.

My guess is we’ll have a few questions, and also perhaps Mr. Bell would
like to comment as well. But I think you will probably get that opportunity to
comment in answer to the questions. So, the floor is open.

MR. HOUSTON: I actually have a question for each. I’m going to start with
Don. My first instinct is that when Joyce spoke, that by sending a
communication to a patient, that there is clearly some potential — let’s say
it’s something in the mail — that the patient’s family, the patient’s
neighbors, the mail carrier may actually glean from that mailing, what
condition the patient has.

If it’s Prozac, if it’s something that indicates on the surface that that
is what is that is related to, that their clearly could be some type of privacy
issue there. And I looked at other sections of the rule, and guidance that OCR
has given, and I’m troubled.

One case in point is that covered entities are still allowed to call
patients and give them appointment reminders, but we’re supposed to be very
careful what we communicate so that there isn’t the opportunity for others who
are in that household to get information about that patient’s condition. And
there are cases where patients don’t want their spouses to know what type of
treatment they are receiving.

How would you square your desire, obviously you think the need to be able
to communicate with patients in their homes about alternative therapies and
treatments, while still — in my mind there is still some tension here with
what the OCR and HIPAA really requires us in other areas to avoid?

MR. BELL: I can tell you how the members of NACDS that I have talked with,
and I’ve talked to well over 200, but I’ve certainly talked with the bigger
ones, and many of the medium and smaller ones as well, I can tell you how they
deal with those issues.

There are basically two scenarios you seem to be talking about. One is
mail, and one is calling. You mentioned like appointment reminders. A lot of
times our pharmacists may call a patient saying your prescription is ready.
They will talk to the patient about that. Now, if there is a voice mail, if
there is nobody there, I have heard that some of our members will leave them a
voice mail saying, Mrs. Jones, please call me at the following number. But I
haven’t heard of anyone that I know, all of the members that I have talked to
have specifically said they do not leave messages saying, Mrs. Jones your
Prozac is ready, please come pick it up.

MR. HOUSTON: And that is in my mind, a very problematic issue. If there is
something on the face of mailing. If it’s not an envelope. If it’s simply a
brochure or some type of multi-color marketing procedure that speaks of Prozac,
the purple and yellow.

MR. BELL: Well, I agree. On the mail, I was about to say, I agree with you
completely. I haven’t seen this yellow thing about Prozac, but I agree with you
it’s bad business practice, much less privacy problems. I hope it wasn’t one of
our members that did that. It sounds like something a manufacturer would do,
not one of our members.

Anyway, I can tell you what the members that I have talked to do with mail.
They have told me they do not do the little postcards, which I think some of
them did in the past, send a postcard. But instead, they have told me
everything that they send out is in an envelope.

And I did want to, if I can on the mail thing, because Joy, you raised some
very good points that I just wanted to discuss for a second. In any of these
mailings, like a refill reminder for example, if they are being sponsored, paid
for by a manufacturer, you mentioned that CVS used to have an 800 number on its
notice of privacy practices, but doesn’t any more. I don’t know if they do
anymore or not.

But I do know, because I have spoken with the attorney at CVS that writes
this portion of the letters, that every single letter that they send out with
these types of communications does have an opportunity to opt out in an 800
number that allows everyone to opt out, any patient to opt out of receiving
future communications if they want to.

The new National Consumers League best practices guide for pharmacies,
that’s one of the guidances that they have given, is to say when they receive
one of these letters, every time there should be number one, a very clear
disclosure if there is any payment by a manufacturer or some other for making
the communication, and number two, there should also be an easy method of
opting out.

Now, again, this has just come out, but in the process of reviewing it, I
have called up a lot of our members, and I said, is that going to be a problem
for you guys? And everyone that I have talked to so far said no, because that’s
exactly what we do already.

MR. ROTHSTEIN: So, let me just follow-up and see if I’m clear on this. You
would have no objection to a recommendation — I’m not saying that we are going
to make it, but hypothetically — in which we recommended that there be some
sort of opt out mechanism available to consumers if it were included in the
regulation, or some interpretation thereof?

MR. BELL: Well, as I mentioned, our members are not in favor of any new
regulations, because we think that best practices guides by NCL and others, and
just the market itself has been working this out. And it seems like it has been
working it out. From the members that I have talked to, they are already doing
these things.

MR. ROTHSTEIN: So, you approve of the concept, but you don’t want it
incorporated into the Privacy Rule? I’m trying to get an understanding.

MR. BELL: No, I understand, it’s a good question. As an association, I have
to walk a line. I can’t tell our members what their business practices should
be. So, I don’t know that it’s up to me to say yes, we should do this or not.
But I can tell you that the ones I’ve talked to are already doing that.

MR. HOUSTON: Just sort of a follow-up, I think from Joy had indicated
though, there isn’t 100 percent compliance, or else she wouldn’t be speaking of
these examples.

MR. BELL: I don’t doubt that. All I can speak for is our members, and the
ones that I know of.

MR. HOUSTON: I want to ask Joy one question. First of all, are you going to
be here this afternoon, or are you leaving after your testimony?

MS. PRITTS: Well, it depends on if you need me. I have a phone call at one
that I need to make. So, I can either make it here, or I can make it back at my
office.

MR. HOUSTON: The reason why I ask is that we are going to be talking about
fund raising this afternoon, and I had one specific question about your
perspective on fund raising, and again, using the one thing out the Association
of Health Care Philanthropy, which was related to requests about using one
additional piece of information, which is the patient service department
information in conjunction with it doing fund raising-related activities.

And I am interested in getting your perspective on using that additional
data element for the purposes of fund raising. I apologize if I sort of — I
know we sort of switched gears here, but I did want to get your perspective at
some point.

MS. PRITTS: I would like to think about that, and get back to you after we
are done with this part of the session, if that’s okay? I want to look at one
part of the regulation before I answer that.

MR. HOUSTON: Okay. It is relevant for today’s testimony, though it’s not
necessarily relevant for this testimony.

MS. PRITTS: No, I understand. And it has been an issue, and I do understand
their perspective on this, which is that it makes it difficult for them to do
fund raising for things such as a cardiology unit and things of that nature.

MR. HOUSTON: Thank you.

MR. ROTHSTEIN: Okay, other questions? Mr. Reynolds.

MR. REYNOLDS: Thank you, both of you. Excellent testimony.

Joy, I have a question. Don talked a lot about health care communications.
Do you have a box that you have drawn around health care communications?

MS. PRITTS: Yes. Well, I’m sorry, are you referring to an actual diagram
that I had drawn in the past?

MR. REYNOLDS: No.

MS. PRITTS: I thought you were referring to an exhibit I had in the past.
I’m sorry.

No, I think it’s a difficult line to draw, but I think I would draw the
line a little bit different than where it has been drawn in the Privacy Rule. I
understand that there was a lot of concern about — and this really came out in
the hearing before the HELP(?) Committee after the modified Privacy Rule was
issued — that there is a lot of concern about doctors being able to attend
conferences, and to receive perks from drug companies, because that was
concerned remuneration.

And so, they didn’t want doctors to be prohibited from prescribing or
making decision based on the fact that they had received remuneration in that
context.

I do think that there are issues there, but they aren’t necessarily
addressable in the Privacy Rule context. And that that is not so much of a
concern for most consumers that your doctor went to a conference, was paid to
go to some conference, and now they are prescribing a drug for you. That’s
always an issue in your health care, that somebody is not making a totally
unbiased decision on why you should be getting a particular medication.

But generally when that is happening, the doctor is looking at the
patient’s medical chart. They are deciding they know the patient’s condition.
They are deciding well, yes, the patient does need this. And they are
considering this among several options. So, to me, that’s more health care. And
when you’re looking at the continuum, that’s health care communication, even
though there is some kind of removed remuneration involved.

I think that it’s a clearer line to draw when somebody is receiving $3 a
name to send out a mailing for something like Prozac or a new HIV/AIDS
treatment. To me, that’s marketing. And I think to every marketing professional
that I have talked to, that is marketing. And most health care consumers think
of that as being marketing.

And I think that’s where some of the confusion comes, because the rule says
you can’t use it for marketing, but when anybody thinks of that term, most
people would include that activity.

MR. ROTHSTEIN: Can I ask a follow-up on that? So, let me just sort of
sketch this out, so we are all clear with this. It would be unlawful for the
pharmacy to sell a list of patients who are being treated for depression, let’s
say, to a pharmaceutical company, who would then directly solicit them to
switch drugs or try their products, or whatever?

It is currently not a violation of the Privacy Rule for the pharmaceutical
company to approach the pharmacy and say, look, we will pay you X amount per
mailing. Don’t tell us who the patients are, but you send it out to your
patients, or people who are prescribed drugs for this condition, who are taking
other medications, announcing our product. And that’s what you have a problem
with.

Suppose the manufacturer of this second pharmaceutical product went to the
pharmacies and said we think our product is superior to the other one. It
provides better outcomes, et cetera, et cetera, et cetera. And we will pay you
the costs that you incur in mailing this stuff out. We will reimburse you. So,
we will pay you 50 cents, or whatever your costs are in mailing each one out,
but we are not going to give you a bounty for each one that you send out.

And to make it more complicated, suppose the pharmacy actually thinks that
the second product is better. Would you have a problem with that arrangement?
So, what I’m focusing on, is it the fact that the pharmacy is getting money
from the manufacturer that constitutes the big problem in your view?

MS. PRITTS: Well, it’s a difficult line to draw, but I think that is one of
the obstacles that I have in this area. At that point, it really does become a
secondary use of the person’s health information. The information is being used
to treat them kind of secondarily. The primary purpose that these things are
being sent out is for profits.

I’ve been at some pharmacy conventions where I heard some small pharmacies
say that they needed to do this, because this is where they made their money.

MR. ROTHSTEIN: So, let me ask you this. Would it satisfy your concerns if
there were a provision that said it’s permissible under the Privacy Rule for a
covered entity to mail out news of additional products for the individual’s
condition so long as the covered entity did not receive compensation from the
manufacturer of that protect in addition to their mailing costs?

They will still have something to gain by it if people switch to their
product. They presumably would make more profit. But would it satisfy you if
there were a provision that said this arrangement is okay so long as you don’t
derive any income from promoting this other product?

MS. PRITTS: No.

MR. ROTHSTEIN: That would not satisfy you?

MS. PRITTS: No, I would still want there to be on that mailing, a notice to
the consumer that this mailing was being paid for by the pharmaceutical
company.

MR. ROTHSTEIN: Supposed we added that on?

MS. PRITTS: I’m not done yet. Ideally, what I would want upfront is when a
patient walks into a drug store, for somebody to say to them, look, we send you
these things on occasion. Are you interested in receiving them, yes or no? And
then the patient can say, like some patients do, that’s a great idea. I want as
much information as possible. Sign me up. And then the people who have reason
to say, I don’t think I want that kind of thing coming into my house could say
no. And that would make me happy.

MR. ROTHSTEIN: Let me just follow this up, and I want to ask Mr. Bell the
same question. Knowing that it’s not going to make her happy, how would your
organization feel about and what objections would you have to a change in the
Privacy Rule that said you can do this. You can mail out stuff for
manufacturers about new products related to conditions that your
patient/customers have. But you can’t get compensation over your costs, or that
becomes marketing for which you need a prior authorization. So, what would
their reasoning be?

MR. BELL: A couple of things. I want to answer that, but first let me
respond to what you were suggesting that you might be able to live with. I
think our members could actually live with that too, maybe. I’m speaking out of
turn, because obviously I haven’t talked to them about it.

But they could, but only if when the patient said no, I don’t want to
receive that information, then the pharmacy would not be held liable for anyone
for not providing medical information that they might get paid for if they were
sending out. Because our members are sort of stuck between a rock and a hard
place here. Our members are held liable all the time.

One of the fastest growing types of lawsuits against pharmacies is not
providing this type of information, like the importance of refill reminders, or
the importance of taking your drugs correctly. That’s the biggest type of
lawsuit we face right now.

So, if they could get protection from liability when the patient says no, I
don’t want to receive that information, they may just go for that. I say that
to highlight the issue here as a fact that again, it’s not a clear distinction,
in my mind anyway, between marketing and health care communications all the
time.

There is an attempt here, it seems to me, that you are getting to, which is
well, let’s try to draw a brighter line, and say that if someone is making
money off the communication, then it’s marketing. I think that’s a very
dangerous conclusion to get to, because we don’t have a nationalized health
care system right now. We have a market-based health care system right now.

Someone is paying for all of it. Someone is paying for all the drugs
dispensed, all of the communications being made. Someone is paying for it. Now,
maybe it’s the patient. Maybe it’s the patient’s health plan. Maybe it’s the
drug manufacturer, but somebody is paying for it. So, to try to draw a line and
say, well, as long as they are not getting paid for it then it’s health care,
but if you’re getting paid for something, then it’s marketing, I think that’s a
dangerous line to try to draw.

MS. PRITTS: I was actually going to agree with Mr. Bell here that I think
the line is easier to draw actually in the pharmacy context. But when they were
drafting the rule, I know that there is a large problem in dealing with PBMs in
particular, pharmacy benefits managers, because that’s what they get paid — to
switch people to lower cost drugs and things of that nature. So, it is a
difficult line to draw, and I don’t want to give you the impression that I
think it’s easier than it is.

MR. HOUSTON: I want to blur the lines, or draw the lines differently
anyway, because when Mark posed his last question to Joy he said covered
entities. And we have been focusing on pharmacies up to this point, and I think
there are other covered entities that would do communications to patients which
— would you consider it marketing or is it treatment-related?

And the two other entities that I can readily think of obviously are the
providers themselves and more specifically physicians, who obviously have a
treatment relationship with the patient, a very intimate relationship. But also
health plans. And as we know, health plans change formularies all the time, and
change programs, and therefore will send communications related to changes. And
is it Clariton or something else for allergies?

What are your opinions regarding communications with patients from health
plans as well as providers, again, the same type of communications, maybe in a
lot of cases under the same circumstances. The pharmaceutical company may be
underwriting the physician office the health plan to make these communications.
What are your thoughts? Does it change your opinion? It’s probably more related
to Joy than Don.

MS. PRITTS: Well, I would like to look at the provision, because I think
that they kind of take care of that in the specific provision which deals with
health plans and what they can do. So, it’s very specifically tailored to
health plans, and how they can send out information on what’s available on
their plan.

MR. BELL: If you want to look at that, can I just try to respond? I cannot
claim to be an expert on any other types of providers, but Joy did raise an
excellent issue, and that is PBMs, these pharmacy benefits managers that send
out a lot of communications. Trying to figure out who PBMs fit within the
privacy rules has been very, very difficult for our members.

They own mail order pharmacies, and those are clearly providers. But the
basic job that PBMs do, which is stand between the pharmacy and the patient and
the health plan, and keep track of all of these drug sales, and reimburse the
pharmacies, they are not considered, as far as I can tell, covered entities.

So, they are sort of in a gray zone. At most, they are considered to be
business associates of the health plans, but a lot of times what we have seen
is that that tail, the PBM is wagging the dog, the health plan, and it’s the
PBM that makes a lot of the decisions about what types of communications will
go out to pharmacies. So, that might be something that you’ll want to look at,
is how PBMs fit within this whole regulatory scheme.

MS. PRITTS: I don’t have the provision with me that I was looking for. But
I do believe that there is a specific exception for health plans that kind of
removes them from the equation.

MR. HOUSTON: In some regards I think, but again, they are still going to
making potential marketing communications, and it still is a communication
coming to the patient’s front door if it’s a mailing.

MS. PRITTS: I think it’s a problem. I don’t know that there are any easy
answers to it. I think that there are better answers than what we currently
have. This gets into kind of micromanagement, but I know that there are a few
states that have requirements that marketing materials for health services and
treatments and probably pharmaceuticals is what I’m guessing, prescription
drugs, that they must be sent in an envelope. I’m hesitating, because I’m
trying to remember which state that was, because I was so surprised to see it.
But there is at least one state that really gets down to that level.

MR. HOUSTON: The realization is that an almost identical communication
could come from a pharmacy, a physician, or a health plan. And they could be
underwritten by the same manufacturer, they really could. And what it sounds
like is that it could be acceptable simply based upon where it is coming from,
rather than anything else.

MS. PRITTS: Well, as a practical matter though, when we look at how things
are actually working, what usually happens is doctors are getting paid to write
the prescriptions. So, that’s actually what has been at issue for the last few
weeks, is doctors actually receiving large payments from pharmaceutical
companies to write prescriptions for their product.

As a practical matter, that’s where they are getting their money from in
these kinds of — the marketing is being done to the doctor directly. It’s
usually not being done through the doctor.

MR. ROTHSTEIN: Dr. Harding.

DR. HARDING: I’m missing out on some money somewhere. I haven’t been paid
for prescriptions lately.

MS. PRITTS: I’ll send you this article. It was quite amazing. Did you see
that?

DR. HARDING: I think it was oncology.

MS. PRITTS: Yes, a $10,000 check.

DR. HARDING: I’ll leave that one alone. But when you were talking, Joy,
about doctors being told the number or the people who they were writing
prescriptions for by pharmaceuticals, just as an anecdote, in my area the
pharmaceutical representatives don’t come in and tell you who you wrote
prescriptions for. They tell you the percentage of a certain product that —
we’re using psychiatric drugs here today, Prozac and so forth. But they would
come in and say what percentage of your antidepressants were Prozac. They would
tell you that.

MS. PRITTS: Right, and I think that’s the more common practice, what you
are speaking of.

DR. HARDING: As opposed to individual-identified.

MS. PRITTS: Right. But it has come up to me what has been a surprising
number of times where I have been approached when I’ve been at a conference by
a doctor who says, I got somebody in here who is telling me the names of the
patients that are on these medications, and I want to know how they know. I
have no idea.

MR. FANNING: Is that not from the PBM, rather than the pharmaceutical
company?

DR. HARDING: It could be.

MR. FANNING: Because they have the record of the transactions.

DR. HARDING: Mark, you were talking a little bit about the profit issue,
and a certainly amount of profit becomes marketing and so forth. That to me, is
kind of an abyss, thinking about how to divide that up, and what kind of profit
are we talking about, and so forth.

I could come down a little bit more on Joy’s side of things in saying that
the real issue, it seems like, is the notice. That if the notice is there, if
the letter comes and it says we are sending this letter to you at the request
of or for the payment from big pharma or some system or something, if that
notice is clearly there, it doesn’t give me near as much heartburn as if there
is no notice. Now, I still think that’s marketing, but it is at least clear and
upfront as to what is going on with that letter.

MR. ROTHSTEIN: Well, I’m persuaded that the trial balloon never even got
off the ground on trying to restrict the payment issue, because there are so
many ways you can imagine to get around that by changing their pricing schedule
and increasing their profits, and so forth.

So, let me follow-up on Richard’s approach, and that is to ask Mr. Bell
whether you think there would be acceptability to a change in practice that
there was disclosure on anything that was sent at the behest of a third party,
where that was indicated there? It could be if you just sent them a mailing,
this mailing was paid for by such and such pharmaceutical company, or in a
letter, or however you want to do it, leaving aside the issue of the
appropriateness of the method.

MR. BELL: Well, I don’t even think it would require a change of practice,
at least with the pharmacies that I have talked to about this. Again, I have
been told that they are already doing it now. I don’t now about all pharmacies.
I don’t claim to speak on behalf of all pharmacies, but the ones that I have
spoken to among our members already make those disclosures.

