[This Transcript is Unedited]
Subcommittee on Privacy, Confidentiality and Security
National Committee on Vital and Health Statistics
“Minimum Necessary and the Health Insurance Portability and Accountability Act (HIPAA)”
June 16, 2016
Capital Hilton Hotel
1001 16th Street, NW
Federal A Room
Washington, DC 20036
- Introductions and Opening Remarks – Linda Kloss, Chair
- Overview and Framing of Current Issues – Mark Rothstein, JD, University of Louisville Institute For Bioethics, Health Policy and Law
- Panel I – Policy Interpretations of HIPAA’s Minimum Necessary Standard
  - Robert Gellman, JD, Privacy and Information Policy Consultant
  - Adam Greene, JD, Partner, Davis Wright Tremaine
- Panel II – Practical Implementation of HIPAA’s Minimum Necessary Standards – Approaches for Compliance
  - Melissa Martin, RHIA, CCS, CHTS-IM, President, AHIMA, Associate Vice President and Chief Privacy and Enterprise Information Management Officer, West Virginia University Hospitals
  - Marilyn Zigmund Luke, JD, General Counsel, AHIP
- Panel III – Minimum Necessary: Challenges and Opportunities
  - Alan Nessman, JD, Senior Special Counsel, American Psychological Association Practice Office
  - Rita K. Bowen, MA, RHIA, CHPS, SSGB, VP, Privacy and HIM Policy and Education, MRO, American Health Information Outsourcing Society
- Public Comments
- Subcommittee Discussion: Review Themes, Identify Potential Recommendations and Additional Information Needs
P R O C E E D I N G S
Agenda Item: Introductions and Opening Remarks
MS. KLOSS: Good morning and welcome to this hearing, convened by the Privacy, Confidentiality and Security Subcommittee of the National Committee on Vital and Health Statistics. Welcome to all members of the committee, those who are going to provide testimony to the committee, and to our guests.
We have a little formality we need to take care of first and that is to make official introductions for the record. And then when we conclude that, I will just frame our work today. Then we will be off with our first testimony.
I will lead off. I am Linda Kloss. I am a health information management consultant, a member of the Full National Committee, co-chair of this subcommittee, a member of the Standards Subcommittee and the Review Subcommittee. I have no conflicts.
MR. CORNELIUS: Good morning. I am Llewellyn Cornelius. I am at the University of Georgia Athens. I am a member of the Full Committee and the Population Health Subcommittee. I have no conflicts.
DR. EVANS: I am Barbara Evans. I am a professor at the University of Houston. I am a member of the Full Committee and am a member of this Subcommittee and I do not have any conflicts.
MR. LANDEN: Good morning. I am Rich Landen. I am with QuadraMed. I am a member of the Full Committee, the Standards Subcommittee, the Review Committee and I have no conflicts.
DR. SUAREZ: Good morning. I am Walter Suarez with Kaiser Permanente. I am the chair of the National Committee and member of the Privacy and Security Subcommittee and no conflicts.
DR. MAYS: Good morning. Vickie Mays, University of California Los Angeles. I am a member of the Full Committee, this committee, Pop and the Review. I have no conflicts.
MS. LOVE: Denise Love. National Association of Health Data Organizations and All Payers Claims Database Council Learning Collaborative. I am a member of the Full Committee, Subcommittee and occasionally the Population Health Committee and no conflicts.
MS. GOSS: Good morning. I am Alix Goss. I am a member of the Full Committee, co-chair of the Standards Subcommittee, co-chair of the Review Committee, frequent attendee to other subcommittees as possible and I have no conflicts.
DR. PHILLIPS: Good morning. Bob Phillips, American Board of Family Medicine, member of the Full Committee, the Population Health Subcommittee, this Subcommittee, no conflicts.
DR. RIPPEN: Helga Rippen. I am on the Full Committee, this Subcommittee, the Population Subcommittee and the Work Group on Data. I have no conflicts.
MS. KLOSS: Do we have any members of the National Committee on the telephone?
DR. STEAD: Bill Stead, Vanderbilt University, member of the Full Committee, co-chair of Pop Health and member of the Review Committee. No conflicts.
MS. KLOSS: Thank you, Bill. Any other members of the Full Committee on the phone? Let’s introduce staff.