So, I don’t think that it would be necessarily a change of practice. I’m
sorry to keep referring back to these NCL best practices guide that you guys
haven’t seen yet, but that is one of the best practices that they mention, both
the notification of payment by a third party, like a manufacturer, and the
opportunity to opt out. And I do know for a fact, having talked with quite a
number of our members in discussing these best practices within that, they are
already doing that. So, I don’t know that it would require a change of
practices.

Now, I do know though on the other hand, our members do not like messing
with the privacy rules in any way. It took so long, and such a great effort to
come into compliance. And I think they did a very good job, and I haven’t heard
of — Joy may have, but I haven’t heard of any lawsuits against any of our
members anyway based upon activities that would have been a violation of the
HIPAA Privacy Rule.

So, I think they have done an excellent job of implementing the rules. I
think that they would not be in favor, to put it mildly, of any changes along
the lines that you are talking about.

MR. HOUSTON: I just wanted to ask Richard if he was finished?

DR. HARDING: I have a little bit different topic, so I’ll come back around.

MR. ROTHSTEIN: Is this related to this topic, John?

MR. HOUSTON: I just wanted to follow-up on the issue about marketing from
health plans. I did pull up the provision, and maybe I’ll just read it really
quickly. Marketing does not mean, “describe a health-related product or
service, or payment for such product or service that is provided by or included
in a plan of benefits of the covered entity making the communication, including
communications about the entity participating in a health care provider network
or health plan network, replacement of or enhancements to a health plan and
health-related products and services available only to a health plan enrollee
that add value to, but are not part of the plan of benefits.”

So, I think that was the provision that you were relying upon. It gives a
health plan some additional wiggle room, but I still if you are providing
communications about specific drugs and therapies —

MS. PRITTS: That are covered, I think might come under there.

MR. HOUSTON: It might, but it doesn’t give you that much wiggle room. In my
mind, I still think you have somewhat of the same issue.

MR. BELL: To me it doesn’t resolve that basic issue. It says health care
isn’t marketing. We still haven’t decided exactly where to draw that line
between the two.

DR. HARDING: Just kind of a quick thing that came up, that Joy mentioned,
and that’s the issue of state lawsuits and preemption. And I would imagine that
the two of you would have different thoughts about preemption in this category.
But I wonder if you could say just a little bit more about the necessity of
preemption, or the difficulty of preemption?

MS. PRITTS: Well, it would be very nice if we had a very strong federal
privacy rule where the bar was set high enough that patients would feel
comfortable. Because of a lot of compromise, where we ended was, as has been
repeated stated, a floor of privacy protections. And the compromise that I
think was reached there, was reached because there are a number of states —
every state in the union has some rule, some law that is more protective than
the Privacy Rule.

And there are very important policy reasons behind that. Many states, for
example, have decided to protect certain medical information at a higher level.
Generally, those protections are afforded to medical conditions that have
stigma attached to them. It’s unfortunate in this day and age that we still
have this, but there still is a lot of stigma attached to certain medical
conditions.

And these states have decided, a lot of them based on their population,
that these are things that are worth protecting. So, one way of solving the
issue, I have always said, is to just raise the standard high enough, and then
you wouldn’t have to worry so much about different state laws; raise that
standard high enough on the federal level.

We are not there. And until we get there, it’s very important that more
protective state laws remain in place. I’m not naive enough to think that it
doesn’t cause practical difficulties for people who practice in more than one
state. I know that it does. What some of these providers have — the way that
they have solved the issue is admirable. They decide to apply the highest
standard that they can to all of their operations. And that way people in other
states kind of get the benefit of the higher standard set by one.

The thing that I have seen repeated though when I have looked at this, is
how much privacy protection there really is at the state level. And again, it
varies dramatically by state. You look at New York state and they have an
enormous amount of case law dealing with medical privacy issues. Michigan has
almost nothing. So, if you were to eliminate the current structure, it would
really be lowering the privacy protections afforded to very many people in this
country.

DR. HARDING: Has there been the burst of legislation that was predicted in
the states to increase privacy levels during the last year since the privacy?

MS. PRITTS: No, in fact the opposite has actually occurred. Hawaii
basically revoked its comprehensive medical privacy statute in light of the
federal regulation, saying we don’t need it any more. Texas did something
fairly similar. They had passed a fairly comprehensive set of laws dealing with
medical privacy, and they revoked most of them.

There are movements afoot in several states to modify their existing
privacy, some of the kind of nuts and bolts of their privacy requirements to
make them more in line with the privacy regulation. Sometimes that’s good,
sometimes that’s not, but it does make it more consistent. But there has been a
trend.

Right, now I’m thinking of some of the access provisions. There has been
legislation introduced in I believe three states where currently the
individuals have I would say the response time is shorter for producing the
medical records, and things of that nature. And they are going to the federal
standard. So, instead of the federal Privacy Rule that floats all boats, it’s
kind of becoming the least common denominator.

MR. BELL: On preemption, our members would appreciate preemption. I
understand it would take probably a change of the statute itself. And
preemption is an issue that we deal with not just on privacy, but on many
different levels.

Our difficulty with preemption is, as you mentioned, our members operate in
many different states. Our members are companies like CVS and Rite Aid and
Walgrens and Wal-Mart and Safeway and Giant, companies like that, that operate
in many different states. So, it can of course be confusing to determine all
right if you’ve in 50 states, you’ve got to follow 50 different rules.

Our association has created a HIPAA preemption analysis, where we go
through and try to determine what is preempted and what isn’t, and what’s more
stringent standards in states. That cost us over $1 million. And we spend
another $10,000-20,000 every other month to update it, because it not just the
fact that there are 50 different standards out there, but there are 50
different constantly changing standards out there.

And I understand that legislatures aren’t necessarily the ones that are
doing all of these changes, although they have in places, California for
example. But there are also regulations that constantly come out in effect or
change, the privacy rules.

There are lawsuits that are decided that change the privacy standards. For
example, in Illinois a couple of months ago an Illinois court decided that the
mental health privacy statute will apply to mental health drugs. And that
pharmacies have to know why a drug was prescribed, for example, in order to
tell which set of privacy standards apply.

And then of course there are the attorneys general that are always doing
investigations, and whether their settlement agreements, which they then
proclaim must be followed by all other providers that aren’t a party to the
settlement, whether that constitutes a standard that is more stringent I don’t
know. But there are always constant changes coming along that does make
following 50 different changing standards difficult. So, sure, our members will
like it. If you can do that, we’d appreciate it.

MR. ROTHSTEIN: Let me ask Ms. Pritts a question. I’m sure Mr. Bell wouldn’t
mind getting off the issue of pharmacies for a minute. And that is whether you
have any concerns about marketing in other settings? For example the
redisclosure of PHI by marketing firms that have gotten information via an
authorization or marketing in other contexts.

MS. PRITTS: That’s one of the concerns about the fact that the Privacy Rule
doesn’t cover everybody who holds health information. The people who get it,
such as marketing firms, they are not covered directly by the Privacy Rule.
They are only covered through a business associate contract.

And there is concern that they will use it improperly, but there is no real
mechanism for people to tell if they have. A lot of the times when you read
about the things that people are complaining about, they don’t know who has
their information, or how they got it.

I’m thinking now about this Prozac example that I had raised earlier. The
person who received that tried to trace back where the information came from.
And they found kind of a marketing company, but they couldn’t figure out who
had paid the marketing company to send the information. So, it’s a difficulty.
I think it’s a difficulty in knowing whether it’s actually being done.

And if you find out that the information is being disclosed, I think it may
be difficult to do a real trace of where the information came from, because it
is so possible it came from different sources. And then of course there is
almost not enforcement at that point, because HHS doesn’t have authority over
the business associates.

MR. BELL: Yes, and if I could follow-up on that, I agree with you. And
there are other entities out there that aren’t covered entities, but do have
protected health information. I probably filed one of, if not the first HIPAA
privacy complaints on April 14 or 15. I can’t remember when I did it, but it
was about all of these Internet pharmacies that specifically require patients
— I’ll call them patients — to waive any privacy rights.

So, I filed complaints against literally hundreds of these companies, and
about a year later got a reply back from HHS that said, well, they’re not
covered entities, because they don’t adopt the type of electronic transactions.
So, I think you are right that the privacy rules do not cover all of the
entities apparently, that have this type of information.

MR. ROTHSTEIN: Other questions or comments?

Well, I want to thank both of you very much. It was a very enlightening and
stimulating discussion. And with that, we will break now for lunch. We will
have our next panel on fund raising beginning at 1:15 pm.

[Whereupon, the meeting was recessed for lunch at 12:15 pm, to reconvene at
1:15 pm.]

A F T E R N O O N S E S S I O N (1:20 P.M.)

DR. ROTHSTEIN: Good afternoon, everyone. I want to welcome you back to the
hearings of the Privacy and Confidentiality Subcommittee of the National
Committee on Vital and Health Statistics.

This afternoon we take up two issues, fundraising in our first panel and
media access to PHI in our second panel. I want to remind members of the public
that there is an opportunity to provide public comment at 4:30 p.m. If you want
to sign up, please do so at the front desk, and you can address the issues that
we are discussing today for five minutes.

Agenda Item: Fundraising – Panel 2

This afternoon, we have two witnesses on our first panel on fundraising.
Let me say thank you to both of you for coming, and say at the outset that the
first two panels today, the marketing as well as the fundraising panel, are
issues we have dealt with in the past. I know Dr. McGinly has testified before
us and other Hopkins representatives. Duran Pollock testified in 2002 at our
hearing on the issue of fundraising. What we are doing today is revisiting the
issue. We had many concerns expressed to us at that time and even before then
on fundraising issues, and we are checking back to see what has happened,
trying to see if there are problems in the implementation of the rule, if you
have recommendations that you would like us to pass along to the Department on
ways to make the rule operate more efficiently for you and for those people who
are working in your field.

What I would like to do while Dr. McGinly is getting settled is to first
ask for Mr. Zeller to testify.

MR. ZELLER: Thank you. Good afternoon, Mr. Chairman and members of the
privacy subcommittee. My name is John Zeller. I am the Associate Vice President
for Development and Alumni Relations at Johns Hopkins Medicine in Baltimore,
Maryland.

First, thank you for inviting me here today to discuss with you the impact
that HIPAA has had on fundraising efforts, particularly at Johns Hopkins
Medicine. Before I discuss the impact, I’d like to make two brief comments.
First, that academic medical centers and nonprofit health care organizations
support without question the spirit of HIPAA legislation to insure the privacy
of medical record information. Second, I would like to thank you and the
committee for your letter dated March 1, 2002 to Secretary Thompson, in which
you recognized the vital role that private philanthropy plays in funding
medical research, patient care and education programs in this country. The
privacy interests of patients should not impede responsible fundraising
activities.

At Johns Hopkins Medicine, private philanthropy from our patients is not
only an essential component of the institution’s financial health, it
contributes enormously to medical advancement. Generally, patients direct
philanthropic funds to the cutting edge medical research we perform tied
directly to their own diseases or to those diseases from which their family
members are suffering. This research is often so new that traditional funding
sources such as NIH will not yet support their ideas, therefore making private
philanthropy a driving force in the identification and development of new
medical discoveries.

Fifteen months after the implementation of the fundraising portion of the
regulations under the HIPAA law, how has this impacted our fundraising efforts?
Let me begin by addressing what we can quantify. We have diverted current staff
to focus on HIPAA. We have added staff to manage authorization information, and
we have created a new office of HIPAA fundraising compliance, which reports to
my colleague here on my left, Cynthia Beech Smelser, who is a director of the
fund for Johns Hopkins Medicine.

Our operating budget is increased to accommodate substantial authorization
for printing and systems costs. We have developed makeshift systems to manage
authorization information in the short term while we are building a system that
will be able to handle a system that will be able to handle this information
long term.

One of the reasons for success at Johns Hopkins Medicine is the way in
which scientific collaboration occurs across the institution, spontaneous and
unimpeded. However, trying to implement a uniform process in a large complex
organization like Hopkins presents a great challenge.

In order to comply with HIPAA, we met with our leadership, trustees, legal
counsel, physicians, clinical managers and various hospital committees to
discuss how best to proceed. This resulted in a number of pilot projects
examining different approaches to securing patient authorization. The outcome
was an agreement that our institution policy would be to offer authorizations
to patients at registration.

We have been implementing this process throughout the Hopkins health system
since last December. Our preliminary data suggests that less than half of our
patients are signing the authorization form. The signing rate does very from
clinic to clinic, however.

At this juncture, the HIPAA impact on fundraising is difficult to assess.
First, we do not yet know whether or not the patients who have signed the
authorization form are truly those who are philanthropic. This will have to be
assessed over a period of time. Second, successful fundraising programs rely on
strong relationships built with potential donors, educating them about the
impact of philanthropy, involving them in the programs of the institution, and
matching their interest and philanthropic capacity with the needs of the
organization. This is done face to face, over time, and as an ongoing
relationship that continues past any initial gift. Asking permission to engage
in these types of conversations before any contact with the institution can be
very awkward for all parties involved.

Third, the combination of varying legal interpretations of the few
paragraphs in the law devoted to fundraising make it extremely difficult for
academic medical centers and nonprofit health care institutions to determine
best practices for grateful patient fundraising, and develop a model for
institutions to follow.

In closing, let me again restate that it would be helpful if HHS would
implement what you suggested in your letter of March 2002 and employed
responsible fundraising activities. In that letter, you recommended that HHA
should explore procedures for the disclosure of clinical department of service
information for use in fundraising such as simplified authorization or an
opt-out procedure for departmental information. We ask that you renew that
recommendation today.

Thank you. I would be happy to answer any questions you might have.

DR. ROTHSTEIN: Thank you. We will have plenty of questions, I’m sure, but
we want to hear from Dr. McGinly first, unless someone has some particular
question.

DR. MC GINLY: Hi, Mark. Thank you all for inviting us back. I am delighted
to be back with you here. I wanted to try and address more questions in
addition to what we had submitted to you earlier and to wrap up with a rather
strong recommendation regarding point of service in the use of that
information, which was for the first time eliminated from professional
fundraisers’ use without the written authorization.

A couple of things I wanted to address. How has life for fundraisers
changed since the last time that we met with you. On this issue with the
privacy regulations, I can tell you that there is a lot of confusion. There are
a lot of people that are upset out there. There is a loss of services in
communities because of the added costs that our organizations have incurred as
a result of not only doing the written authorization portion of it, but just
tracking and dealing with the notice of privacy practices, and on and on.

Just to give you a flavor for this, some of the things that are coming out
relative to the interpretation of the regulations as it relates to fundraising.
You are all familiar that demographic information can be used without prior
written authorization, as long as there is an opt-out, and all that. Here we
are with interpretations that run the gamut and create more and more confusion.

I’ve got an attorney in Kansas City who is advising clients and volunteers,
all have to enter into a business associate agreement. The attorney hasn’t read
the regulations, but that is part of the confusion that is out there. We have
compliance officers and other advisors initially explaining and still
explaining right now to our members that they can’t visit patients any longer.
I can walk in off the street and visit you in one of our hospitals, but our
development person can’t. That is not the way it is in the regs. They are
defining things quite differently. We are entitled to have the age of the
patient, but they won’t give the birth date in some instances, the birth date.
You need that if you are going to into planned giving, or you are a part of
that program. And of course, that is permissible. I can give you five or six
more sound examples like that on the one side.

One of the things that we did in 2002, actually towards the end of 2002,
is, we conducted a fax survey of our members. We got a range of expenditures
and added costs relating to implementing HIPAA just for fundraising. Remember,
this runs the gamut just from small community hospital to those like where John
happens to be, where they have made a decision because they want to fund raise
by department, that they are going to go for the written authorization. But it
ranges from as little as $25,000 to well over a million dollars. We have a
group of our larger organizations that are going with the authorization form,
reporting that it is anywhere from $400,000 to $700,000 annually to manage this
process. Part of that goes to things like some of the responses we got, where
additional compliance officers hired IT computer security database training. A
physical plant change is $120,000. Investing a million dollars to implement
staff publication, public education as it relates to the fundraising. So we see
quite a wide gamut there.

Also, we saw in the year 2002 that giving — and unfortunately, I can’t
attribute this in a statistical way to specific things, but we know what some
of them are, but we watched giving drop from eight billion dollars in our
annual survey to $5.5 billion. Now, granted, the major portion of that was
because of the economy. We saw gifts of appreciated property go down. But we
also know that an awful lot of that was due to the confusion in donors’ minds.

An important element that John raised with you as well, when you talk about
the written authorization, what some of the larger teaching hospitals in
particular are finding is that about 40, 45, less than 50 percent of the people
who are asked, will you give us the prior written authorization, are saying no.
This flies in the face of what we know has been permissible up until the
implementation of HIPAA, and is creating tremendous troubles for us.

Those people are responding just the way you responded to the question I
asked you when I was here last: What do you think of when you hear the word
fundraising. You came back and you told me, it is the telephone call at
dinnertime. We are not that, but people who are presented with that option are
now having the opportunity to be educated about what we are doing, or given the
opportunity to engage to volunteer and donate money will opt out of it, because
they have that misunderstanding. So that is one of the biggest things that we
see going on.

Our members are struggling with this, there is no question. They are
struggling to the point that I have become at my age the HIPAA — nobody at my
age is HIPAA — I have become the HIPAA expert. I have made presentations to
over 40 foundation boards since this was enacted, and even before. I have done
over 100 workshops with attorneys and others. We get into arguments and fights
on the floor of these workshops, particularly the gentleman from Kansas who was
advising the business associate agreement was necessary for every volunteer.

We write to the Secretary, and we raised three questions about point of
service, and we knew the answer to that, but we wanted to get it on the table.
The business associate agreement, because some organizations have chosen to
treat their foundation as a business associate rather than complying with what
is in the regulations, and that opportunity that they are a health care
extension, they are a part of health care operations, there is no need for a
business associate, and the physician referral of patient names for the
purposes of fundraising, which was pretty well clarified in that letter.

The key thing that we are seeing as we go through all this is, we are now
rebuilding from the standpoint of 2001, with eight billion dollars raised,
which is incidentally what one chief executive, Blue Cross Blue Shield, told us
that implementing all of the HIPAA regulations worldwide or across the board,
was going to cost about $8.6 billion. So if that is true, we have wiped out
what we have done in philanthropy as a result of these HIPAA regulations.

Now, the piece that is fundraising of course is a much smaller percentage
of that. But we see substantial dollars being invested in something that in our
view, in accordance with what is the donor bill of rights, our donor ethics, is
unnecessary. This idea that a written authorization, no matter how simple it
is, is just like that question asking, do you want to go to the hospital, do
you want to go to the dentist, what do you think of when you hear fundraising.
The answer is no, you don’t want to go to the hospital until and unless you
have that need.

These grateful patients have been through that experience. They have been
helped. They have been assisted. Many of them want to turn around and benefit
the community and others that cannot afford to benefit themselves in the same
way.

I also would point out that there are a lot of contradictions in the
regulations, but look at an independent cancer center, which we have done, Fox
Chase in Philadelphia, and several others, Craig Memorial Hospital in Denver.
These are all institutions that are freestanding, and they offer only one
service. They do fundraising to their patients. We haven’t had any issues with
that, we haven’t had any problems with that. We didn’t have those before this
regulation came out.

Incidentally, we understand that back in November, December, there were
2400 complaints. As far as we have been able to determine, not one of those was
dealing with fundraising. I can’t say that with total accuracy, because I have
only gotten anecdotal information from OCR as well.

So with that, I would recommend, and I would hope that you would recommend
to the full committee and on and on what we were talking about before. That is,
to allow the use of point of service information within the health care
provider, without prior written authorization from the patient, for fundraising
purposes. It is the way that we have conducted business for 35-plus years, up
until the time that these new regulations come in.

Lastly, you asked what kinds of things are we doing educationally. Again, I
just finished our round of regional meetings. We had HIPAA on the agenda. We
have put together with one of our compliance officers out in Pacific Medical
Center in San Francisco a program where we take this all over the country. We
have a compliance officer who is sitting down, and we promote this. It is HIPAA
and fundraising, specifically what you can do and what you can’t do. When we
get into these discussions, we find our members are all over the board, based
on the advice that they are getting.

There is one last thing I wanted to add, but at my age, I have these senior
moments. My most serious thing is simply a recommendation to allow the use of
point of service patient information within the health care provider, by the
health care provider, without prior written authorization for fundraising
purposes.

Thank you.

DR. ROTHSTEIN: Thank you very much. Before we begin with our questioning, I
know you weren’t here this morning when three of the four subcommittee members
at today’s hearing indicated for the record that we work at academic medical
centers that are funded in part at least by private donors, so therefore we
have in theory at least some level of conflict of interest. But we wanted to
get that on the record.

The floor is open for questions.

DR. HOUSTON: A question just to summarize. You definitely believe that
there has been an impact on the amount of funding you have collected due to
HIPAA, as well as an impact on your costs in order to do fundraising. I just
want to make sure I clearly understand that. I just want to be crystal clear.

DR. MC GINLY: Absolutely, from what we have seen.

DR. HOUSTON: Mr. Zeller, can you specifically quantify the impact on Johns
Hopkins?

MR. ZELLER: As I stated in my remarks, it is very difficult to quantify it
definitively. We do have some indications, and I was speaking with Dr. Harding
beforehand about this. We track the percentage of individuals who sign
authorizations. That is less than half. So we really won’t know what the impact
will be on individual giving going forward until we really ascertain whether or
not those who are signing up are philanthropic.

But specific information for our financial year that ended June 30, we have
traditionally in the past garnered support in the vicinity of 70 percent of our
contributions coming from individuals, the balance coming from corporations,
foundations and organizations, not necessarily associated with an individual.
So private foundations are counted within that 70 percent. Of that 70 percent,
approximately 90 percent has come from grateful patients. This year, although
we achieved comparable results to last year, that percentage has dropped from
70 to 56. So a trend line is such — one year does not make a trend line,
obviously, but it is an indicator, coupled with less than half the individuals
signing the authorization, that we may be headed towards a significant issue.

DR. HOUSTON: if somebody doesn’t sign the authorization, do you
automatically put them into your opt-out database? Obviously an authorization
is only required if you want to use Department specific, disease specific
information. So if they register and don’t sign this authorization, do you
immediately assume that they are opting out of the generalized database?

MR. ZELLER: No. We will try to re-seek an authorization six months later.

DR. MC GINLY: Can I add, we will try to re-seek authorization —

DR. HOUSTON: You still try to make contact without an authorization,
generally without the disease or department —

MR. ZELLER: We do have that option. I will tell you that in the overall
fundraising impact — and I think Duran Pollock made this comment two years
ago; if you look at the amount of money that we raise on an annual basis as a
percentage from general solicitations, as you are suggesting, last year was
about $160-plus million in private gifts from a variety of sources. Last year
from direct mail, using only generalized information, that number was $220,000.

DR. HOUSTON: So it is less than one percent.

DR. MC GINLY: Also, those figures about the source nationwide, it is about
68 percent in our surveys. If you add bequests, which are also individuals in a
different state, it is closer to 80 percent.

DR. ROTHSTEIN: Dr. McGinly, you spoke earlier about fundraising at Fox
Chase and some other specialized centers. Could you repeat that point?

DR. MC GINLY: The regulations don’t prohibit a specialty hospital from
doing fundraising, grateful patient fundraising. They don’t have to ask for an
authorization, because all the people at Craig Memorial Hospital at Denver are
spinal cord injury patients.

DR. ROTHSTEIN: No, I understand that. Was it your statement that
fundraising at those institutions did not decline between the years that you
mentioned?

DR. MC GINLY: They have held up much better, absolutely. My point is though
that here is a spinal cord department within Mass General that cannot do that
without having a written authorization. Here is one at Craig Memorial, Fox
Chase, the cancer center there, that cannot do that without a written
authorization.

Yes, the return from a grateful patient — just as an example, from direct
mail, if you get one-half of one percent return on a direct mail acquisition,
you would be very happy with it. We are finding a lot of our members are
getting 28 to 32, 33 percent return from grateful patients.

So yes, their mailing costs are a lot less because they are going to their
grateful patients, and their return is a lot higher because there are grateful
patients that have had an experience with the institution. But they don’t have
to worry about a written authorization. My point is that it is not an issue as
far as privacy is concerned, but it is an issue as far as our fundraising
effects, and the cost.

DR. ROTHSTEIN: I see the point you are trying to make. That is the issue
that we have all been wrestling with, how do you continue successful
fundraising at large multi-specialty medical centers. The methodology side of
me is questioning whether A equals B, but that is beside the point, because you
could argue that cancer survivors are more motivated to give than the average
hospital patient and so forth. You would have to compare longer term trends in
one year, and I don’t want to do that. The issue is whether in balancing the
patient privacy rights against the other valid rights, where do we strike the
balance. That is what we are all wrestling with.

I want to ask Mr. Zeller a question. You said fewer than half of the
individuals at registration sign initially. What percentage are you able to
recapture later on through other efforts?

MR. ZELLER: We have actually only put the patient in place at the end of
December, so we have really only had six months worth of data. The process as
it is now is that for those who do not authorize, choose not to authorize, that
we try to recapture them six months later. So the time frame is hard to assess
what that successful recapture might be at a later date.

DR. ROTHSTEIN: What would your view be on an opt-out for patients similar
to the directory opt-out, where individuals could elect not to have that
information disclosed for fundraising, but ordinarily it would be available?

MR. ZELLER: Help me with the definition of what type of information you are
talking about.

DR. ROTHSTEIN: The department of service information. So in other words, I
check into the hospital for treatment of something that I consider sensitive,
and I am given an option to opt out, either expressly or just in the rule that
I can exercise if I want, so that I don’t have to be approached by a specific
division of the hospital or that information is not given for fundraising
purposes. Is that better than the current state or not sufficiently better than
the current state of the rule, so what?

MR. ZELLER: Bill may have comments on this. It still puts it in a very
awkward situation relatively to seeking that authorization or that process at
the front door, if you choose to do it at registration.

We tried a couple of different pilots. It is clear that physicians do not
want to participate in the seeking of this authorization.

DR. ROTHSTEIN: Suppose the burden were on the patient, and the patient
would have to initiate and say, by the way, don’t put me in the directory and
don’t give my information of what sort of diagnosis or whatever for
fundraising?

MR. ZELLER: I think that would be significantly better. Let me come back to
the point where you said diagnosis. What we are talking about is point of
service relative to potentially a physician’s name or an area in which they are
seen, as opposed to any specific diagnosis. So that would be significantly
better than what we have now, in my opinion.

DR. HOUSTON: Just to be complete, can somebody describe the specific types
of information you like to have, in as much detail as you think is necessary?

DR. MC GINLY: First of all, what is the difference if I am an oncology
patient in Fox Chase or an oncology patient in Hopkins? One place they have to
get written authorization, the other they don’t. There is no difference. I
would submit to you that if you want to opt out one piece of this or carve out
one piece of it, it is going to make our members’ lives more difficult in
tracking this information.

We are not interested in whether you had colon cancer or rectal cancer or
what kind of cancer you had. What we are interested in is that you received
services through the oncology department or whatever it happens to be. We can
then take that group of grateful patients and appeal to them on the basis of
supporting something in oncology or cardiology or whatever it happens to be.

DR. HOUSTON: I also heard mention of physician name. I just wanted to know
exactly what elements you are interested in.

DR. MC GINLY: For the most part, having the physician name, which is
permissible for our members in our normal work, gives you the department they
received service in. There is no way that you can avoid knowing that
necessarily. Part of our responsibility is the visit will begin in the
hospital. You know that I am in the cardiac care wing, but how I use that
information is the bigger —

DR. MC GINLY: You mentioned opting out of the directory. Another good
example. Here are patients saying they want to opt out of the directory. They
opt out of the public directory. That doesn’t mean you deny the name of the
physician that is providing treatment, nor should you deny the name to the
fundraising person for fundraising which is part of health care operations.
They have simply opted out of the public directory. But again, there is a lot
of confusion out there.

DR. ROTHSTEIN: But again, if you approach someone and they said don’t call
me again, it is just a different stage of the opting out.

DR. MC GINLY: Here is another good example, too. In the notice of privacy
practices, we have collected numerous of those, and I find some of our best
members who have an opt-out in the notice of privacy practices, when they
receive that statement. That is not required. It is the worst place to put it,
because it is the same thing as presenting them with a written authorization.
Fundraising, opt out before I even learn what this is all about.

One of the best notices of privacy practice I ever saw or have seen so far
is with a for-profit hospital. Why they even had it in there — I explored it
with them, it was just in the regs, so we complied, was their answer. They
don’t even do any fundraising. But it was the best one, because they didn’t
have an opt-out in the notice of privacy practices. They were doing it
correctly as far as good sound basic practice, and putting it in the materials
that they were mailing out, or they would have been.

DR. ROTHSTEIN: You made a statement earlier, you said that it is common for
fundraisers at hospitals to visit patients. You are talking about people who
are long time donors, right?

DR. MC GINLY: No, not at all. I am talking about the fundraising office or
the volunteer that they have working for them, who is making a visit to
patients that are coming into the hospital. Quite frequently, they are people
who are established or they have been a donor, yes. But they may make a call on
somebody. I will call my member to visit one of my friends in Enova, not
necessarily for fundraising, but to help them out, how is everything going.
They may add them in later. That is part of what is expected of them in their
fundraising duties.

MR. ZELLER: I think sometimes there is the perception that if someone who
wears a fundraising hat visits a patient, it is for the purpose of discussing a
gift, or to solicit them. My comments reflected the fact that grateful patient
fundraising in particular is built upon a relationship. It is a relationship
with a physician, it is a relationship with the organization, which development
for fundraisers helped to facilitate.

So there are courtesies, whether it is escorting a patient to appointments
that they have been asked to do, or to simply stop by, getting greetings from
friends or colleagues who knew they were in there for the purposes of
facilitating the best possible experience that they could have, not to sit
there and solicit them for a gift at that time.

DR. ROTHSTEIN: So I needed to clarify that. People are not coming and
hitting up people. It just sounds awful.

DR. MC GINLY: This is a role that they play that is building a
relationship. Have you ever been in the hospital for something?

DR. ROTHSTEIN: Yes.

DR. MC GINLY: Isn’t it comforting to know that there is somebody there who
can be an advocate for you?

DR. ROTHSTEIN: We learn in law school not to ask any questions that you
don’t know the answer to. My view, when I am in the hospital, I barely let my
doctor see me, and everyone else is thrown out.

DR. MC GINLY: So you do not feel comforted by someone from headquarters
coming to visit you?

DR. ROTHSTEIN: No. And frequently the president of the hospital and people
I work with want to drop by. No visitors. I don’t want to see anybody.

DR. MC GINLY: Then that should be protected for you.

DR. ROTHSTEIN: I want to get off my hospitalization.

DR. MC GINLY: Apparently he is not a major donor.

DR. ROTHSTEIN: No, actually I am a donor. I am grateful to the institutions
that have cared for me, unsolicited. I appreciate the fact that they saved my
life, and they don’t have to do anything.

I did have a question. That question was — and see if I am correct in this
— using a publicly available directory, you could go to John Fanning’s
hospital room, and you see that he is being treated by Dr. Harding. You know
Dr. Harding is a psychiatrist. Then when you decide you want to endow a chair
in honor of the esteemed Dr. Harding, mail him a solicitation saying that we
are — not saying that you are a patient, that we are establishing a chair for
Dr. Harding. Is that what you are saying?

DR. MC GINLY: In practice, prior to this regulation, exactly that could
happen. There were some very clear cautions that we have in our practice about
psychiatric care of patients, about Medicare and Medicaid patients, and what
your philosophy is, what your management is, not off a public record
necessarily, but the census that I am going to receive daily as a part of my
fundraising responsibility. I can walk in off the street and come and visit you
in your hospital, except when I get there, they are going to say, Mark doesn’t
want anyone to come in, and I am going to honor that.

So yes. Would we do that with psychiatric care patients?

DR. ROTHSTEIN: Well, let’s make it internal care patients.

DR. MC GINLY: I would, on making those visits, because I know why you are
there prior to these regulations —

DR. ROTHSTEIN: What about after the regulations?

DR. MC GINLY: I can’t do that.

DR. ROTHSTEIN: Why?

DR. MC GINLY: I may know, because I have come to visit you, which is
perfectly permissible, that you are on the cardiac care wing. I cannot take
your name and put it in a file and build a file of cardiac care patients to do
fundraising to, unless I get a written authorization from you. But do I know
that you are in the cardiac care wing? Sure, I do.

DR. ROTHSTEIN: I’m struggling with this. Suppose I am in the hospital, and
someone from the American Heart Association looks at the directory, pays me a
visit — forget the no-visitor stuff — they see I am in the cardiac care wing.
They send me a solicitation for the American Heart Association, right? Can they
do that?

DR. MC GINLY: First of all, the person that is with the American Heart
Association is not employed by the provider.

DR. ROTHSTEIN: I understand that.

DR. MC GINLY: Could that person walking in off the street do that? Sure. It
would be kind of unscrupulous, though.

DR. ROTHSTEIN: I’m just talking about whether the privacy rule prohibits
it. The answer is, obviously not, right?

DR. HOUSTON: The privacy rule says that an institution related foundation
is only able to do fundraising on behalf of that institution and not on behalf
of other —

DR. ROTHSTEIN: No, but they are an independent foundation. I am trying to
draw — what I am trying to do is compare what is publicly available
information about where you are, that someone learns by just showing up, which
they are allowed to do, and what you are allowed or prevented from doing under
the privacy rule.

DR. MC GINLY: The difference is, first of all, the language is crafted very
nicely that it is speaking only to the institutionally related foundation,
because these people are working for the provider. It doesn’t speak to the
person from the American Heart Association who would walk in off the street, I
suppose, because they are not part of — do those regulations apply? I doubt
it. Would that be unscrupulous? I would think so. But by the same token, our
member coming across the street from the foundation or the department of
philanthropy, while they can make that visit and build the relationship with
you, cannot categorize you and promote to you off a list of cardiac care
patients exclusively. You may get a promotional piece or an invitation to
contribute, but it is much broader, and it has gone to a larger list of
patients.

DR. ROTHSTEIN: See, the complicating thing is that the information about
the department is learned through an inadvertent disclosure, and it is not
obtained by the development office getting a printout of all the monthly
cardiac patients.

DR. MC GINLY: It is the development office getting a daily printout of all
the admissions or people in the outpatient area or whatever it may be, and
perhaps comparing those to current donors or deciding that these are a group of
people that we want to visit. That is not inadvertent. That is part of sound
fundraising.

Am I learning about your diagnosis? Probably not. I am learning where you
are receiving service in the hospital. How I use that information is
restricted.

DR. ROTHSTEIN: I’m trying to help you. You are not helping me help you. The
point I am artfully trying to make is, the institutionally related fundraisers
are seemingly in a worse position than someone off the street.

MR. ZELLER: But I think you could also look at — as Bill was speaking to,
we all as part of health care operations are engaged in making appointments and
securing services for individuals. In the course of that process, they are
privy to in some cases very detailed PHI. We do not and cannot use that by law,
but we also as an organization do not use that in any kind of direct
fundraising way.

It would strike me — and I don’t know the legal interpretation to this,
but it would strike me that if the AHA walked in off the street and saw the
same type of exposure, saw that you were being treated in a cardiology unit,
that information was incidental and could not be used in a direct fundraising
way.

AHA would not have access to that information as a health care provider
normally. So I don’t know how they could use that. That is what I think Bill
was saying. It would be unscrupulous to use it. I would argue that it probably
would almost be against the law. Maybe not.

MR. REYNOLDS: I want to focus on this level playing field that you have
seemed to mention. So a hospital is identified in the reg as being able to do
things that you wish you could do. If you had a unit in one of your hospitals
— let’s take Johns Hopkins. If you had a unit that specialized in cancer and
you changed the organizational structure of that to a specialty hospital, would
you be allowed to do the same things that the specialty hospitals do?

DR. MC GINLY: I’m not an attorney, but I can play one. I don’t know the
answer to that. I suspect if they reconstituted themselves legally as a
separate entity, separate and apart from Hopkins, they could do that. But look
what they would lose.

MR. REYNOLDS: No, I’m trying to make a point. In other words, you would
have somebody that is offering exactly the same services, though they may be
structured differently when we go through the finances and we go through
everything else, you would be offering the same service to the same people,
don’t change any doctors, don’t change any nurses, don’t change any beds, don’t
make it different, that they could in fact approach each of those patients.

Now, is there a set of specialty hospitals that identifies what those
specialty hospitals are, those other categories? You don’t need to list them
off, but if there are categories, I think it is an interesting consideration.

DR. MC GINLY: They are harder to find because there have been so many
mergers and multi-systems, and many of them that were freestanding couldn’t
afford to stay freestanding. So they merged into systems, multi-hospital
programs, and once they have done that, they are part of a larger system. Then
they no longer have that stature.

DR. HOUSTON: I don’t necessarily agree. I think some hospitals will be
branded as — I worked for a large health care system in Pittsburgh, and we
kept three of our hospitals branded specifically to a specialty area.

DR. MC GINLY: Are they within an organizational structure even within a
holding company?

DR. HOUSTON: They are a separate 513c, but they are still under the parent
corporation, which is a 501c3.

DR. MC GINLY: Then I think you would have to review that. The response I am
getting from the attorneys is, at the very least, to be on the safe side, make
sure you get written authorization.

DR. HOUSTON: I guess where I am continuing to go with this is, if you had a
category of specialties that the law allowed, DR. MC GINLY: If they were
specialty, I really struggle personally to understand the difference.

DR. HOUSTON: If I have privacy and I walk in this door, and if I have
cancer and I walk in that door, if that is a specialty that is identified as
one of the ones that was a category, I guess if you looked at a level playing
field of a regulation, cancer is cancer is cancer. I’m just trying as a
committee to understand what kind of consideration we need to give. The level
playing field just doesn’t seem to come into play here.

DR. MC GINLY: That is one of our key points with groups that are facing
that kind of situation. Again, I would ask you, why did you find it necessary
to exclude this point of service information from being used in fundraising? It
operated for 40 plus years prior to this under the ethical guidelines of our
organization in how we treated information.

DR. HOUSTON: But I believe in one of the preambles it does specifically
describe why. The rationale, I believe, was that by including that department
of service information, that you are in essence disclosing PHI, and that if
somebody got a mailing at home from the Johns Hopkins Cancer Institute or
whatever, that somebody receiving that letter might say, did they have cancer.

We took testimony this morning, talking about fundraising, where there was
a discussion talking about the fact that right now, it is permitted for
pharmacies to send brochures to patients’ homes describing alternative therapy
and different medication, giving an alternative.

DR. ROTHSTEIN: Pat of the rationale is not so much because of the contact
of the individual. It is just a sharing of the information with third parties
who have no role in their treatment. That would not include only your
in-hospital people, but your business associates. Therefore, you could hire
some outside fundraising company to assist you, and now to disclose that I am
being seen for such-and-such, would be to disclose that condition to another
set of people that on balance the privacy rule thought that if those
disclosures should be made, it should be pursuant to an authorization.