MS. HINES: Good morning. Rebecca Hines, executive secretary to the Committee with the National Center for Health Statistics.
MS. BURKE-BEBEE: Good morning. Susie Bebee with the Assistant Secretary for Planning and Evaluation. I am staff, more comfortable with the Standards Subcommittee and will be sitting in as lead staff for today.
(Staff introduction off microphone)
MS. BOWEN: Hello. I am Rita Bowen. I am testifying today on behalf of AHIOS, which is the American Health Information for resources.
MR. RODE: Good morning. Dan Rode. I am an independent educator and consultant.
MS. MCGRAW: I am Deven McGraw. I am the deputy director for Health Information Privacy at the Office for Civil Rights at the Department of Health and Human Services.
MR. GELLMAN: I am Bob Gellman. I am a privacy consultant and a witness this morning.
MS. MARTIN: Good morning. I am Melissa Martin and I am here to represent the American Health Information Management Association and I testify on the second panel.
MS. RIPLINGER: Good morning. I am Lauren Riplinger with AHIMA, the American Health Information Management Association.
MS. LANE: Pam Lane. Also with AHIMA.
MR. LANE: Jeff Lane. Just observing.
MS. WEIKER: Margaret Weiker, NCPDP.
PARTICIPANT: I am Matthew. I am here as a summer intern for Wexler and Walker.
MR. DECARLO: Michael DeCarlo, the Blue Cross and Blue Shield Association.
MS. KOCHER: Gail Kocher, Blue Cross and Blue Shield Association.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC committee staff.
MS. KLOSS: Any others on the phone?
MS. HORLICK: This is Gail Horlick, staff to the Subcommittee, CDC Atlanta.
MR. LINCOLN: Mike Lincoln from the Department of Veterans Affairs.
MS. BERNSTEIN: This is Maya Bernstein. I work in the Office of the Assistant Secretary for Planning and Evaluation. I am lead staff to the Subcommittee normally. I am very grateful to Rachel Seeger who put together most of this hearing and to Susie who is sitting in today to help Linda.
MS. KLOSS: Anyone else on the phone?
This hearing is called on behalf of the Subcommittee. I am pleased to announce that as we did at yesterday’s meeting that Barbara Evans has agreed to henceforth be the co-chair of this Subcommittee. We are real pleased about that. Our previous co-chair, Leslie Francis, her term on the committee expired last fall. We are real happy that Barbara will be joining us.
We have taken on an ambitious challenge this year and that is to conduct a hearing both on the topic of de-identification and HIPAA and today’s topic, minimum necessary and HIPAA. These are both very critical, integral issues in HIPAA. They are both practical and amazingly complex. Our goal with both of these initiatives is to perhaps craft useful recommendations to the secretary from the National Committee. This, in essence, is the National Committee’s job: to advise the secretary on matters of health policy.
This particular topic, minimum necessary, is the fifth leading cause of complaints to OCR. It does figure largely in the concerns that citizens and other individuals in the health care field have about how we have implemented and how we are managing HIPAA. But it is a topic for which the amount of guidance available is minimal. This is an ongoing challenge I know from my professional background in health information management, a daily issue that without such guidance is very difficult to push back or create a policy that allows one to push back in the face of what may seem like an unreasonable request for information that goes beyond the bounds of what appears to be required for the purpose.
I think it has been a longstanding issue and it is something that we hope through our discussions today and our deliberations following today’s hearing, we will be able to craft some useful recommendations.
Interestingly, two days ago, the National Committee approved a letter to the secretary to go forward with advancing the claims attachment standards. In that letter, we specifically called out the need to have that implementation guidance go forward, keeping in mind the notion of minimum necessary.
We also created another conundrum that we have a new standard coming forth that calls for implementing that and using minimum necessary policy. I think we have turned up the heat on us in terms of the need to really create a useful work product that aligns with not only policies and practices and information governance practices, but also implementation of standards.
I think with that set up, we will proceed in a quick overview of the agenda. We are really honored to have Mark Rothstein lead us off this morning and frame these issues. For those that do not know him, Mark is the former chair of this Subcommittee. He is definitely an alumnus and understands the work of this committee very well and he served in that position from 1999 to 2008. I was at many meetings where I was sitting along the wall watching the work of the Subcommittee. We are really grateful that you are going to kick us off and help us frame the issues.