So my question was, what is the rationale. I believe that is the rationale.
Part of it is as John described, but also reining in the control.

DR. MC GINLY: But the fact that I get a mailing from the oncology
department at Johns Hopkins doesn’t mean that I was a patient there. I may have
an interest in that, because I have a relative who was — there are all sorts
of things. I don’t see that as disclosing information.

DR. ROTHSTEIN: But it is not the mailing. If that is disclosed to ABC
solicitation company, —

DR. MC GINLY: If I hire a direct mail firm to do that, they are subject to
the same rules we are. That is another thing.

MR. REYNOLDS: But again, I go back to the specialty hospital. Could the
specialty hospital hire that outside service to do any different? I am going to
the level playing field of the situation that the patient is in, and then what
can whoever finds it out do.

DR. MC GINLY: I think you also need to interject, in 35 or 40 years, what
kinds of issues have we had with patients, donors and others about this kind of
fundraising. For all that period of time, if people said to us or said to our
members, we don’t want to receive fundraising materials, they are gone from the
list. They have always been gone. We don’t want to waste our efforts on people
that aren’t interested, and added costs, just from that perspective. But we
have a bigger responsibility in protecting that information. That is the
integrity of the fundraising through the health provider.

Again, the question that comes back to the committee is, is this overkill.
From our perspective, it certainly is.

DR. HOUSTON: I’m going to ask a question I think I know the answer to. Are
there any OCR FAQs on fundraising? I think I already know the answer, but I am
going to ask it anyway.

DR. ROTHSTEIN: I don’t believe so. I looked at the website before I came on
fundraising and marketing, just to prepare for the hearings, and I couldn’t
find it. That doesn’t mean that there aren’t any.

DR. HOUSTON: I hadn’t found any. I know that as of a couple of months ago
there weren’t any.

DR. MC GINLY: You are talking about any complaints?

DR. HOUSTON: Well, complaints is another point that you brought up. What I
am trying to establish is, obviously there is an impact on fundraising with the
privacy rule, but still, there is nothing from an OCR perspective that gives
any guidance or clarity as to these types of issues. Maybe it is what it is,
and the issue is not clarity and FAQs, but rather some type of substantive
change that allows these foundations and other organizations to do their
business or to regain the lost fundraising dollars.

MR. ZELLER: I would argue, Mr. Houston, that it also comes to the
individual interpretation of the organization, which I referenced in my
remarks. The diversity of the interpretations are so broad. I think Bill has
probably seen that in reference to his discussion and comment as well.

I would like to come back to the component of patients and their support by
disease area. There is a very powerful motivation for individuals who are
philanthropically inclined to want to become engaged in the support for either
the patients or the programs specific to their disease, or what their family
may be facing. Our history has shown, at least at Hopkins and I think at other
institutions, that people are very passionate about that. What we have found is
that this process as it currently exists interrupts that at a very inopportune
time by asking the people before they have had contact with the institution to
agree to a perception of what fundraising might be, as opposed to how it is
actually conducted.

DR. MC GINLY: I think what you are assuming was, when our member visits
somebody in the hospital, they are making a solicitation. That never happens.

DR. ROTHSTEIN: I understand. I just wanted that to be clarified. I didn’t
assume that was happening. I work with development people every day of the
week, and you never would ask somebody the first time you met them, even if you
met them in their office.

DR. MC GINLY: That is the point John is making, as far as the point at
which you are asking for this authorization, and the fact that we have never
had this issue before. This has made it much more complicated. We are losing
service, we are losing dollars. We are investing more money and expense, and
really, it has been a non-issue with patients and grateful patients in the
community for the most part.

We have seen people ask questions, or we have seen people charge into an
office and say, how did you get my name, what is this all about, and we explain
that to them. if we want to take them off, fine. But more frequently, we turn
them into much more avid volunteers and donors.

DR. ROTHSTEIN: Let me just remind everybody that the committee is already
on record with a recommendation in this area. Much of the discussion this
afternoon has involved things that would require a change to the rule, an
amendment.

Is there anything that the department could do to make your lives easier
than could be accomplished without amending the rule? In other words, is there
guidance, education and interpretation or something of that sort that could be
done more easily and with less controversy, and more quickly of course, than
amending the rule?

DR. MC GINLY: I gave you some examples early on in interpretation for age
and insurance. It is all over the board. Despite our best efforts, there are
people out there who are interpreting it one way. There are people that are
making decisions that are based in politics. There are people making decisions
based on compliance, strict and not strict. There are people making decisions
based on advisors that haven’t even read the regulations, unfortunately.

DR. ROTHSTEIN: So you are saying that more guidance and clarity would help
in interpreting?

DR. MC GINLY: In anything, yes, absolutely. But it is not going to be —
that goes across the board in the fundraising part of this. However, the one
thing that is really detrimental, and I know you are on record with this, but
you are also able to amend that or follow through and suggest a rule change.
That should be in our humble opinion the elimination of that written
authorization.

What are you going to go back to? You are going to go back to what was
working, anyway.

DR. ROTHSTEIN: Further questions?

MR. FANNING: I have a question. Dr. McGinly, you make reference to donors
and volunteers. Explain what you mean by volunteers, people who actually give
individual services?

DR. MC GINLY: Sure. We have a whole host of volunteers, auxiliaries, people
that are manning information desks, people that are helping the chaplaincy
throughout the hospital. Those are volunteers that may not necessarily be
financial donors.

Now, once you have somebody who is volunteering and contributing time, and
we have got high school students, we have got the elderly that are in there,
all ages doing this, it is phenomenal. But some of them are both volunteering
time and financial resources, some are just volunteering time.

MR. FANNING: But do you solicit — in the same way that you solicit for
money, do you solicit for volunteers?

DR. MC GINLY: Sure, we will try and get them involved and have them support
financially and things that are dear to them. We are not trying to get
everybody in the world. if we can get 30 percent, —

MR. FANNING: Thank you.

DR. ROTHSTEIN: Dr. Harding.

DR. HARDING: Let me see if I have a couple of things straight here. One is
that costs of fundraising have gone up in the last 15 months due to new hires
and systemic changes that have to be done. So the cost has gone up. Would you
say that is significant? Or is that two percent, or is that 50 percent? Is that
a considerable amount that we are talking about, or is that just a little.

MR. ZELLER: I can give you the exact numbers. Our budget went up by
$400,000 just in the short term. That has not taken into consideration the
systems time for development that needs to be put in play, does not take into
account the cost of preparing three-part authorizations, does not take into
account the technology necessary to manage thousands of authorizations and
index them.

PARTICIPANT: Or the redirection of some staff resources.

MR. ZELLER: Or the redirection of existing resources. At a time where
health care budgets are extremely constrained, those dollars are being taken as
redirects to avoid jeopardizing the revenue stream that we have.

DR. HARDING: So a significant increase, you would say. You also said that
there was a decrease in small donor contributions in the last year? You are
saying patient contributions. I refer to that as a small donor as compared to a
foundation or something.

MR. ZELLER: Actually, Dr. Harding, some of our largest contributions come
from individuals. So the diminution of the percentage of individuals supporting
Hopkins from 70 to 56 percent can translate quickly into multiple millions of
dollars.

DR. HARDING: And once again, 15 months out — and there hasn’t been a trend
line developed, your feeling is that the authorization and the less than 50
percent signing up and so forth is very likely to be contributing to that.

MR. ZELLER: That is our intuitive response to it, if you will. As you look
at it, there could be a confluence of a number of factors that are happening,
but when you look at those two together, it begins to give us pause as to
whether or not we are headed for a problem.

I might say that there is a shadow effect that occurs here, and I think
Bill would support this. Philanthropy, as I mentioned, is built on
relationships. It comes over a period of time. So much of what we are seeing
can be pre-existing relationships that exist between a patient, a physician,
the institution development office. To keep that stream if you will alive, you
constantly have to replenish it with new relationships. If that part of the
process is being interrupted, then what we see now may be a very temporary
sustaining philanthropic support that could be in great jeopardy going forward.

PARTICIPANT: It will likely take us two to three years at a minimum to see
the impact of this.

DR. MC GINLY: They need to learn about us, and that takes time, as to what
we do in finding out what their interests are. This comes at a terrible time.
In 2002, for instance, when we surveyed our members, 47 percent said they were
at the same level or giving or less than the prior year, just before we ended
the year; 27 percent of those were way, way down. Fifty-three percent said they
were up, not significantly. In the fundraising parlance, almost all of those
were in some stage of a capital campaign, which is an added special effort.
That was what was sustaining them more than their daily operations and
continuing to build those relationships. So it was very difficult that year,
for a lot of reasons.

MR. ZELLER: I would also add that there is a cumulative effect here that
needs to be taken into account. We have been able to with fairly high
confidence track back what the investment of a philanthropic dollar does. It
translates into what happens at the institution. Over the course of time, that
return is almost ten to one. So for every dollar invested philanthropically, we
are able to leverage that ten times over, particularly in our research
enterprise, where as I mention, patients want to support new novel
investigations in research that isn’t currently funded.

I can give you very, very notable examples. Probably the best would be Bert
Vogelstein, most cited scientist in the world for the last 20 years. His
program — and he fundamentally changed the understanding of cancer — his
program was only made possible because a private gift gave him the money to
start something that the NIH wouldn’t even consider. Radical prostatectomies
began as private philanthropy that was then leveraged into NIH.

Bert Vogelstein’s lab has produced some of the world’s leaders in cancer
research. He is very handsomely funded by NIH, as is his lab. But the
fundamental basis would not have begun if it were not for individuals who came
in and provided those critical dollars.

So I think it is not only the bottom line impact that philanthropy has to a
P&L statement of an organization, which is significant at a place like
Hopkins, where in our overall budget we are talking about a margin of $40, $42
million on a nearly four billion dollar operation, and philanthropy makes that
difference. When you back out all of the clinical revenue and NIH revenue and
begin to narrow that gap down to a relatively defined revenue stream,
philanthropy represents a huge piece of funds that can be leveraged, unlike any
of the others.

So it is a significant impact not only from the P&L and how much money
is raised this year, but it is how it is used and how it is leveraged going
forward.

DR. HARDING: Just to finish, Bill, you also said that there were very few
complaints at this point that have come into the CR. At least, we don’t know of
any at the present time.

DR. MC GINLY: I can’t quantify that because they wouldn’t give me exact
numbers. But as of December, there were about 2400 complaints that had come in.
They did tell me that one-third of them had been resolved without anything, but
they did not tell me the exact number of fundraising — but to my knowledge,
there hasn’t been anything about fundraising. In my 20 years in this spot that
I am in, I bet you I haven’t run into more than half a dozen. Some of them have
been critical as far as a patient being upset, but they have been resolved and
turned around.

The last thing I wanted to say is, I remember the discussion years ago
about the issue of point of service within a general hospital of a specific
-ology, urology and so forth. But I don’t remember any discussion about
specialty hospitals at that time, that they should have a separate or a
different —

DR. ROTHSTEIN: My recollection is that there is no mention of specialty
hospitals. It is just by default. So when M.D. Anderson wants to solicit you,
you would know who they are.

DR. MC GINLY: Life is life. When the bank statement comes to our house, if
my wife opens it, she knows all the checks I have written and I’m not supposed
to write. That is the chance you take. But I don’t see where that is disclosing
anything that has got to be a big problem.

DR. ROTHSTEIN: John, would you like to follow up on that line?

DR. HOUSTON: Sure, a couple of points, I guess. We obviously can check with
OCR and see if we can find out if there is any additional information related
to fundraising. But a couple of thoughts. You need to ask the question, are
there things you can do in the context of the current rule. I’m going to throw
two of them on the table, just to get a sense of whether they are feasible.

One is in the context of saying, if you do have some type of
organizationally separate subsidiary or freestanding facility, maybe we could
get guidance that would be acceptable because of the fact that there really
isn’t any specific separate risk of privacy.

The other one I would ask is, what about guidance regarding employed
physicians who make fundraising appeals in their capacity as a physician to
their own patients? Does that help?

DR. MC GINLY: Let me give you a sense of some of the things that are going
on around the country with that. We wrote a letter, got some clarification,
like a physician employed by the entity can certainly give a name, just like a
nurse, the janitor, anyone else can give a name. The physician who is on staff
has to have — it is in the letter, I forget the exact words, the
organizational relationship agreement. We have had attorneys that have said,
that is implied, and therefore all physicians can get that, and that is the one
I would like to go with.

Go ahead.

DR. HOUSTON: I am more thinking of the physician that is able to provide
the actual letter appeal to his patients.

DR. MC GINLY: One of the approaches to that is, they are doing that, and
maybe the development office is doing all of the back office work for that, can
they do that. Well, if they are acting as a volunteer, you could, under the
direction. But how do you get that kind of interpretation?

DR. ROTHSTEIN: Besides that, let me add that there are some ethical
problems with that, because patients would feel a sense of coercion if the
doctor who is saving their life and treating them on an ongoing basis now
solicits them to make contribution to his or her institution.

DR. MC GINLY: You could say the same thing about the institution that saved
their life.

DR. ROTHSTEIN: They are not bound by the same codes of ethics that
physicians are. My recommendation would be that that is probably a direction
that I would not like to see —

DR. MC GINLY: But, Mark, in fact, physicians do do that. The AMA has a
statement about ethics and fundraising, and they are exercising in that
statement — they have just reviewed it, the draft has come out, I don’t think
they have finalized it.

Yes, there has to be due diligence and care, and some physicians will use
that as a reason they don’t want to get involved, because — for whatever
reason. But again, it is acknowledged by the AMA.

DR. ROTHSTEIN: But many physicians are very uncomfortable in that role.
What I am saying to John is that I would not like to institutionalize the role
of physician as gateway to patient information for fundraising purposes.

DR. HOUSTON: I understand that that is your own personal perspective. It
sounds like there is some — I appreciate that. I am just thinking, is that a
possible strategy that should at least be considered in the context of the
subcommittee, and is there a value to it from —

DR. MC GINLY: There are champions out there that are physicians in the
fundraising environment. Of course, they are very careful with what they are
putting out. They are not always raising funds or something that is their
research; they are doing it on behalf of the institution.

DR. ROTHSTEIN: I understand that. Having served on the board of directors
of a major disease organization that had many leading physicians on the board
of directors, we debated for hours about the proper role of physicians in
raising money for what we all thought was a terrific cause. Many told us
stories about patients who sought another physician because they were wealthy
patients who were asked by their doctor if they would consider giving money to
such-and-such foundation, and the patients had a fit. The docs became very
gunshy then, and I understand that.

There is a role for that. But my view is, I don’t think we should be
latching on to that as a way of solving some other problem.

MR. ZELLER: Let me make a comment, Mr. Houston, relative to that. I would
echo the Chairman’s comments. We actually looked at and did some pilots using
physicians for seeking of authorization, not asking a patient for money. It was
very awkward. Physicians were very uncomfortable having to have that
conversation, coupled with patient care.

Physicians — there are many who are very accomplished fundraisers, but by
training are not fundraisers. Under our scenario, they still would not be
allowed to disclose that patient’s name to the development office to provide
the support necessary to do it even if they wanted.

DR. HOUSTON: Your model as I understand it would be, the physician sends
the letter which says, if you would like to contribute or be contacted, please
provide this authorization, send it to whatever the foundation is or the
fundraising office, and they will contact you back. I think that is what your
model is.

MR. ZELLER: No, our model is at the point of registration.

DR. HOUSTON: No, what you tested, though.

MR. ZELLER: They were tested in both personal presentation as well as at
the registration model. We did not send letters.

DR. HOUSTON: Oh, you did not?

MR. ZELLER: No. The interpretation was that we couldn’t.

DR. ROTHSTEIN: Other staff questions? Thank you. It was a very engaging
presentation. It is always good to go back to issues that need further
refinement. We appreciate your presentations.

We will take a brief recess for 15 minutes, and begin the panel on PHI and
the media at 2:45.

(Brief recess.)

Agenda Item: Media Access to PHI – Panel 3

DR. ROTHSTEIN: Good afternoon, everyone. We are going to get started now.
In the interest of moving on with these hearings, we are going to begin our
third panel on media access to PHI a few minutes early. Because we have six
individuals testifying on this panel, I thought if we began early, we would be
able to give more time t present your testimony, and also give the subcommittee
members more time to ask you questions.

Alerting those of you on the Internet to a proposed schedule for this
afternoon, as of now, there are no individuals who have signed up for the
public comment period, so we will conclude with the media access panel. The
time listed for subcommittee discussion five to 5:30 will simply be moved to
tomorrow because we have subcommittee discussion essentially all morning.
Therefore, we don’t need to meet at five this afternoon. So we will conclude at
4:30 or sometime around there, whenever the subcommittee members and/or the
panel members have exhausted the issue and/or themselves.

So I want to welcome all of you to address an issue that is very important,
very interesting, one that we frankly have not spent any prior time on in terms
of our hearings, unlike some of the other issues we talked about today. We are
anxious to hear your views on this.

So I would like to begin by asking Sara Howley to speak.

MS. HOWLEY: Good afternoon. My name is Sara Howley. I am the Director of
Public Communications for the North Broward Hospital District. We are located
in Fort Lauderdale, Florida, and we cover the northern two-thirds of Broward
County. We are a tax assisted public hospital system. We have approximately 35
facilities that range from our four medical centers, Children’s Hospital, and
about 30 other facilities that are primary care, school-based clinics, and also
some family health centers in that area.

We are the third largest employer in the county. That means we have 7500
employees, and we have 1600 physicians on staff.

DR. ROTHSTEIN: Excuse me. I don’t mean to interrupt. Our hearings are not
only going on the Internet, but we also have some people who are on conference
call listening in to us. I would ask the people on the conference call to try
to be as quiet as possible, maybe hit a mute key if you have got it, because
all of the telephone movement and shuffling around is being heard here at the
hearing. Thank you. I’m sorry.

MS. HOWLEY: That’s all right. Anyway, we provide care for everyone
regardless of their ability to pay within the northern section of Broward
County. I wanted to also point out that we have two of the three trauma centers
in that county. We are going to speak about a lot of high profile media
situations here, where we would have patients that would come to us. I think
that is an important point.

At the North Broward Hospital District, patient privacy has always been our
top priority. That has been for years, ever since we came into existence. So we
really take it very seriously, but we also had a very large task ahead of us to
make sure that we were compliant as of the April 14 deadline, but we started
way before that. We actually started in October of 2000, where we hired someone
onto our staff to help us evaluate exactly what we needed to do. By October
2001, we had a complete department that handles all of our HIPAA compliance
throughout our whole hospital district and with all of our medical centers.

One exception. We have been very patient focused on privacy. One exception
prior to HIPAA being put in place was with public record patients, where we had
a little bit more leeway in the timeliness and the information we were able to
provide to the media at that point. That has obviously since changed somewhat,
and we have included that in all of our policies.

Within our department of corporate communications, we started very early on
looking at our policies for releasing patient information. We also had to
revise our policy along with redoing our consent forms for information. We had
always had a consent form; we now needed to make sure that it was done
appropriately and according to the standards. We also had it done in four
different languages to accommodate our patient population.

From that point on, we decided that once we had our policy in place and our
consent form finished and complete, we needed to then educate our internal
media relations staff, approximately 15 people, and another 25 people who are
not direct media relations employees, but they have direct contact with the
media, such as security personnel and some of our nursing supervisors who
handle weekend and media calls in the evenings.

We did that training, and we also took the time to evaluate media staging
areas. As you can imagine, especially with the trauma centers, we do have a lot
of high profile situations that come, and media outside of our doors was
considered a public access area. Now we have to readjust our parameters to make
sure that patient privacy for other people who are coming in and out of the
facility was handled.