And then I am going to ask that Adam Greene and Bob Gellman, our Panel I testifiers, join Mark at the front and provide their testimony. Then we really have adequate time and ample time to have a good what I hope is a working discussion among these three who think a lot about policy environment in which minimum necessary lives and works. Our goal then is to learn as much as we can from Mark and our first panel by 10:30. Then we will have a break.
We will have Panel II. In Panel II, we are going to hear from the providers and health plans about practical implementation issues. I have a set of written testimony that has been provided by the American Hospital Association. We will read that into the record also. That will be our practical implementation panel. Again, we have organized this so we have a lot of time for discussion. We moved ourselves as a committee down a little closer to our panelists so we could convey this notion that this is really a roll up your sleeves working meeting. We want everybody to give their best thinking as to how we craft useful but practical kinds of recommendations for the secretary.
After lunch, we have a final panel where we are going to talk about drill down on some particular challenges and opportunities in the areas of mental health, psychological information, the industry that really represents outsourcing and disclosure management in the United States. The committee will then go into a working session where we will try to digest what we have learned today and that working session is certainly open to the public. Anyone who can stay and help us, you are welcome to do so.
Again, I think we have really important work to do today. I will just say at the outset that the work plan for the Subcommittee calls for us to really fast track the output from our work today. We are going to give it our best college try to have a draft letter with recommendations to the secretary for presentation to the Full Committee in September. This is work that is practical being fast tracked and this will be a really important working session. Thank you.
With no further ado, I would like to invite Mark to open up the hearing.
Agenda Item: Overview and Framing of Current Issues
MR. ROTHSTEIN: Thank you very much. I want to start by saying I very much appreciate the invitation from the Subcommittee members and the staff. It is great to see many friends and to once again be engaged with the Subcommittee on very important issues.
Today, I am going to talk about minimum necessary. I want to make three main points. One is that minimum necessary was drafted and created to have a very crucial role in the privacy rule. I am afraid that it has not been given that effect and that it is misunderstood and underutilized and we will talk about that in a minute.
The second thing is that I am going to propose that minimum necessary be extended to treatment.
Third, I am going to propose that for payment and health care operations that the disclosures should be in the least identifiable form consistent with the use or disclosure. I will explain that as well.
The reason that I say that minimum necessary is so important is that when you look at the privacy rule in complete form, one must be struck by the distinct lack of protections for the uses and disclosures of PHI. We are all familiar with how this applies, but just to briefly go over it. At the initial stage of an individual’s meeting with health care providers or other entities, there is no requirement that there be consent. That was a very controversial issue many years ago. And now we are in a situation where there is only notice of privacy practices and where there is a direct treatment relationship, a requirement that a good faith effort be made to obtain an acknowledgement.
In my view, this process has worked very poorly indeed. It has not succeeded in conveying the information that individuals would like to have that they need that they can use. In fact, it has had a negative effect because the privacy rule seems like just another paperwork requirement that they do not understand. And the only possible reason for this is somehow to protect the health care providers or their institutions. It automatically gets the privacy rule off to a bad start in the eyes of the public.
On top of this notice of privacy practices then we have the rule that says that there is no consent or authorization needed for the use and disclosure of – for information in the process of treatment payment or health care operations. That takes out of the direct relationship with the individual a high percentage of the uses of information.
On top of that, now we have the 12 public purpose disclosures for which no consent or authorization is required and everybody is familiar with the list that includes disclosures required by law, public health disclosures, et cetera. Very important things. But these are arguably over broad, ill defined, poorly understood, et cetera.
Once we have those areas cut out from the possible ways of protecting privacy that is a treatment payment health care operation, the 12 public purpose exceptions, I would argue there are only three things left that are regulated at all and that would be fund raising, marketing and researching. You can have an interesting discussion. We did many years ago about each of these and how broadly these areas should be construed.
But the point of this brief exercise is to try to make the point that the privacy rule does not in much of the time protect whether health information is disclosed. The individual has little control over that. If you want to get health care, information is going to be disclosed. The privacy rule does not protect whether health information is used and disclosed. To have any value, it must in my judgment protect the amount of information that is disclosed and the form in which it is disclosed. That is where minimum necessary comes in. Minimum necessary attempts to regulate the amount of information that can be used and disclosed at the current time, only in the areas of payment and health care operations. I do not think minimum necessary is well understood at all by anyone in this process and it is crying out for more educational efforts on the part of the department and other groups.