We went ahead and got that taken care of, handled all of our internal
issues, and then decided that we really needed to go and work directly with
those agencies that we worked with on an everyday basis, including the media,
and including law enforcement and fire and rescue personnel.

Our first step was to go to the fire and rescue personnel and talk to them
about what the new standards were going to be, how it was going to be different
in our response to the media. We spoke at big meetings for department of law
enforcement, also the Florida public information officers group, we went and
talked to them and explained what was going to be happening and how we would be
changing the way in which we would be responding to the media in the upcoming
year.

Once we completed that, we realized that now we needed to bring together
everyone. So we went ahead and pulled together all South Florida hospitals. All
media outlets in South Florida were invited to attend, all law enforcement to a
media summit that took place on April 2 of 2002. We had representatives from
the American Hospital Association and from the Florida Hospital Association
attend to tell everyone in the room what was going to be taking place and how
the changes would affect them and our relationship, and what we could do really
to work together. Our focus always, always, is patient confidentiality and
privacy first, but we also understand that the media has their job to do, and
we were always able to work with them, and we wanted to continue that
relationship and figure out the best ways to work together.

That actually was an excellent summit and an excellent time for us to gauge
everyone’s feeling. We followed up with lots of newsletters and lots of
answering of questions from the summit that we were able to send out by blast
e-mails and newsletters to the agencies and newsrooms so that they could make
sure to have it accessible. We wanted to be accessible to them so that it
wasn’t a huge change. We didn’t really look at it as — there wasn’t a whole
lot to change, but we did realize we would probably see some repercussions
after the fact that we were going to want to take note of and follow up with.

So the next thing that happened was that everything went into effect. We
actually started ours much earlier, just to get our media personnel up and
running and feeling comfortable with it. We have seen some consequences since
the HIPAA implementation. Some of them we expected, others we were just
learning about and feeling our way through in our dealings with the media.

I would say that one of our top concerns we received — and these are
mostly coming from our dealings with patients — is, we do have a lot of trauma
that shows up to our facility. Some of them are high profile and some of them
involve high profile people from the community as well. We had a recent
incident. I did get a consent to be able to explain this, but we did have a
recent incident where there was a small plane crash that involved three people,
a pilot, his son and the son’s girlfriend.

It just so happened that the pilot was killed in the crash and so was the
female, the girlfriend of the son. The son was transported to one of our trauma
centers, and the mother and wife of the pilot in this unfortunate situation
arrived at the hospital. She is a very prominent member of our community and
very well respected, and is actually is a corporate communications director for
a large company there.

When I met with her, there was a television on in the waiting area, she had
it on, and she said, one thing I don’t seem to understand is, you don’t give
out information, but how can fire, rescue and law enforcement be allowed to
talk about the injuries to my husband and what took place at the scene as far
as my son’s health. I sat with her and I explained the HIPAA requirements and
how we are bound by them, but law enforcement and fire-rescue aren’t bound by
the same situations. She was very bothered by this. She mentioned it a few
times during her visit to me. I explained to her that we would be the
go-between for her and the media, if that is what she wished. That is what she
wanted. We worked with her, sent out statements and releases. She felt much
more comfortable, but she still was very concerned about the fact that they
were not going to come to us, but they were able to go to the fire-rescue. They
could have come to us if they wanted to sign a consent, but she felt this was a
very private moment in her life and a very tragic moment, and she wasn’t ready
to share the health information about her son.

So that is one example. We have seen that a few times, where families don’t
quite understand why fire-rescue and police and law enforcement can discuss
information at the scene, but once in the hospital they have the protected
information.

The next consequence we have seen — and we expected this a little bit —
we realized that the reporters need to do their job and we are there to help
them do their job, but priority is confidentiality for the patients. So
reporters will do what they have to to get the information or get to the
patient or the family to get to get their story in first or get their job done.

We have had reporters who have snuck into our hospital, or who have called
patient rooms directly, where they are waiting outside for family members or
patients to be discharged. We have had to for patient privacy reasons find
other ways to escort our patients out of everything from different doorways
because they didn’t want to have to deal with the media at that time in their
life.

We also have seen where reporters are contacting — we have had lots of
families call, they are at my house, or they are calling a place of business,
and we don’t want to deal with this at this time. We do explain to them that we
are there to help them, and if they would like to sign the consent form, that
we are able to get information per their recommendation to the media, and in
some instances do press conferences or help them manage the situation. But we
realize that the media’s job is their job, and that is important, too. So it is
just an unusual situation.

The third consequence I would say that we have seen recently is John Doe
and Jane Doe patients. We have instances where we have had patients brought to
us who are unable to — that have no identification on them, they don’t have
any family with them, and they are unable to communicate to us. We need to find
help for these people, a next of kin to make decisions on their behalf.

In a very last resort prior to HIPAA, very, very last resort, we would
contact the media and have them come in. Prior to that, we would have law
enforcement come in and do their prints and we would do some other checks to
see if we could find out who these people are and get their next of kin there
without going through the media.

We used to as a last resort then ask the media to come in and take a photo
of the patient and take some information, and very instantly we would find
their loved one. That made our process much easier. We were able to get the
answers we needed from their loved ones. Now we are unable to provide a photo,
and in the last year we have had a few of these situations where, instead of
the newspaper and television, we would have to get a description, which is much
harder for people to realize, this is a family member. So we have to get a
description together and ask the media to then run it. It does add some extra
time onto what we would consider critical care time. Nurses and doctors come to
us to help them with that as a last resort, and now we are just not able to get
them the information they need as timely.

Other than that, I know that we have had a few other situations, but all in
all, I think we have always been so conscious of patient confidentiality. I
believe that most hospitals, the majority of them have been that same way. So
we are able to work in many of the parameters, but I do have some
recommendations on behalf of what I have experienced, and my colleagues.

The largest recommendation I can offer is more education. I am completely,
100 percent impressed with how the health care profession and hospitals,
medical centers, everyone has been educated on HIPAA, and exactly what it
stands for. It is very impressive. Anyone you meet, you can mention it, and if
they are in the health care field, they know exactly what it is.

Where we do see a problem is with the general public and with law
enforcement, and also with media. The general public we find it very difficult
to explain to them these rights that they have and what HIPAA is all about,
especially in a time of crisis. When we are seeing people, they are coming in
the door in a time of crisis. So they don’t want to see the extra paperwork all
the time. It is hard for them to understand what it is all about. I think it
would be most beneficial for us to be able to educate people prior to them
coming to the hospital, so they understand, and a user friendly format would be
very beneficial.

Also, I know that law enforcement and fire-rescue does not fall under HHS,
but I do believe that they should be educated and encouraged to be held a
little bit more accountable for patient information in the field. I have seen
personally what has happened with some of our patients. As a media relations
representative, you become more than just a media relations representative in
those times; you become a contact for these families in a hospital.

Other than that, I would just recommend for media to be able to work better
with them, to use them to get the education out there. Also, we realize it is
their job, and obviously we are doing what we have to for our patients first
and foremost.

DR. ROTHSTEIN: Thank you very much. Ms. Stewart.

MS. STEWART: Good afternoon. I am Emily Stewart, the policy analyst with
the Health Policy Project. The Health Policy Project is dedicated to raising
awareness about the importance of insuring health privacy in order to create
better access to quality health care on both an individual and a community
level.

In addition to educating both the public about their rights and providers
about their responsibilities, the privacy project conducts analysis on a broad
range of issues, including the HIPAA privacy rule, state privacy laws, genetics
and workplace privacy, e-health initiatives and bioterrorism and public health
surveillance initiatives. In addition, we also coordinate the Consumer
Coalition for Health Privacy, which is a coalition consisting of over 100 major
organizations representing both patients and providers alike.

The mission of the Health Policy Project is in general to build greater
trust and confidence in the health care system, so that patients feel more
comfortable fully participating in their health care and in research as well
without feeling that they are at risk for unwarranted disclosures of their
personal health information.

We believe as most here do that it is wrong for patients to have to choose
between health care quality and privacy. Unfortunately, when patients do have
to choose, they often have to forego quality health care in order to secure
their privacy.

According to a 1999 California health care survey, one out of every six
Americans withdraws from participation in their own health care for fear that
the medical information will be used without their knowledge or permission.
This could include patients either being dishonest with their physicians,
doctor hopping, which is moving from one doctor to another in order that there
is not a medical record trail, paying out of pocket or in the most extreme
cases, avoiding care altogether.

When Americans feel that disclosing their health information is going to
result in stigma and discrimination, they often choose not to disclose whether
it is to family, friends, coworkers. In April 2001, a Harris survey showed that
four out of ten people with multiple sclerosis had lied or failed to disclose
their diagnosis to colleagues, coworkers, friends, and even family members out
of fear of job loss and stigma.

This is obviously why we believe the HIPAA privacy rule is so important.
For decades, the public clamored for a federal safeguard to protect the privacy
of their personal health information, and the HIPAA privacy rule was a
significant step in rebuilding that public trust in the health care system.

Based on a principle of informed consent, the HIPAA privacy rule
acknowledges that in order for patients to have meaningful control over health
care decisions, they have to have meaningful control over their personal health
information. The most basic tenet of the HIPAA privacy rule, that personal
health information should be kept and shared where it belongs, in the health
care arena.

Which leads us to the issue of the media. By and large, health information
can be highly sensitive. There is no reason why it can’t be subject to public
scrutiny. In the past, disclosures in the media have not always been for
altruistic purposes. For instance, in 1992, New York Congressman Nidia
Valesquez’ confidentiality medical records were disclosed on the eve of her
primary. The information included information of a bout with depression and a
suicide attempt. After overcoming the fallout and winning the election, she did
testify very eloquently about her experiences.

That same year, the now late tennis star Arthur Ashe was forced to publicly
reveal that he as HIV positive, in 1992, after a health care worker tipped off
USA Today. The editors of USA Today showed up to his home with a reporter and
photographer to confirm the story. Coerced into publicly revealing this
sensitive information, Ashe called a press conference to announce he had
contracted HIV through a blood transfusion. The next year, he died, but before
that, he did publicly say how distraught he was over having felt forced to
disclose this information. Him and his family found out that he was HIV
positive, I believe in 1988, and one of their top priorities was keeping this a
family matter, private family matter.

These stories serve to highlight and align that the privacy rule
intentionally draws — patient medical records are not public records, although
hospital directory information is available for people who know the person’s
name, as long as the person did not choose to opt out of the directory.

In the past, the media’s access to any information they had access to was
by custom, not by law. Prior to the privacy rule, the media may have become
used to lenient practices at certain hospitals that treated patient records as
public records, but the privacy rule clearly now prevents this.

The privacy rule regulates information both in the health care industry and
in the core health care system, whether it is having an opt-out for the
directory or the next of kin, or the minimum necessary disclosures, minimum
necessary applying to non-treatment relationships, and then disclosures outside
of the health care system are even more strictly regulated, barring disclosures
to employers, for instance. The media is not and should not have access to
special privileges.

The privacy rule also allows for access outside of the core health care
system, whether it is for quality assessment or accreditation or reporting to
law enforcement or assisting public health authorities. Representatives of the
media are not deputized to be law enforcement or public health officials, and
their investigations should certainly not trump the privacy of patients.
Although the media does play an important role in informing the public and
investigating misdeeds within the health care system, these investigations must
proceed within the bounds of personal privacy.

We recognize that this issue does pit civil liberties against one another,
the public’s right to be informed and a patient’s right for personal privacy.
This 1989 Supreme Court case serves as an informative backdrop. The reporter’s
committee sued the government because the FBI refused to give them information
on a Charles Medinos’ rap sheet. They were arguing that the rap sheet was a
matter of public interest, because Medinos’ family business had inappropriate
relationships with the Congressman who awarded the business contracts, defense
contracts. The Supreme Court held that the media did not have a right to access
the rap sheets, and that the disclosure constituted an unwarranted invasion of
personal privacy. The Court also affirmed that the rights of the press
respondents in this case are no different from those that might be asserted by
any other third party, such as a neighbor or prospective employer.

While the media would be accessing information for reasons that might be
different from a neighbor or an employer it is still important to note that
they should not have special access. In this situation too, medical records are
more sensitive than rap sheet records. Whereas rap sheets contain information
available to the public, it is just that the rap sheet brings the information
together. If you knew where the person had been arrested or been before a court
in the past, you could collect this information on your own. Medical records
contain highly sensitive private information that is not available to the
public. Whereas rap sheets are compiled by the government, medical records are
compiled by the private sector. And whereas rap sheets contain information
about criminal proceedings, medical records contain information that was
collected in a very private setting.

The HIPAA privacy rule was designed to keep information within the health
care arena. The media’s interest in recording medical information, whether in
pursuit of a story or to aid in public disclosures in an emergency does not
trump peoples’ right to medical privacy. We therefore urge the NCVHS to keep
the privacy rule concerning media as it stands.

DR. ROTHSTEIN: Thank you very much. Just to remind all of our panel
members, we will have questions at the conclusion of all the presentations. Now
we will go to Tonda Rush.

MS. RUSH: Thank you very much. I have to confess that while I did prepare a
Power Point presentation, a gentleman with a crowbar got into our office the
night before last, and he now has my laptop, so I have no machine on which to
show it. Do we have any independent projection possibilities here? I think you
have written copies.

DR. ROTHSTEIN: If you want, we can skip you in the queue and get something
set up.

MS. RUSH: That’s fine. If you want to take someone else first, it might
make it a little bit more organized.

(Discussion off the record regarding presentation arrangements.)

DR. ROTHSTEIN: Ready to go.

MS. RUSH: Thank you. My name is Tonda Rush. I am President of American
PressWorks, which is a private consulting — an association management firm
here in Washington. We represent the National Newspaper Association and others,
and have done some work with other media organizations on HIPAA related issues.

It probably bears a few moments to explain to you what the National
Newspaper Association is, particularly for all of us who are accustomed to life
inside the Beltway. These newspapers are small dailies and weeklies that
operate around the country, many of them more than 100 years old. There are
2500 members. There may be 6,000 weekly newspapers in this country. It is not
something that you would necessarily recognize if you lived your life inside
the confines of the Washington Post and the New York Times media world. So when
I am talking about the press, often in my mind’s eye I am talking about the
people that live in Missouri and Utah and New Mexico and Minnesota, and places
that may not be as familiar to all of us unless we happen to come from one of
those areas.

Clearly, interests of very large cities and their media are involved here.
We have two other folks here who I think probably will address some of those
maybe more pertinently.

Let me talk about how the news media use health information. I want to say
in this context that mostly what I am talking about here is the kind of
information that would have before the HIPAA privacy rule fallen into the
context of directly information and possibly a statement of condition. In some
cases, there may be something that would become more detailed and possibly more
intimate than that, but I think it has been true for some time that because of
the practices of health care institutions, most media organizations have
learned to work with public affairs people to talk to patients directly and
receive consents in many cases.

So most of what I am talking about here is a very simple statement of name,
maybe an injury and maybe a statement of condition.

News media will pick up this kind of information to connect the community
through people stories, provide information on public events, at times put
health care institutions and the state of health care in this country into the
public spotlight, remembering that newspapers are not textbooks, they are
organizations that try to tell stories through people, and on occasion to
provide vital information about public officials.

Since the privacy rule went into effect, and to the media, HIPAA is the
privacy rule in a lot of ways, we recognized there is a lot more to it than you
all have examined than that, but HIPAA has become shorthand for a lot of
trouble we have had in the past year.

The peoples’ stories are often gagged. The news sources that reporters
would have gone to have found themselves confused, sometimes illegitimately,
sometimes rightfully so, about what they can say and what they can’t say. I
receive still to this day periodic reports through our legal hotline of people
that say, I spoke with the small hospital, the public affairs woman said our
CEO says we are not going to disclose anything because we are not sure what we
can disclose. We would rather break the law by not telling than by disclosing
something that we are not supposed to say.

Very often, official sources that do have public record responsibilities in
the states and they are not covered entities, they don’t have patient
information, but may have public records, are using HIPAA as an excuse to not
reveal things that they otherwise would have said. Or possibly otherwise would
not have said, but they just found a new reason not to say it. That is not an
uncommon circumstance.

There is a history of the involvement of the media organizations here. I’m
not going to go through this in great detail. It is all in your public record.
But a fair summary would be to say that we probably were late in coming to the
realization that the privacy rule would affect news gathering. The Reporters
Committee and the Society of Professional Journalists commented on this very
early. Other organizations have been involved in this kind of conversation. As
recently as last June, an organization that included NNA, Radio and Television
News Directors Association, Newspaper Association of America, which represents
large media, and American Society of Newspaper Editors met with the Office of
Civil Rights. We discussed some of the problems we were having, and I think for
the most part it is fair to say that we simply agreed to disagree. We said what
our problems were. Some of them were not really their problem. They involved
public records. OCR could not think of any good reason why they should not be
involved in the discussion. In some cases, it was a matter of our trying to
convince the office that waiting until patient consent could be given as a
practical matter would kill the story, because it would never happen within a
news cycle, and OCR felt that that wasn’t important.

We did get to a point where we very seriously discussed whether the very
excellent decision making tool that OCR has in its website should include and
could include a statement that the privacy rule does not affect public records
laws held by law enforcement officials, for example, so that we would have a
place to point to when the county sheriff cites HIPAA as a reason not to
release an accident report. We thought at the time that we had an agreement to
do that. There has been no followup on it. We had another discussion in March
about it and one more letter, and we have not had a response to that at this
point.

Most people in our industry have decided that for the most part, HHS is
indifferent to the concerns, and if there is a solution it should be found in
Congress. There is great fear on many sides, including some Congressional
offices that we have visited, that a public disaster similar to 9/11 will be
the springboard from which we get into this public discussion again, and that
could be a very uncomfortable place for all of us.

The types of problems we have run into, to be more specific, do involve law
enforcement agencies. Typically they are not covered entities. Typically they
do have public records filing responsibilities. It is not unusual to find that
a sheriff’s office or a police department will file a public record, and that
the information that the media are trying to access would be in it if it were
filed on time. But it may not be filed for a day or two, and often by the time
it is publicly available, the access is not meaningful any longer because the
story has moved on.

We have had a lot of trouble with hybrid agencies, particularly in small
towns where there may be first responders, EMS services and fire departments
operating under one roof. The regulations do allow them to segregate themselves
out and protect patient information, and still observe their public record
responsibilities, but many of them have found them way too confusing and too
expensive, and have not gotten into it. Therefore, I think what is going on out
there, and you may have investigated it more thoroughly than we, is that they
are treating themselves as a covered entity for purposes of press accounts, but
not for purposes of any other thing that they are doing. That is probably way
too broad of a generalization, but I have seen some specifics of that.

To give you some examples, and I’d like to say, I hope this is the
beginning of your inquiry and not the end. There certainly are file cabinets
and clippings and things that with a little more time we can assemble and give
you, and are happy to do that. Sara and I unfortunately had played phone tag
for almost a week before I found out that you wanted me here today, so this is
about what I have had time to put together for you.

We did have a case in Denver that did reach the public record, federal
court case, where a hospital had some accreditation problems, tried to stop
reporting on that story, citing HIPAA. The newspaper prevailed so far in that
case, but there was quite a legal skirmish, and fortunately it happened to a
newspaper that had deep enough pockets to have counsel to address that.

The kinds of hotline calls that I get as an attorney for our media groups
have involved a hospital worker wanting to talk about patient abuse and afraid
to do it, talking to the newspaper, and the newspaper being afraid to write the
story now for fear of inviting a firestorm of subpoenas against the newspaper
to find out which hospital worker had actually been the source.

I have heard of several cases like this personally. I’m sure there are many
more out there. You may have seen the story in the Washington Post a couple of
weeks ago about one case of viral meningitis. There was one paragraph in there
that said, there may be many more cases, but the public health department is
not required to report it, and the hospitals aren’t able to tell us.

We have had several stories of indigent patients brought in to the
emergency room, shuffled from place to place, no one knows where they are or
how to find them. They don’t have a name to seek a patient directory listing. I
just yesterday had a hospital staffer say, I would rather break the law by
saying nothing.

Had an interesting case come out of Louisiana not too long ago where there
was an amnesiac, just the kind of thing you would expect to see on the soap
operas, where the person bops his head and you get five or ten weeks of, the
person doesn’t know who he is, you have seen all of those. This really
happened. He didn’t know who he was, and neither did anyone else. As it
happened, that case unfolded and developed before the privacy rule went into
effect, so the man was identified.

I was curious to see how you would ever ask about him by name, since he
didn’t know his name. It would have created some interesting conundrums.

I did have a personal experience just along these lines not long ago with a
friend whose brother had gone into the hospital for cancer surgery. The family
was not in touch with him. It was an emergency surgery. He was rushed to the
hospital. The family couldn’t reach him, could not get through to anyone in the
hospital. As it happened, he was in Bangkok and the family was in Florida, and
we had an 80-year-old mother who was almost hysterical. We were very fortunate
to find an American working in Bangkok with enough Thai to call and speak to
the head nurse and find out who he was and that he was all right, and tell the
family that he was okay. If they had been in the United States, we could not
have done that. So HIPAA has had some real-world impact.

I think probably it is hard to get the Washington community to really
understand how these work, but these do happen in small towns. We still have a
lot of newspapers that have been in the practice of running the nursing home
admissions, and people would send them the flowers and the cards. Birth
announcements that used to be around are discontinued. Of those cases, consent
forms would solve the problem, but no one has got the time to do them. The
hospitals aren’t staffed to collect them,and the newspapers aren’t staffed to
get them, either. We have had some complaints from churches saying we used to
get the paper on Saturday to get our prayer list. We don’t do that anymore.
People go to the hospital and cannot be found, because no one is able to reach
someone who can tell them what the patient directory says at that point, and
possibly hasn’t been updated.

I’m sure many of people have talked to you about the list on the hospital
doors for 9/11. I am going to pass out in a few moments a reference to a
workplace shooting that happened in a small town near Kansas City recently,
where the family members were basically herded into a community center, and the
police told them almost nothing for three hours. Five of their family members
had been shot by an irate worker. There was near hysteria. We had a reporter
with them, and the police department later said, you know what? Talking to
those people was not our priority. We were trying to find out where the shooter
was and what happened, which is as it should be. That was the source however
that under the present law the media and the families would have to rely upon,
and that source in that case was unable to do anything to try to assuage the
community concerns. They couldn’t have called the hospitals, they wouldn’t have
talked to the ambulance workers, which quite frankly were newspaper sources
before the privacy rule. So there was a lot of anxiety, and probably needlessly
so. A little public affairs management might have solved it. But in this case,
HIPAA was one of the complications.

You may have heard stories of family and press trying to identify and find
the people injured in the Chicago collapse, the Providence Nightclub fire. I
was interested in the derailment from Amtrak that happened outside
Jacksonville. It was just about a week before the privacy rule went into
effect. Obviously the institutions involved had begun compliance.

Here is how the story went. I don’t know if any of you remember this, but
the train was the car train, I forget what that is called, that comes up from
Florida to Washington, and it derailed, and there were a lot of injuries. The
Post ran three stories on it. The first day’s story said there were a lot of
injuries, that the injured had not been identified because of privacy rules.
The second day’s story said that there were a lot of injuries and a lot of
people were in the hospital, but their identities had not been disclosed. By
the third day, when you might expect that all of the public filings would be on
record, the Post story had moved on to whether the track was bent.

Now, you may say to yourself, so what, it was no one I lost. The world
didn’t come to an end because I didn’t get to find out whether my second cousin
was in that train accident. But the fact is that the names of the people who
were in that accident never appeared in the press. Had there been someone on
there that you might have known that you stumbled across, you certain wouldn’t
find it out from the news media in this kind of circumstance.

Why didn’t the newspaper wait until it was all finished and get all the
disclosures and talk to the patients and get their consent to put their names
in there? Because in the real world, newsprint is dear and time is short, and
the story moves on to something else. That space is occupied by another story.

The press will continue. The stories will continue to happen. I think it is
the readers in this case that wind up not getting the information.

There have been a number of solutions to this problem proposed. I don’t
know, to be quite honest with you, that any of them operate in a perfect world,
and I’m not sure a perfect solution is available. A number of them have been
involved with trying to find a little bit better synergy between the privacy
rule and the public records laws.

It is quite true that before the privacy rule went into effect, a lot of
the information that would have appeared in the public print didn’t happen as a
result of a public record law. It was part of custom. It would have been the
practice of a hospital, for example, to tell the name of someone who was in a
highway accident the night before. That doesn’t happen any longer. It might
have been in the practice of the ambulance service to give that person’s name.
That would not happen anymore. Those wouldn’t be public records disclosures,
but they are the kinds of things that would have led to names being attached to
those stories if the stories had run.

In today’s world, the stories often are not being run, because if there is
no name, there is no story. In the cases where there is a very large story, if
there is enough time and the story continues long enough for all of the parties
to get all their ducks in a row and the hospitals to feel comfortable and the
public records to be filed, then you may get the kind of story that you had two
years ago.

Unfortunately in the nature of media, media don’t usually tell the story
that they don’t tell. So if reporting is not happening and if information is
not reaching the public, it is difficult, other than by running around and
interviewing the reporters or getting their legal questions as I do, to find
out what is missing that you would have had before. I think as time goes on, we
will probably become unconscious of the loss, quite frankly. What I think will
be lost in the process is all the benefits, both direct and intangible, that
come from having a spotlight on public events, on accidents, on public
institutions, upon disasters, anything that you might have had some benefit
from public disclosures.

It is quite true, as my colleague of a few moments ago said, that these
aren’t always altruistic. The press are not nonprofit organizations, or at
least not intentionally so, although I own a piece of one that seems to be
headed that way. They are in the business to do stories. I think it is left to
the public arena, the public officials, to try to look at whether the kinds of
information that they are unable to access and the stories that they are unable
to tell or the ones that they are not able to tell, make us richer or poorer as
a society.

I appreciate the opportunity to talk to you. I am going to quickly pass
this little clipping around. I have about 20 copies of this, Sara, and I am
happy to send you some more if you need them. It is a commentary from an editor
about how HIPAA played into the hysteria in this workplace shooting last week.
I thought it might give you a bird’s-eye view.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. I’m sure we will have some questions
for you later. Now we will go to Ms. Cochran.

MS. COCHRAN: Thank you very much for giving me the opportunity to testify
today. I was so pleased to receive the invitation, because as Tonda just said,
after our last meeting here, we were a little discouraged about whether the
issues that we are seeing were going to get any attention. So we are very glad
to be able to talk to you about them today.

My name is Barbara Cochran. I am the President of the Radio and Television
News Directors Association. We represent 3,000 journalists working in
television and radio and new media in about 30 countries. But most of our
members are here in the United States, and so are affected by this law, and
most of them work as executives in local television and radio stations.

For myself, I also have been a journalist for about 30 years here in
Washington, beginning with the Washington Star, working at National Public
Radio, NBC’s Meet the Press, and I was the bureau chief for CBS News here in
Washington.

We have participated in the efforts before the regulations became official
to make some accommodation for the needs of the news media in these
regulations. So I won’t review all of that history with you, but I do want to
make a couple of points about the importance of this kind of information to the
news media, but even more importantly, to the public. Particularly in times of
emergency, disaster and other events of high public interest, we believe that a
certain amount of identifiable health information reaches the public through
the press, and we believe that the HIPAA privacy policy has had the unintended
consequence of placing the blanket of secrecy over health care information.

The public’s interest in health care information should not be
underestimated. There is a public interest in knowing whether victims of crime
or disasters are being treated in the hospital and what their general status
is. There is a public interest in knowing the health of our public officials
and its relationship to how those officials carry out their duties in public.
There is a public interest in uncovering corruption or mismanagement at the
facilities where individuals receive medical care for themselves and their
families, and there is a public interest in learning about a wide range of
health care issues that affect the community, and about being able to make
informed decisions regarding those issues, including where individuals will
seek health care.

Tonda spoke about the importance of health information after major events
of public importance. Certainly after the terrorist attacks of September 11,
journalists used hospital lists and other records to chronicle the devastation
and to do compelling vignettes about the victims. Directory information also
enabled the public and journalists to keep track of victims who were felled
during the Oklahoma City bombing, the school shootings at Columbine and in
Jonesboro, and during the anthrax attacks. That information helped the public
to fully understand the effect and extent of such tragedies.

But since the HIPAA rules became effective in April of 2003, those rules
have stood in the way of stories that regard matters of public importance that
used to be reported every day by electronic journalists across the country. No
one wants to run afoul of HIPAA. People are afraid of giving out information
that will expose them to litigation, penalties or fines. Because of HIPAA, many
traditional news sources can or will no longer discuss patients with the press.
Journalists are having a hard time finding out names of disaster and accident
victims and investigative reporting or malpractice or patient abuse is
difficult or hazardous to chronicle.

HIPAA has made it more difficult for journalists and other interested
members of the public to obtain health care information on matters of public
interest that used to be routinely available. HIPAA has handcuffed reporters in
their ability to perform due diligence on sources. We are not able to say where
a certain amount of information has come from, or to confirm that this
information is available from a hospital, which used to be the routine way of
confirming information.

Because I have been asked to testify on behalf of the broadcast media, I
wanted to say what makes our situation of particular interest. First of all,
broadcast media is a very important source of news for the public. We conducted
our own study in 2003, and we found that local television news is the chief
source of information for 49.9 percent of the public. Network news is
responsible for 23.2 percent, and local newspapers are the prime source of news
for about 13 percent of the public. Our study also showed that television is
rated highest as the most trusted medium. The FCC Nielsen survey in 2002 found
that almost 60 percent of Americans rely primarily on radio and television for
local news and information.

So our members are those who are providing the news of local interest that
is the first source that the public thinks to turn to, especially when they are
looking for local information. Certainly this is true in breaking news. A fire,
an accident, or still worse, a school shooting or something of that nature, the
citizens turn to local television and local radio for information on that kind
of event, and HIPAA has made that kind of event much more difficult for our
members to report on.

One of the things that we have found is that HIPAA has affected not only
the covered entities, but also the non-covered entities and what they feel free
to report. Many non-covered entities such as police, firemen, even athletic
directors and victims’ relatives believe that they cannot give out information
because of HIPAA. You have probably had the experience yourself of watching a
sporting event that is televised, players injured on the field, and the
announcer says, we can’t give you the information on this athlete who you just
saw injured before your very eyes, because of HIPAA regulations. No wonder the
public is confused.

We have collected lots of examples. I will run through just a few of them
with you. A department of corrections used HIPAA to withhold information about
inmates who had died in state prisons, certainly a story of public interest.
One of our news directors had a news team removed from a hospital after the
patient and the family had expressly invited that news team to come in, and had
agreed to a taped interview about the patient’s treatment and recovery. The
hospital said, even though you are interviewing this patient, we can’t tell who
the camera might inadvertently pick up, and therefore you have to leave.
Routine requests for 9/11 recordings, which are part of the public records,
have been denied, because public officials mistakenly feel that these fall
under HIPAA and can’t be given out.

Because of all of this confusion, RTNDA has prepared and distributed and
posted on its website a set of frequently asked questions and answers on the
backgrounds and the fundamentals of the privacy rule, so that reporters can
assert their rights to obtain information when it is mistakenly being withheld.
We also joined in writing to Mr. Campenelli to ask that the information be
posted on the HHS website, that clarifies that HIPAA does not pre-empt state
public record laws, and that the state law enforcement agencies that are not
covered entities may still provide patient information. So far, we haven’t
received a response to that request.

We also face problems not just because of misinterpretation and
misunderstanding, but because of the application of the rules as they are
written and intended. Some of the examples that Tonda mentioned are examples
that our members have also encountered. A story about emergency room procedures
that would show that particular emergency rooms are not taking appropriate care
of poor patients, those kinds of stories are now impossible to document because
of HIPAA regulations. We talked about the Amtrak train derailment. We also have
had the example of sharks who began attacking swimmers off Virginia Beach, and
reporters were stifled in their efforts to report on those attacks and the
status of the shark attack victims. When 57 partygoers were injured and 13
people died in a porch collapse, Chicago listeners and viewers learned almost
nothing about what happened. When there were reports of SARS cases in the
United States, 1.51 suspected cases in 21 states, U.S. and state health
officials held back the identities, conditions and locations, and refused to
disclose how the cases might be connected. Certainly the public had a deep
interest in understanding more about the degree to which SARS was affecting
American citizens.

You have heard just now about the meningitis case in Fairfax County, and
Tonda detailed exactly how that was a matter of public interest, but where the
public was shortchanged in the information that they received.

Even a feel-good story was stifled because of HIPAA. There is a young girl
in Milwaukee who had been a victim of leukemia. Her story had been widely told
in the pre-HIPAA days, and she had thankfully recovered from leukemia. In
gratitude for the treatment she had received from the local children’s
hospital, she went every year to distribute Christmas presents to the young
patients who were at the children’s hospital. This year — and that was a story
that was also frequently told on local radio and television — this year when
she tried to go back at Christmastime, the hospital said, we are sorry, we
can’t allow the media to come in to chronicle this story of one little girl who
recovered and who was offering hope to other patients in this hospital. So a
story that was uplifting and that provided something for people to feel good
about at the holiday season was untold because of HIPAA.

Finally, the thing that we have discovered is that HIPAA penalizes whistle
blowers. Again, Tonda talked about that. But the kinds of stories, so that the
public can understand the quality of health care that they are giving, so that
they can go to health care providers who are providing quality care, so they
can avoid health care providers who are not providing that care, where the
quality of health care can be exposed at the local level, at the national
level, those kinds of stories are simply not coming to us anymore because
people who might have been willing to blow a whistle before are not willing to
take that risk.

We have also talked about the public disaster. I agree with Tonda, I think
the thing that will disclose the problems with these rules will be another
disaster. We hope it is not another home and security disaster. But I would
suggest that at a time when the federal government is so intent on insuring the
security of the homeland, so intent on protecting the public that the HIPAA
rules which were adopted and being worked on and were never changed after 9/11
occurred, that those rules are in contravention to the goals that the federal
administration is trying to achieve now in making sure that there is quality
information after a homeland security disaster occurs.

What happens? What do people do if there should be another disaster? They
tune in to radio and television to find out what they should do and how they
should protect themselves. They tune in to find out information about their
loved ones. If this information cannot be disseminated because of HIPAA, what
will happen is that something that began as a crisis can quickly develop into a
disaster because the public is being denied important information that would
previously have been available through the news media.

One local example again. In Syracuse, a public school bus was carrying
about 40 pupils on a trip. The bus had an accident. Almost all the students
were injured in some way and were taken to a variety of hospitals around the
area. The hospitals couldn’t release the information about what kids they were
treating. The parents turned to the news media for information and were unable
to get it because it wasn’t available. So these parents were in a position of
going from emergency room to emergency room, all around the Syracuse area,
trying to find their children and be with their children. This is surely not
what was intended when HIPAA was drawn up.

We have offered nine specific proposals that we would ask the committee to
consider and the Department of Health and Human Services to consider in trying
to remedy what we are experiencing now under HIPAA. Just to very briefly state
those for the record, number one is that we ask that the rules be revised to
allow a covered entity to disclose basic information about an individual’s
medical information to the press and the public, so as not to interfere
inappropriately with news reports on matters of public interest.

Most patients who come in to hospitals will never be affected by this. We
are talking about the few instances where this information is of public
interest because it involved an accident or a disaster or a criminal incident
that is of public interest.

The definition of a covered entity should clearly exclude public agencies,
including fire, public, police and law enforcement departments and youth
homicides of 9/11 emergency services. The definition of health care should
clearly exclude emergency services provided by emergency and law enforcement
agencies. State laws should be pre-empted, and that should be clearly stated.
The regulations should be revised so as not to limit protections for whistle
blowers. They should insure protection for whistle blowers to report their
concerns to journalists or others charged with investigating the quality of
health care. The regulations should state that they do not apply to health
information of individuals who have died. The rule should not afford the
ability to restrict public access to directory information. The regulations
should not apply to entities including public health authorities and law
enforcement agencies that receive disclosures of health information from
covered entities. The regulations should clearly state that the civil and
criminal penalties do not apply to the news media, where even information
disseminated by news media is received from a third party who may have violated
HIPAA.

I will conclude with that, and wait for your questions. Again, thank you
for the opportunity to raise all these concerns with all of you.

DR. ROTHSTEIN: Thank you very much. I’m sure we will have several questions
for you. We will now go to Ms. Daugherty.

MS. DAUGHERTY: Thank you very much, and thank you for inviting me to talk
to you this afternoon. I am Rebecca Daugherty, and I am the FOI service center
director at the Reporters Committee for Freedom of the Press. We are a small
organization that runs a hotline for reporters who encounter legal difficulties
in gathering and covering the news. Probably nine-tenths of the questions that
we get from reporters have to do with the inability to access information from
government or from other entities such as hospitals.

Today in my written testimony which you have, I have highlighted our
concerns over two things: the effects of these rules on would-be whistle
blowers, and the need to dispel the widespread theorem in other bureaucracies
that these rules apply to them, and that they would be subject to penalties for
giving information to reporters.

The effect on whistle blowers is certainly pernicious, but we have no idea
how to document what that effect has been, other than to point out the kinds of
stories that we have gotten from whistle blowers in the past. We do not know
what whistle blowers faced with fines and possible criminal penalties of
$25,000 to $250,000, how those people are going to be affected when they have a
story that they feel needs to be disclosed through the press.

A classic example is the 1960 story of Miss Evers’ Boys, a four-decade long
experiment on black men who had syphilis and who were not treated with the
standard of care that people knew at the time. They were not given penicillin,
they were just allowed to deteriorate as there was a study of deterioration of
people who had syphilis. This was a study that was approved by the American
Medical Association, it was a study that was approved by the Centers for
Disease Control, and it was only when a doctor who was treating one of these
patients for something else mentioned to an AP reporter what was going on that
the public had a chance of finding out what was going on. When AP published
that story, it took a week for that experiment to be over.

That is something that that doctor might or might not tell a reporter about
today, because these penalties go right to that health care professional who
gave that information to the press, and caused a much-needed change.

A more recent example occurred in a fertility clinic at the University of
California-Irvine, which was selling embryos. This is a horrible thing to
happen. The people who worked in the clinic notified the press, worked with the
reporters who covered the story, which was an award-winning story. The
reporters themselves went through some psychological training in how to
approach the parents of these embryos to tell them what had happened as they
were covering this issue. Of course, as soon as the story was reported, that
situation stopped.

These are the kinds of things that we don’t hear about now. We don’t hear
people saying that HIPAA has caused these problems, because we don’t know what
we are hearing about, what we are not hearing about. We don’t know what effect
we are having on whistle blowers.