The lack of outreach education for professionals and patients alike was a recurring theme in our letters to the secretary from even before the privacy rule went into effect in 2003 and certainly for the next five or six years after that. We still need to do that.
This past weekend we had a very graphic example of how the privacy rule is still not understood. Many of you heard the stories I am sure about friends and family members of shooting victims contacted the Orlando Regional Medical Center to try to get information. It was the medical center’s position that they could not give this information out without a “waiver” of HIPAA. Of course, that is not true and the department issued a statement and so forth. But I think it is very telling that this could come up today after all these years.
One would think that every hospital would already know this especially a trauma center. The fact that they did not know or were unsure or wanted further information clearly says to me that we need better outreach and education. We need to coordinate with the American Hospital Association. We need to coordinate with professional organizations, et cetera. I know from my own experience in my institution that HIPAA is profoundly misunderstood. Nobody knows what it does, what it is supposed to do, how it works, et cetera.
The first of the two ways in which I would like to urge you to extend this concept is that I believe minimum necessary should be extended to treatment. I say that because when a hospital or a health care provider has a health record, the prevailing view is that any health professional gets access to the entire record. I am not talking about physicians. I am talking about dozens of other health care providers as well. Generally, they have access to the entire record. There are certain things that institutions do to limit that. One is role-based access restrictions. If your role is, you only get access to parts A, B, and C of the record, et cetera, but that is certainly not universal. Other institutions are required to have audit trails, which discourage individuals regardless of what their duties are from accessing files that they do not need to see. They are not their patients, et cetera.
But both of these provisions go to what providers get access to PHI and not what PHI they can actually see. I think the problem is at least theoretically available to viewing that is the entire medical record, including all the sensitive information and everybody’s file.
For many years and in several letters to the secretary, the NCVHS has recognized the privacy risk of sensitive information with no current clinical utility being routinely accessible by all health care providers. That means that one’s sensitive information generated by a psychiatrist or a gynecologist or urologist or pick the specialty is in the main body of the medical record and is accessible now once it is made and prospectively for as long as the EHR is maintained. This information would then be available by all health care providers and integrated practices or other providers that are asked to be a consultant in the case. I think this is not conducive to individuals feeling like they have privacy or in actuality having privacy.
The example I used in my written testimony is that a patient seeking emergency room care for a sprained ankle should be assured that their reproductive health information or their genetic information is not going to be viewed by those providing care.
One of the things I want to emphasize clearly is that the overwhelming majority of health care providers have no interest and no time for trolling through one’s entire medical record to look at sensitive information. I get that. But if you look at it from the patient standpoint, it is not so clear. Patients would be very concerned and are very concerned that their most sensitive health secrets are only a click away from any health care provider and will be only a click away for the rest of their lives. I do not think patients will be very happy with the state of affairs the way they are.
It is also important to recognize that protecting sensitive health information affects all of us, not just individuals who have sensitive material in their EHRs. Concern for privacy is a leading reason why individuals with mental illness, substance abuse, infectious diseases and similar conditions delay or forgo treatment, so ensuring privacy is important to all of us. Again, to mention Orlando, this tragedy brought to mind many similar tragedies unfortunately. A common response to these events has been the call for loosening HIPAA privacy rule protections for mental health information, putting a duty on certainly mental health providers, but also other primary care physicians who see mental health illnesses.
In April of 2013 in the wake of the Newtown shootings, I testified before the Subcommittee on Investigations and Oversight of the House Committee on Energy and Commerce. The title of the hearing was “Does HIPAA Help or Hinder Patient Care and Public Safety?” The unmistakable subtext of the hearing in my view was that the HIPAA Privacy Rule, by limiting disclosures to law enforcement, family members and others by health professionals who were treating mental health patients, had the effect of placing the public at risk. I made the argument at that time that the privacy rule actually serves to protect the public. Here is part of what I said.
Health privacy laws are essential to the protection of public health and safety. To illustrate, this afternoon I will be going back to Louisville. At lunch, I do not want my cook or server to be someone who was reluctant to get treatment for hepatitis A because of privacy concerns. I do not want as my taxi driver someone with chronic tuberculosis who was afraid to get ongoing health treatment. I do not want my flight safety placed at risk by an air traffic controller with an untreated mental health problem or a pilot with a substance abuse disorder who was deterred from obtaining behavioral health care.
Confidentiality protections serve to advance both the patient’s and the public’s interest. It is very tempting to respond to these kinds of events by saying we need to routinely share mental health information with everybody so that we might catch some person who is going to do something awful. But we need to keep in mind that every year there are 40,000 suicides in the United States and 800,000 emergency department visits from individuals who intentionally hurt themselves. Can you imagine what the numbers would be like if people who were having these problems felt like if they sought some treatment that information was going to follow them the rest of their life, not only for use by or access by other health care providers, but when they wanted to get a job, when they wanted to fly for insurance. You know the whole range of areas where there are these compelled authorizations.
The NCVHS has recommended that individuals should be able to segment their PHI by excluding from routine access certain predetermined categories of sensitive information in an EHR. Amending the minimum necessary rule to apply to treatment would be consistent with these prior recommendations and I think would provide an impetus to adopt that longstanding recommendation of the committee.
Next, I want to make the case for payment and health care operations to contain a least identifiable form requirement. One of the things that we learned on this Subcommittee many years ago was the number of individuals in the payment chain who routinely see PHI. We do not normally think of that process as a way in which health information is breached because it is not a breach, but health information is seen and used in an individually identifiable form at a time when it is not necessary that individuals be identified by name.
I believe it would be relatively easy to convert from name-based billing to the use of a unique billing number and doing so would greatly advance the privacy of individuals. The number would not be a national patient identifier, but the number already assigned by a health insurer such as a member’s number on a patient health insurance card. On my health insurance card, I received it from my health insurer and I am required to present it to each health care provider I see often multiple times. It contains a 12-digit patient identification number, a nine-digit group number and several plan codes. I assume this is common. They do not need any more information about who I am. They know who I am. They know whether I am entitled to certain measures. My name is not needed to file and process claims.
In addition, removing patient names before using PHI for health care operations, I believe, is feasible and would significantly increase privacy.
To clarify, I am not recommending compliance with the detailed de-identification provisions of the privacy rule that we all know and love. I am merely advocating that names be replaced with a number for payment and health care operations.
To conclude, I respectfully propose that the NCVHS recommend to the Secretary that the minimum necessary standard be extended to treatment. In addition, a least identifiable form requirement should be applied to payment and health care operations. I believe these amendments would be extremely valuable in their own right, and they would also enhance the legitimacy of the HIPAA Privacy rule. Thank you.
MS. KLOSS: Thank you. Are there any questions for Mark?
DR. SUAREZ: Thank you, Mark. Very provocative as always. I guess I will start by asking you about the extension of the minimum necessary to treatment. Certainly, there is that interest and benefit and value of retaining privacy and certainly providing the control of privacy to the consumer. The challenge of course with dealing with clinical care, as you might be aware of and others probably are too, is that we do not know a priori what the patient has and what the patient needs when we see a patient in a clinic. We do not know if a sprain, that is the example that you provided, might be related to a condition that is associated with osteoporosis just to give an example that is associated with STD. Those kinds of clinical linkages are certainly difficult to be made without all the appropriate information.
I think as much as I understand that as you argued there is privacy of sensitive information with no clinical utility. The challenge is knowing what information has no clinical utility in which case a priori and without having that type of access again that is reasonable, responsible, and professionally done. It would be very difficult to assure the best care to a patient. I wanted to present to you with that argument and see what your thoughts are on that.
MR. ROTHSTEIN: Thank you. That is an argument that was made forcefully, repeatedly, and well during our many hearings that we had before this Subcommittee and then in the Committee itself on the issue of whether we are going to recommend the segmentation.
I think what we need to remember is that clinicians who think they need this information can make all sorts of exotic arguments that everything from the time you were born until now is relevant to your care. But the fact of the matter is that medical records are never 100 percent accurate. They are never 100 percent comprehensive. If we do not have these sorts of protections that I am advocating, patients will self-censor the information that is disclosed to their treating physicians.