The other thing that we want to mention in our testimony today is the real
need — and Tonda and Barbara talked about this at some length — to dispel the
widespread fear among bureaucracies that they might also be covered by these
penalties, so they can’t talk to the press, either. Certainly we would prefer
to get medical news from medical professionals than to get it from policemen
and firemen, but if we can’t get it from medical professionals, at least we
could find out something about what they observed and be able to provide that
information to the public, which in many cases really needs to have that
information.

In our comments which we made among the 52,000 or so that were made in
2000, we articulated a number of concerns that we had about what these rules
were going to cause for reporters. I think those concerns hold today. This is
going to eliminate any undercover reporter by reporters who are not willing to
also pay fines. Reporters who posed as nursing home assistants, for instance,
are not going to do that, because they will undoubtedly be subject to these
penalties as well.

There are some stories that can only be reported by undercover reporting,
as heinous as some of us find that kind of reporting. In our comments that we
made in 2000, we talked about a story of an abortion clinic in Chicago that was
doing abortions on women who were not pregnant. To get inside and see those
medical records was the only way that the reporter who did that story could get
the story. She needed to know who the patients were by name, even though she
published no names, in order to do the story and also to protect herself from
liable claims. So we can imagine that these rules will affect that kind of
reporting.

They make no provision for disclosure of the health of the officials. They
make no provision protecting information about candidates. We have heard some
discussion here about the New York Congresswoman who suffered from depression
and had that revealed, and was nonetheless voted into office. I think that fact
says something to us as well. I think it says that the public is able to digest
information and address it in a sympathetic way. No one has a monopoly on how
to be sensitive to these concerns. Yet it is a concern when your public
official suffers from depression and tries to commit suicide. It is
unfortunate, and I am certain that there was pain caused by the revelations,
but traditionally in tort law, these are public figures, and they are, to be
quite crass about it, fair game for reporting, and that is a good thing,
because it tells the public things that they public needs to know.

While we are on the public figures area, I think it is also important to
remember the circumstances of reporting Arthur Ashe’s AIDS disease. This was
something that was done very carefully and with a lot of discussion in the
newsroom. This is a much-loved public figure whose life had been exemplary. The
press did not punish the Ashe family for any kind of wrongdoing that it saw; it
simply reported that this is a man who has AIDS, and it reported it at a time
when people saw some kind of a social stigma to having AIDS. If you had AIDS,
it meant that you were sexually promiscuous, that you had somehow — that you
used needles and shared them with other people. There was a tremendous stigma
at that time to the public’s understanding of what AIDS was.

I think if the public is going to fund research, health research, it needs
to know something about how far these kinds of diseases go, and if they can
touch an exemplary figure like Arthur Ashe, then that is important, too. So the
press has taken a lot of hard knocks for that story, but I think it is one that
needed to be told.

These rules don’t allow any publication of information about health care of
people who we trust our lives to. It says nothing about the health care of
pilots. Are we supposed to be able to find out that pilots have alcohol
problems? Are we supposed to be able to find out that bus drivers have drug
problems? These are points that the public has a lot of interest in, and the
public cannot get this kind of information from whistle blowers, if whistle
blowers are going to be facing these huge penalties.

There is no provision for disclosing information on persons who benefit
from prosecutorial decisions made on the basis of their bad health. The example
that we gave in our 2000 comments was the decision of the British government
not to prosecute Pinochet because they said he was not able to withstand
prosecution, and then would reveal no details that satisfied a public that was
hungry to know whether or not they were giving a buy to Pinochet in this or
not. So there are lots of interests here.

We heard some testimony — and I’ll close quickly, because I think Barbara
and Tonda and I have had many of the same concerns — we have heard some
testimony that police and firemen don’t get it right. So there is a reason not
to have them give out information, and a hint that maybe if they think they are
subject to these rules, that is just as well. That is not the case, in my
thinking. I think that it is very important for HHS to make clear to those
entities who are not covered by these rules that they are not covered by them,
that the penalties will not apply. We need that in order to be able to report
the news that you need to have from us.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. Our next witness is Debra Goldschmidt.
Are you online?

MS. GOLDSCHMIDT: I am.

DR. ROTHSTEIN: I am going to ask you if you could hold your testimony for
just a minute. I want to go slightly out of order, because Sara Howley has a
plane to catch. So I want to ask the members of the subcommittee if they have
any specific questions for Ms. Howley before we get your testimony. Then we
will have questions for the entire panel. So are there particular questions for
Sara Howley?

DR. HOUSTON: Especially in light of what I heard from Barbara Cochran and
Rebecca Daugherty and Tonda Rush, you had said you had a media summit. Clearly
there is a lot of interesting discussion here about what the media’s rights
are. Did any of this come up, and what type of solutions maybe were discussed
at that summit regarding the issues that they described?

MS. HOWLEY: The media summit that we had was prior to the implementation of
the HIPAA rule on April 14, 2002. What we did was, it seemed to me that we
introduced a lot of new information at that point to the media that they were
not otherwise educated was going to happen. Also, we were able to clarify some
issues to them.

We have however — about two months ago, we had a media meeting to discuss
some issues with just a few of our local affiliates and newspaper publications,
and HIPAA was very much — and patient privacy was very much an issue that they
wanted to discuss and had concerns about. A lot of it had to do with the
consistency of how hospitals were responding.

I think that actually, we are planning on doing another one. We are going
to invite everyone to it, kind of a followup a year later, to really get some
good information and find out what we can do to work better.

I go back to the fact that I think we do need some more education. A
benefit to us in this field would be some real-life scenarios, some more
direction. Some of what we are told to do is use our best judgment. I can tell
you that as our first priority on patient privacy, use the best judgment might
be to err on the side of caution because of what the implications might be.
Nurses, doctors, a lot of people I work with would feel that way. There are a
lot of areas where use the best judgment, if we had a little bit more direction
on that, we might be able to work a little easier and much better in certain
situations. We see 210,000 emergency room visits in our system a year, and a
very small portion of those are ones that we would have to — or inpatients,
60,000 a year — are ones that we would have to deal with the media. At each
one of those situations is a different scenario. As we are entering and getting
over this first year, we are realizing education on real-life scenarios, but
also education to the media and the general public, also to some of the
advisors to the hospital might be helpful as well, people who are advising the
hospital need to be consistent as well, as the media says some hospitals do
this and others err on the side of caution and won’t say anything.

DR. ROTHSTEIN: Thank you. Dr. Harding.

DR. HARDING: Does your hospital system have a different HIPAA standard for
VIPs, athletes, politicians or victims of terror, compared to the others?

MS. HOWLEY: No, it is all handled under one policy. I do have copies of the
policy, but it is all handled under the one policy which is very — patient
information is HIPAA compliant. So there is no difference. If someone were to
enter our hospital or we knew that they were there, we definitely would contact
them, but everything goes back to them signing off on consent before we would
release additional information, other than a one-word condition, unless they
opted out.

DR. HARDING: So if the governor came in with chest pain, you would not say
anything. There would be no release of information.

MS. HOWLEY: He would ask the governor if he would like to opt out of having
information released, and we would work directly with his press people as well.

MR. FANNING: One factual question. I take it that your district does not
itself run ambulances?

MS. HOWLEY: No.

DR. ROTHSTEIN: Other questions?

DR. HOUSTON: I have one more, Mark, just briefly. You indicated that the
media has used other means to access patients. Have you found any cases where
the media has actually impeded patient care by the way they have gone about
trying to access patients?

MS. HOWLEY: Not that I am aware of. It is more of a — obviously with even
the domestic security standards that we have in place at the hospital, you have
to show an ID to enter. We have ha a few situations where they have shown an
ID, but not their press pass, just their common ID, to say that they are going
to visit a specific patient. The patient is looked up in the system. They had
not opted out of the directory, but they also — we require us to escort the
media and ask the patient first when they have shown up in a unit. Usually, I
have to say our nurses and our staff are very, very aware, and just ask that
they leave, or we go ahead and ask the family if they would like to talk with
the media. But we have those rules and regulations in place as well.

DR. ROTHSTEIN: Other questions? Thank you very much, and if you have to
leave before we are done, I understand.

MS. HOWLEY: Thank you.

DR. ROTHSTEIN: Ms. Goldschmidt, thank you for being patient, and we will be
happy to have your testimony now.

MS. GOLDSCHMIDT: Thank you, Mr. Chairman and members of the subcommittee.
My name is Debra Goldschmidt, and as a graduate student of the Columbia
University Graduate School of Journalism, I spent the 2003-2004 academic year
researching and tracking the impact of the HIPAA privacy rule. I looked at many
different areas, including police investigations, fundraising research, media
access and more.

As a working journalist with more than eight years of experience, most of
it specializing in health and medical news, I experienced first hand the tide
change that came with the April 2003 compliance deadline, while working as a
medical producer at CNN.

Today I have been asked to provide an overview of the impact the privacy
rule is having on medical archives. This is an area many people do not realize
is being affected. Archivists and librarians are struggling with the law and
feel their issues were overlooked when it was created.

This first came to my attention when I read a story written by Julie Bell
in the November 13, 2003 edition of the Baltimore Sun. The headline on the
article read, privacy of dead perplexes living, new rules meant to guard health
reports could block some historical research. This prompted my own research on
the issue.

The August C. Long Health Sciences Library at Columbia University is home
to an extensive collection of archives which document the history of medicine.
Included is the collection of Dr. Jerome Webster, who founded the Department of
Plastic Surgery at Columbia Presbyterian Medical Center. His collection
contains patient files and photographs of his work. This is the kind of
information historians and researchers rely on to write books and conduct
historical research.

Stephen Novak, who is the head archivist of this library, believes that
access to this collection and much of the contents of health science libraries
is in jeopardy because of HIPAA. The problem is that many of the records
contain protected health information. Archivists have always been sensitive to
people reviewing records that contain patient information. In fact, anyone
wanting to has to sign an agreement that they will not use any names or
personally identifying information. But this is not enough anymore.

There are two professional organizations representing archivists and
librarians who work with medical archives, the Society of American Archivists
and the Archivists and Librarians in the Health Sciences. They sent a joint
letter to Secretary Thompson in October, expressing their concerns over the
impact of the privacy regulations. The groups expressed their frustration about
ambiguities in the law that have caused confusion over access to records. There
is even a question as to whether or not these libraries are covered entities.

At Columbia, for example, the library is part of the medical school, and
the hospital, therefore. So hospital attorneys say the library is a covered
entity and must comply with the law. However, at Harvard, the Francis Countway
Library of Medicine is part of the university and not part of the hospital, so
they consider themselves exempt.

Differing institutions are interpreting the rule as they see is
appropriate. The result is confusion. As is the case for many other issues
talked about today and in previous hearings, some institutions are suffering
from overzealous application and interpretation of the law, because they are
simply playing it safe. According to the letter the archivists sent to
Secretary Thompson, certain aspects of the privacy rule will lead to simply
denying access to any records that might contain protected health information.
One specific question, is this law retroactively applied and if so, how far
back does it go? Another is, if a letter written by a doctor contains a patient
name, does that count as protected health information? And can consent be
assumed for the use of photographs previously published, even if the original
consent form is missing? The letter asks the Secretary for clarification in
hopes of ending the confusion.

According to Nancy Parkin-Belmont, who is the director of the Society of
American Archivists, they have not gotten a response. In the meantime, at the
Columbia University Health Sciences Library, requests for records containing
protected health information are now reviewed on a case by case basis by a
hospital’s privacy board. Mr. Novak said he had one request recently, but when
the person heard about the new process he has to go through, he said, forget
it. The concern is that this is the response others will have, too, and the
rule could discourage historians from using the valuable archives.

The law does have an exception for research, but Mr. Novak is skeptical
about the amount of leeway it provides, given the decision last fall by the
Department of Health and Human Services. Two biographer/historians requested
the records of two deceased individuals from the National Library of Medicine
under this exception, and they were told that historical research did not meet
the criteria for research as defined by the privacy regulations.

Mr. Novak said if that is the case, he and his colleagues may as well lock
the door and shut the lights off, because they can’t show their collections to
anyone. He also fears that valuable records that are not already part of
archives may be destroyed, because the small practices or town halls that have
them may feel the prudent step is to get rid of them. Archivists say this will
be a real loss to future historians.

The archivists and historians are a small group compared to police,
hospitals and other much larger groups, but their concerns are real. Archivists
worry about having to de-identify records that would leave historians with
incomplete research, as well as having to seal records of deceased patients who
are identified in journals, letters, papers and photos. They feel HIPAA is
standing in the way of history.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. That is an issue that is very
interesting, and many of us have not given adequate thought to. Before this
hearing, there was some discussion about whether we need a separate panel,
separate hearings on the issue of medical archives, and we certainly can take
that up in our committee discussion period, as to whether we should do that.

But we are ready now for questions from the subcommittee members, and we
will start on my right this time, Harry or Richard.

MR. REYNOLDS: Very interesting testimony. This is a tough one. I was just
drawing myself a chart here, trying to categorize this and think it through. If
you listen to the testimony we heard, when you talk about information, we heard
all the way from none to all. Then when you talk about the status of the
person, we talked about an unemployed story versus a public figure. The issues
you talk about, an entity says we have a problem and they disclose it, versus a
whistle blower. You take normal currents versus a disaster, and you take
identity and location, where the family is known and the person is known, you
get them together, versus a John Doe. So that is a lot. That is great
information, but that is what privacy has created.

You have all made recommendations, but it is really difficult to sit and
deal with the individual person’s privacy and what we just want to be able to
say right up front about. So mine is not so much a question. I have heard a lot
of testimony, but it is what we face over here. You see the rule and you deal
with it, but adjusting it is a very fine screwdriver that can push it one way
or the other pretty easily. So you can shed any — a lot of information, so if
you don’t have anything to add, fine, but any insight on how to adjust — this
is a tough one. That screwdriver is a little bit like a lot of things. You turn
it a little too far and you throw these continuums and this whole thing
sideways.

MS. RUSH: Let me try a conceptual approach to this, if you don’t mind,
recognizing that we are definitely looking at this from the point of view of a
public viewer and not as the custodian of a record. Obviously if you are a
physician or you are an attorney, as several of us are, and you have got to pay
attention to specific professional obligations, you have got a different view
of things.

One of the things that we are seeing going on that Mr. Reynolds has
identified, and I think quite succinctly, is that we have very gradually in the
area of computerization and the concern about privacy been shifting away from
an open society to a need to know society. Once you go down that slippery
slope, you find yourselves in exactly the position that I think this panel may
have found itself in.

It reminds me very much of the debates that I hear some of the
environmental groups talk about with respect to the Amazonian jungle. If we are
going to destroy it and we are going to put houses there, and move cultures and
take away all the plants, are we going to be able to go through one by one and
identify which plants we want to keep, and justify why we want them? And of
course, the folks that understand the value are wanting to say to us, you don’t
know the value. You don’t have any way to predict what use this plant may make.
It is too soon. You are going to be destroying something that you will never
see there again, and you don’t even know what you would have used it for,
because it will cease to exist.

I think very often, for those of us who are in the world of trying to
understand public information and private information, we are in that kind of a
situation. It feels to me — and I have practiced in this area for almost 25
years now — that we have very gradually and almost imperceptibly made a shift
into this need to know situation, precisely because fears about access to
greater amounts of information in the computer age has caused us to think
differently about information.

The case that was cited in testimony a few moments ago, about the rap
sheets and the Supreme Court case, was absolutely a computerization case. Every
record that was being sought in that case would have been available on paper,
if you wanted to trot around to 5,000 different courthouses and look them up.
It was the existence of the compilation in the computer file that changed the
way the public information looked to the Court.

HIPAA, I believe, was the medical record analog to that. I went through —
many years after the Kennedy-Kassebaum Congressional debate, I went through to
read what I could of the Congressional debate there. There really isn’t very
much there to enlighten what Congress really meant to come out of the privacy
aspects of this. It was a very belated thought, after the fact, pitched it to
the agency and said, it is too hard, Congress can’t agree, and you guys figure
it out without very much guidance, which the agency did. I think to its credit,
it took the best it could understand and took some basic principles that the
agency believed in about the right of a patient to control records, and
installed a standard that Congress had never really debated.

Now you have got it. Now I think the agency is hovering around the idea
that the should patient have as absolute control over those records as
possible. Then you carve out from that those who need to know. That is exactly
where I think you are right now.

Who needs to know this? The medical researchers need to know it, and
clearly the law enforcement people need to know it, and people investigating
child abuse need to know it.

You start to make that list, and I will tell you where it is going to end
up. We have seen this from a number of privacy statutes. You will wind up with
such a Swiss cheese of people who really do need to know, that the consequences
are, now there are a whole bunch of people that need to know, that you can’t
possibly control, and the media are going to go to them as third or fourth hand
sources of information, and whatever information does reach the public record
will be even more distorted and even more confused, because it came down
through a chain of need to know people out there, who get increasingly further
away from whatever the essential purpose was.

I don’t know how you go back from need to know. It is not even right to
know, because most of this information was never required on public record. You
might go back at least to the point where it has been required on public
record, and try to look at the state public records laws, and go back at least
to that point and say, what have we done here? What have we done here to try to
make what about have been just a free-flowing information society, that mind
you, had tort law to protect information that was truly intimate.

What have we done here to try to defeat the purposes that were meant by the
public records laws by at least those agencies that had responsibilities to the
taxpayers through the services that they are performing? If I were tackling
this problem, I think I probably would begin there. I’m not sure I would end at
that point, but that is probably the easiest of the problems to try to attack.

DR. ROTHSTEIN: I want to respond to that before I recognize Dr. Harding for
his question. I would respectfully disagree with your framework, because I
don’t believe that the change in the way we view medical records and privacy
really started with HIPAA. I think it is a 50-year trend in American health
care that we see in research ethics, that we see in patient care. It is
conferring greater autonomy on individuals to decide who should have access to
their information and what sort of medical care they consent to, what sort of
research they consent to, et cetera.

So there may be problems with HIPAA in where the balance is drawn in one
respect or another, and we will try to work with you on that. But I don’t think
that HIPAA and the philosophy underlying HIPAA just showed up in the year 1996
or 2003 or any other time. I think if you go back to the Nuremberg trials, it
starts in 1947, really. We are now placing a greater public primacy on the
individual and the individual’s right to control medical information.

So with that aside, I will now recognize Dr. Harding.

DR. HARDING: I’d like to ask Ms. Stewart and Ms. Daugherty, you both
brought up the issue of Arthur Ashe. When you were both talking, I was thinking
about the issue of the greater good, the individual versus society. You are
saying that the thrust to destigmatize AIDS and so forth in 1992 or whenever
that was, ’88, trumped the individual’s desire and right to have privacy about
a medical condition that was stigmatizing, and that someone made that
determination in the press that it was the greater good to release the
information against the individual good of the person who obviously didn’t want
that to happen, and probably hastened his death, I would think, in that
process, with the pain and anguish that the person went through.

That is a tough call, the greater good. How do you both look at that? Do
you see it that same way, or when is it all right to release information
against a person’s wishes, individual’s wishes, for the greater good? I guess
that is why you do it, for the greater good of society. Isn’t it?

MS. STEWART: First of all, I want to point out that in the Arthur Ashe
case, there were actually a number of reporters who knew of his HIV status for
years and chose, in order to respect his wishes, not to disclose that in the
media. The reason why he was forced to is because the editors at USA Today did
decide to go ahead and show up at his house.

I would say, in terms of Nidia Valasquez’ situation, those records were
from when she was 19 years old. I just wanted to point that out as well. Those
situations occurred at least 20 years before that election. I would say that in
this situation, it was most important for us to look at what is the greater
good. We are looking at the HIPAA privacy rule. It is designed to improve
public health.

I would say in the Arthur Ashe situation, outside of his individual right
to be able to protect his own personal health information, to be able to
protect his privacy, I think it is important to look at — in terms of greater
good, what kind of impact does that have on a public with such a stigmatizing
disease which was on the verge of a greater epidemic in the United States? What
kind of impact does that have on the public, when you read that somebody’s HIV
status was just disclosed, because they found out about it?

There have been cases, for instance, with the Planned Parenthood case in
Iowa, where law enforcement had found a dead child, a dead baby, that had just
been born in Iowa, and they tried to subpoena the medical records of every
woman who tested positive for pregnancy in one Iowa clinic. That Iowa clinic,
in that month, had a 70 percent drop in the women who came to their clinic,
because women were afraid to go to the Planned Parenthood clinic. Especially
with HIV-AIDS, you have a real need to convince people that their privacy is
going to be protected in order to get them to come get testing. I think if you
go to any AIDS clinic or you talk to any case worker in an HIV-AIDS clinic,
they will tell you that is one of the most important things, because people are
so afraid of that being disclosed.

So I guess in that case, I would say Arthur Ashe’s individual right to
medical privacy was compatible with the public good.

MS. DAUGHERTY: I would disagree. I think that it was important for people
to know that Arthur Ashe, a person with Arthur Ashe’s stature and character had
this kind of disease. I think it educated the public about HIV in a way that
countless lectures by countless physicians would not have educated them.

Do I think that everyone who has HIV should be outed? No, I don’t. I think
that this is the kind of decision that whistle blowers make. This is the kind
of decision that editors make. There have been other cases where people who
suffered from HIV were outed, and with good reason. There was I believe a very,
very promiscuous young man in New York a few years ago who was actually
indicted for trying to infect others with HIV. This is the kind of thing that
is also newsworthy. It is very difficult to come up with these bright-line
rules that say, if it is HIV, it is secret.

MS. COCHRAN: I think we are getting into a little bit of a red herring
here. The Arthur Ashe story is a story that really is not the norm of what we
are talking about. We are talking about being able to report who the victim was
in the car accident on the bypass in a timely fashion on that night’s news. I
think you could make a couple of cases, one, that the Arthur Ashe story might
be just as likely to come out now as it was then, depending on whether the
person who had that information, how that information was obtained,whether it
came from a health care provider or not. I think you could make a case that the
Arthur Ashe story actually had the effect of — as Ms. Stewart says, if it kept
people from going and seeking treatment, you could maybe say that it had the
opposite effect. We are not social scientists and we don’t have the
information, and we can’t find that out right now.

Look what happened a few years later in the case of Magic Johnson. Someone
who openly took control of the situation and announced his disease, and went on
to become a great spokesperson for treatment and a cure, and to this day serves
as an example of how that disease can be dealt with.

So I think it is very hard to take one isolated extreme example and try to
make a policy based on that. I would urge us to focus on the day to day, bread
and butter news coverage that before HIPAA was commonplace and the community
was not outraged about, and was of great use to people living in their
community, and that didn’t really have very much to do with electronic
recordkeeping, but that now, this kind of information has become much more
difficult to access and is off limits.

DR. ROTHSTEIN: Mr. Houston.

DR. HOUSTON: I am troubled, I hate to say it. I parrot what Harry had said
a little earlier. Being involved with research a good bit at my organization
and the great pains that we take to protect the rights of human subjects in
research and medical privacy, and the fact that a big part of why we have
privacy in HIPAA is to allow patients to be confident that their medical
information is going to be kept confidential, so to encourage them to seek
treatment, it scares me that we bend at all with regards to the release of
patient information.

I think that we have to look at the public good. The public good in my
mind, as Emily indicated, the balance is far on the side of insuring that
people feel comfortable seeking medical treatment. I think that a lot of what
was described here as need could be accomplished through authorizations.
Obviously there are cases where you have a disaster, and maybe there are narrow
exceptions, and maybe there needs to be better coordination with public
authorities to get information to public authorities so they can release it,
but I’m afraid that we are going way to the other extreme.

Again, the best example I can think of as a barometer is the great pains
that we go through when we are dealing with research data and research
subjects, and insuring that their privacy protections are guaranteed. To look
here and say here are great examples of why we think we need to have this
information made available, and leaving the discretion in the hands of the
press, personally I’m not convinced. I’m sorry, but this all very much concerns
me.

MS. COCHRAN: May I?

DR. ROTHSTEIN: Yes, please.

MS. COCHRAN: But before HIPAA existed, you didn’t have problems. You didn’t
have reporters crawling all over and trying to get your confidential patient
information.

DR. HOUSTON: I’m not sure that is the case. I think there are examples of
that. I think Rebecca even described the needs of the media to get at
information, and that does concern me. I’m just voicing a concern. I think what
Rebecca described in her testimony concerns me.

MS. COCHRAN: Do you think it was improper to disclose the syphilis study at
Tuskegee?

DR. HOUSTON: I’m not sure what the best way to handle a lot of these things
are. I believe in a lot of cases you can damage peoples’ lives. Arthur Ashe may
be a great example where, had it been another public figure, and had the
circumstances been different, that would have really been an invasion. Maybe in
other cases it would have been more appropriate for somebody to work with the
public authorities in the case of Tuskegee and try to get that information out
in a different avenue.

But again, I am very concerned about what this means to people and their
willingness to go and seek health care.

MS. RUSH: Let me try to draw some bright lines here. I think that one of
the things that — it is difficult for people who are schooled as licensed
professionals, and I don’t know if there is anyone on the panel who is not
either a physician or an attorney, but all of us who owe allegiance to the
court or to the medical society — journalists are usually real people or
something akin to it. I have been both in my life, so I tend to look at it
through two different lenses.

When you are accustomed to working within a world that is codified and
licensed, and you get specific duties and responsibilities, and someone is
holding you to those by your license, it is very difficult to put those things
aside and look at them the way journalists look at them. It is very natural for
an attorney to say, if you have got a problem with the way an institution
works, you should go to the official channels and tell them. There are channels
to do that, that are bound to protect the privacy. A journalist will tell you,
you know what? That doesn’t always work. Sometimes the people in the official
channels are the problem.

I have many times thought back to a case — I’m almost afraid to say it,
because it reveals my age here, but there was a New York Times reporter that
spent a number of days in jail not too awfully long ago. His name was Myron,
and Rebecca is going to have to remind me of his last name, I have forgotten it
now. He had a source inside a nursing home who was presumably a low-level
worker. I don’t think it was a nurse and I don’t think it was a physician, who
knew that a doctor was injecting elderly with a muscle relaxant. Their
complaint had been made through the nursing home channels, and had been made
through the medical society, and nothing had been done.

Myron Farber, thank you very much. See, aren’t you glad it wasn’t three
a.m. when I thought of this and I called you all up?

The story was told, and of course, the physician was taken up on licensing
procedures right away and eventually charged with homicide. And of course, the
attorney subpoenaed the reporter to find out which worker had disclosed. In
that case, one has to presume that the story would never have been told, and
the patients would have continued to die, if someone there hadn’t been
courageous enough to go outside the official channels and talked to the
reporter.

It is easy for us all to pick those heroic examples. The Tuskegee is
another one. Somebody really took a risk there to say, these institutions
aren’t doing what they are supposed to.

But I think if we try to take the Arthur Ashes and the Tuskegee and the
Myron Farber case and try to make our policy around those extremes, we are
going to get ourselves into some real difficulty. We are once again going into
that need to know.

I don’t think that in most cases what we are talking about here is the kind
of thing that I think Mr. Rothstein is addressing, about the trend toward
giving patients control over their information. Usually that has been in the
context that I have studied, in the context of their trust relationships with
the professionals who are caring for them, or in a network of people that are
supporting the care. Without getting into personal views about whether that is
appropriate or not, that clearly has been a trend, and I think a lot of the
privacy law has developed around that, and the HIPAA privacy rule sprung from
that.

i understand the origins of it. I don’t think that is exactly what the
press organizations are talking about in this case. I think what the press
organizations are talking about is when you draw too widely the net of
protecting all the incidental information that might fall within that ambit.
You are moving very quickly from privacy into secrecy, in a society where you
want the press, whether it is doing it for good motives or ill, you want the
press to be paying attention to what is going on there.

We hear all the time, people saying how come the press doesn’t cover this,
and how come the press doesn’t cover that. One of the reasons the press doesn’t
cover more what people would like it to cover and scrutinizing what goes on in
the world is, it is very difficult to do, and privacy rules are sometimes one
of them.

So I’m not sure you were taking issue with my trend thing. I was talking
more about common law privacy, where an individual might complain about
disclosure through the media of something that wasn’t revealed by a physician
or an attorney or something like that, that something came through an
unofficial source. Privacy law I think has struck a reasonable balance.

DR. ROTHSTEIN: I was talking in general terms, to try to ut the privacy
rule in context. But now I’d like to get to a much more concrete level than we
have been talking about, and see if we can work out some recommendations that
are satisfactory.

One thing that I think we all need to keep in mind is that the privacy rule
only prohibits covered entities from making certain disclosures. It doesn’t
mandate that a hospital provide you with information if they don’t want to. The
fact that traditionally they have done so, HIPAA is not going to be the source
of that.

So the only thing that we could do by way of recommendation is to clarify
that HIPAA can’t be used as a shield to protect people who don’t want to
disclose stuff to the press from asserting that. So in other words, if there is
some public official who has information that is deemed by the pres to be
newsworthy, not necessarily relating to any particular individual, and they
want to assert, we can’t give you that information about our hospital because
HIPAA prohibits that, we can recommend that the Secretary have guidance out
there and education programs or whatever to make it clear, so everybody knows
that that isn’t the case under HIPAA. We can’t make recommendations that some
local somebody answer all press calls.

There are a few things in the privacy rule that I would like to go over
with you to see exactly what it is that you have in mind by your
recommendations. The first one deals with the issue of whistle blowers. In
terms of the whistle blower provision of the privacy rule, — I have marked the
page and lost the page. Well, until I find it, I’ll just go with my best
recollection of the whistle blower provision. There is a provision in the
privacy rule that says that it is not a violation of the privacy rule for an
employee of a covered entity to disclose protected health information about a
patient in good faith, if it is part of a report to law enforcement officials,
to a lawyer to represent that individual, to a regulatory agency, to an
accrediting agency. I think those are the four exceptions or provisions.

Am I correct in assuming that the wording of that provision would be
satisfactory to you if we added a fifth category under that, and that is the
media? Is that what you have in mind?

MS. DAUGHERTY: Yes. And I don’t think that is too far removed from whistle
blower statutes that protect whistle blowers in other contexts.

DR. ROTHSTEIN: I just found it, so let me read the provision. Disclosure by
whistle blowers. This is in 164.502 and it says, a covered entity is not
considered to have violated the requirements of the subpart if a member of its
work force or business associate discloses PHI, provided that the work force
member or business associate believes in good faith that the covered entity has
engaged in conduct that is unlawful or otherwise violates professional or
clinical standards, or that the care, services or conditions provided by the
covered entity potentially endangers one or more patients, workers or the
public, and the disclosure is to a health oversight agency or public health
authority authorized by law to investigate or otherwise oversee the relevant
conduct or conditions of the covered entity, or to an appropriate health care
or accreditation regulation for the purposes of reporting the allegation of
failure in the professional standards, or to an attorney retained by or on
behalf of the work force member, blah, blah, blah.

So if we added media somewhere along there, that would satisfy your
concerns?

MS. DAUGHERTY: That would go a long way to tell whistle blowers that they
would not be penalized for going to the media. The Tuskegee case is again the
best example of this. In that case, both the AMA and the CDC had approved of
these experiments, and I think it says that going to the public is going to
invoke a different kind of reaction.

DR. ROTHSTEIN: It is my belief that there are in fact some whistle blower
statutes that do mention the media or the press in there, either by statute or
by regulation or certainly by case law. But I don’t have those handy, and you
might. Do you have access to that information?

MS. DAUGHERTY: We can find them and provide that.

DR. ROTHSTEIN: That would be very helpful to us in our work.

MS. RUSH: May I just jump in on this one point? I don’t want to disagree
with my media colleagues here, but federal laws and regulations that somehow
distinguish the press from the public always make me a little uncomfortable. A
friend from the hospital organization made the point that the press doesn’t
have any other right of access, other than what the public does. That has
generally been true as a legal principle.

I don’t necessarily know that it is necessary to carve out a press
exception specifically to solve the kind of problem we are trying to address
here. There are some whistle blower statutes in the context of occupational
health and safety and fair labor standards that I think do go down that road.

The problem we get into is, what is the press? Is Matthew Drudge a member
of the press? Is my nephew, who is doing a high school underground newspaper, a
member of the press? Can he be press credentialed? At what point can he be
regulated? That gets to be a slipper slope in a hurry.

I would rather — and I have to say, I haven’t ever finished the research
project on this that I hope to start one day — I would rather see the
exception carved out to say members of the press or the public that are
reasonably designed to lead to, and then fill in the blank, lead to prosecution
or enforcement or something that is the desirable end of that.

DR. ROTHSTEIN: For purposes of bringing —

MS. RUSH: Yes, to bring it to light. I think you do want to leave that open
door there for the circumstance where — whistle blower really is almost too
much of a pejorative to use for these people. I am talking about the person
that empties the bedpan in the nursing home.

DR. ROTHSTEIN: Well, I appreciate that comment.

MS. RUSH: You may not necessarily be a glorified whistle blower in that
sense, but you may see things going on there that would make me uncomfortable
if it were my parent.

DR. ROTHSTEIN: I think there is a way that we can do that without opening
it up to make any disclosure by anybody for any reason. So if we key it to who
in reasonably good faith believes that such-and-such will happen as a result, I
think that would be —

MS. RUSH: I think you have to recognize that if you talk to three media
attorneys, you are going to get five different opinions, almost by definition.
We have discussed this as a cure or an option. This is really off the top of
our heads, but I think we probably all share some of the same values in this
sense, and probably can work out some kind of ideas.

DR. ROTHSTEIN: Ms. Stewart, what is your thought on this? Is that opening

MS. STEWART: I would have to look more at it and discuss it with Jan-Lorie,
who knows the rule far better than I do. But I am going to say that my sense is
that we would disagree with that. I don’t really know in what way — how do you
prevent it from being a slippery slope? What does reasonably lead to law
enforcement or what does corrective action meet, in a legal sense.

DR. ROTHSTEIN: Let me take up another specific provision. There is a
provision allowing the reporting in emergencies to law enforcement officials.
It would as you read it not apply to press coverage or publicity surrounding
victims of accidents so that the family would find out or whatever.

If we were to recommend some sort of exception to that, what would that be?
In other words, I might be persuaded that in emergencies, there would be some
limited exception to reveal minimal identifying information that Joe Schmoe is
in Hospital X, and that’s it. You are not going to get me to tell you what his
condition is, or whatever.

For the benefit of family members and so forth, is it possible to craft
some provision that would do that without opening up a can of worms?

MS. COCHRAN: I would say, yes, we would be glad to work on something. We
don’t have the language in front of us, but something that would make it clear
that news media could be included in the group that information is released to
in a time of emergency.

DR. ROTHSTEIN: I have one last question, and then I’ll take some comments
from my colleagues. You don’t really, Ms. Cochran, recommend that I not be
allowed when I go into the hospital to tell the people in the hospital, don’t
tell anyone that I am here, because I am a very private person? You don’t mean
to suggest that the hospital is required over my objection to tell anyone who
calls that I am there, et cetera?

MS. COCHRAN: The instances that I think are the most difficult for our
members are where someone has been brought to the hospital because of an injury
or a crime, that that name may be known to the public safety officials, but
that the hospital can’t confirm that. I think that is an instance where if it
is known to the public safety official, we would like to see it be confirmed.

DR. ROTHSTEIN: But your recommendation is much broader than that. It says
the rule should not afford the ability to restrict public access to directory
information. I just got off your bus on that one.

MS. COCHRAN: This is the number-one recommendation.

DR. ROTHSTEIN: No, this is number seven, on page 11.

MS. COCHRAN: I think, not being a lawyer, what we mean here is what I just
said, but I cannot clarify that.

DR. ROTHSTEIN: I’ll take that as a motion to withdraw number seven.
Comments?

MR. REYNOLDS: I have another comment. First, I appreciate your labeling me
as a normal person. I will take this testimony and I will use it in many ways.

I guess the question that I have, a lay person and all this, a person’s
health information — I’ll use me as an example. If a source gave you my health
information, and you used it, you would have used my information, but my
understanding is, you would protect the source. So when you think of the
general public out there, and you think of people listening to it, my coveted
information has been given by someone else that I may not covet and you may not
covet. But yet, that person is more important to be protected in a private way
than I am.

I’m not saying that is a fact. I am talking about a perception, and I am
trying to understand where this thing gets back to my continuums again, all the
way or not all the way. So in that case, it would seem like both of us were in
it together. My health information is far more important to me than what they
did or didn’t have to say. So I’d love some comments.

MS. DAUGHERTY: Could I make the point here that there is a long tradition
of tort law that protects against the publication of private facts, in
circumstances where you have every expectation of privacy, and there is no
public interest in disclosure.

MR. REYNOLDS: That is good information.

DR. ROTHSTEIN: Ms. Goldschmidt, are you still with us?

MS. GOLDSCHMIDT: Yes, I am.

DR. ROTHSTEIN: Would you like to comment on any of the discussion that we
have had?

MS. GOLDSCHMIDT: Thank you. Back when we were discussing the examples of
Arthur Ashe and of Tuskegee, I agree with what the members of the committee
were saying. It is like one extreme to the other. It is like comparing apples
and oranges, or not even two fruits. There are examples like Arthur Ashe, but
there are also examples — and this comes to the issue of what was said about
what was happening before HIPAA and how much of an issue it was, that you had
when Barney Clark was in the hospital with the artificial heart. You had
reporters posing as doctors and nurses sneaking into the hospital to find out
who he was and what was going on with him.

Then more recently, when you had the most recent cases with the Audiocorps
artificial heart, it was much more strict, the facility was much more strict.
Perhaps they learned from the example of what happened with people sneaking in,
in the case of Barney Clark. But there are also — like with the conjoined
twins from Guatemala, who were separated at UCLA. That was highly covered by
the media while they were there, while they were going through the surgery at
UCLA. Over a period of time, they improved, they went back to Guatemala. Then a
point in time came when the girls needed to come back to UCLA for further
treatment, and when they arrived and they were at the hospital, the hospital
spokespeople told us that they could not give us any information. They couldn’t
even confirm that the girls had indeed arrived back in the U.S. and at
Mattelle’s Children’s Hospital, until they had a signed consent from the
parents, because of the privacy rule, which had gone into effect. The parents
were not with the children. They were back in a remote village in Guatemala,
without a fax machine, and it was quite a struggle.

That was something where it wasn’t a new case, it wasn’t something new that
had just happened. People throughout not just the U.S., but back in Guatemala
and throughout South America were waiting to see, they had been following the
progress of these girls, and knew that something may — wanted an update on the
progress. There was this long, long delay of many hours.

So there needs to be some sort of compromise, even if it is just
troubleshooting. I admit, it is very difficult to try and put into words a
policy that is going to encompass every possibility of what could come up.

DR. ROTHSTEIN: I want to thank you for your comments. Other staff or
subcommittee members?

I want to thank all of you of your testimony. It was very stimulating. It
is too bad that we are not at a J school or law school seminar. We could spend
the whole semester on that. But we are not, so with that, we will adjourn
today’s meeting, and we will begin tomorrow morning at 8:30. Thank you.

(Whereupon, the meeting was adjourned at 5:05 p.m.)