The other thing that we did years ago that I assume is still part of this is that we did not say that patients had the right to sequester or segment anything that they wanted. We said only in certain narrowly defined categories of information. You can pick three categories or six categories. That does not matter.
And the other thing is that if a treating physician suspects that there might be information that they need and the implication in the record would be some information withheld at the patient’s request, you can query your patients about that as well as the fact that clinical decision support would operate in both records. If you wanted to sequester your mental health information, what meds you are taking for that is very relevant to what meds might be prescribed for anything. Theoretically, that contraindication would appear. The treating physician could say you have a case that could be complicated and I need access to everything. Please give me your special code that will allow me entry to your sequestered data and I will tell you exactly why. It will be re-sequestered after I take a look at it. I want to know what they found five years ago when you came in for whatever.
Is it going to be perfect? No. Are we possibly going to give up some clinical benefits in exchange for this privacy protection? Yes. But I think on balance we were convinced and I am personally still convinced that this is the sort of thing that we need to do because of EHRs. In the paper days, you could reinvent yourself medically any time you wanted by simply changing your physicians. In an era of EHRs and also an era of consolidation and health care, you cannot do that. Everybody is going to have access to everything. I think we need to revisit that in the context of minimum necessary. I appreciate the concern and I thank you for raising it.
MS. KLOSS: We will start at this end. Alix.
MS. GOSS: I did have a question that got prompted by that exchange, but I will start with my original question, which really gets back to part of your testimony, at least in your written testimony, the aspects about patients not getting the copy of the notice of privacy practices. They do not understand it. I have had my own experiences where I know a lot and I want to read it. I pick up samples for other work that I have done within the Commonwealth of Pennsylvania. I have actually had people say you really do not want that. I will say yes, I do. That paragraph on page 2 of your testimony really resonated for me. It is one thing for us to look at a policy dynamic shift that we might recommend, but how do we overcome the citizen view and attitude towards HIPAA and privacy from a health literacy perspective? It is a huge challenge, especially when you look at a lot of the requirements for readability level that keep you between a fifth and eighth grade reading level. When we were doing health information exchange consumer materials, interoperability, health information technology, it was hard to get it below a twelfth grade reading level. And especially when you think about consent forms, they are supposed to be educational.
I am curious as to your thoughts about the apathy across the country related to this or maybe the disdain might be a better word and what we could do regardless of what we choose to recommend for policy changes just the general lack of understanding and resistance to being engaged.
MR. ROTHSTEIN: Thank you for that question. That has been a concern of mine for a long time. As I say, I think the typical patient gets a negative view of HIPAA from the very start. Like you, in my encounters, I sometimes pick up information or what is done. The situations I think are most curious are that many times I have been asked to sign an acknowledgment without ever being offered even the privacy rule. A couple of times that happened I tried to engage in a Socratic dialogue with the clerk and saying are you asking me to sign that I received something that you did not give me. Do you think that is right? Then I thought do not be a jerk. This person is trying to do their job. They do not understand HIPAA. They want you to sign something. Sign it. To all of you clerks out there who might be listening, I am sorry. I will be good in the future.
I remember in the early days in 2003, 2004, and 2005, I would get the stuff and I would then correct the errors that were on there and give it back to them. I am not going to do that anymore.
I think allowing individuals to segment information would change the whole dynamic. Here is your piece of paper. You sign anything that you do not –
MS. GOSS: How are they going to understand what that means?
MR. ROTHSTEIN: I am not an expert on health literacy, but one of the things that I would suggest is that we have a notice of your rights that is one page long. It basically says here are the five or ten things that this law gives you a right to. You have a right of access to the information. If you want more information, it is a very complicated rule. We can give you that information. Here is a link to the OCR website. But at the initial encounter, a one-page document. I am not saying what all the things that the health care provider can do with the information. What are their rights?
MS. GOSS: I think one of the things we should also do is start teaching HIPAA like in kindergarten. I do think that we need to start helping people understand their role and responsibility in health care very much earlier in life.
You also made a reference to medication listings and contraindications. I have seen some diversity across the country. Some states say you can share that medication listing freely among your clinicians like in a health information exchange environment. Other places are saying no. There could be sensitive types of information there by extrapolation. And then there is the complexity of multiple uses for medications. But it is critical information for a clinician as you described to know I could have an issue. Do you have any thoughts about what we could do to solve that variance across the country on whether it should be freely shared or not shared?
MR. ROTHSTEIN: I think anything that bears on the ability of a patient to tolerate medications well, either their past history with those meds, prior adverse reactions, prior inefficacy of certain treatments. That needs to be available in virtually all cases.
The situation that I am trying to protect individuals from is where you have a certain drug that is listed and it automatically confers the diagnosis. If you have that situation then I would be reluctant to make that available to everybody. Everybody is a long list of providers, not just your treating docs, but all the techs that see you and so forth. That should be initially not available unless it is relevant and then there ought to be restrictive access approved by the patient. I think patients will be comfortable with this.
It is interesting, during one of our hearings when we were considering this issue many years ago, we heard testimony from the head of Denmark’s Health Information System. And the reason we did that was they were a very small country and they had electronic health records for a long time. In Denmark, we asked them what the patient can elect to edit or whatever, and he said, we let them do whatever they want. They can take things in, take things out, and put things in. We cannot do that legally for all sorts of reasons in the United States. The interesting thing that he said was nobody ever does it. They love the fact that they could do it, but they do not actually do it. How many? What percentage of people in the US would actually segment their health information? I do not know. Maybe we need some pilots. Maybe we have been arguing all these years about something that is not really an operational issue.
I think people here would love to have that option whether they exercise it or not. If we go down that road then we need to deal with Walter’s question and a whole list of other questions that go to how can we make this actually work and not be burdensome on health care providers, et cetera.
MS. LOVE: My head is spinning. I have so much I want to bring up. I think I am going to bring up a different tack here from the public policy tack. What you are proposing makes sense at the individual patient level, but we have another patient that I spend my time dealing with and that is the health delivery system, which is fragmented, broken, does not talk to each other. I even think within a major health system where I live, I am not sure that electronic health record is read by provider A to B because I provide the same information over and over.
When we think of the data at the patient level and care, that is one level. But that data if we do our jobs right flows to other entities, be it a health system doing quality improvement, but outside the health system to states who have to survey and protect the health and improve the delivery system in their states. By segmenting and fragmenting, we are stunned with opioid use and abuse and the magnitude of it because that data may not be available to the state in the surveillance realm. I always say we need to really balance this privacy issue with access to the appropriate data, with the usefulness of the data. And if any one of those is emphasized at the expense of the others, the public good is not served. If we overemphasize privacy be it substance abuse or identifiers or data flows at the expense of the usefulness of the research and the policy information, I do not see how the public good is served.
I am wondering if HIPAA privacy rule is meant for one purpose, but we need other laws. I would love to see a federal law that says if you use researcher de-identified information inappropriately, you go to jail. Instead of trying to lock it up and then let it out in dribs and drabs and I am not a lawyer, but is there another way to say we need additional protections because our system is so fragmented. We have to put the jigsaw puzzle together somehow. You will hear tomorrow. States are struggling with putting that jigsaw puzzle together. It is like figuring out what is happening in this train wreck of the health system. I will just stop there. It is a little rhetorical, but how do we reconcile as it relates to minimum necessary. I am just trying to pull us back to our topic. Sometimes minimum necessary has been used in the public policy realm to argue you do not need the data for the surveillance. It is tough.
MR. ROTHSTEIN: Let me give you a minimum necessary answer to your question. In 49 states, there are prescription drug monitoring programs that require health care providers who write certain prescriptions to notify the state. The minimum necessary rule does not apply to disclosures required by law; therefore, the narrow problem that you are raising I do not think would actually come about because you would have to by state law send the PDMP information in.
But just quickly on your other point about the overall big problem. I will keep this brief. Privacy is not free. Privacy costs. There is a financial cost. There is a health care cost. There is a public health cost. There are all sorts of costs. We need to decide whether we think those costs are worth it. If we do then our other job is to say how can we minimize those costs and maximize the privacy doing a certain amount of things. Your point that it is going to interfere with something and Walter’s earlier point, I agree entirely. What I am trying to recommend is ways that we can strike a balance where we do not interfere with people who are trying to save my life and people’s lives that I love and care about, but also that is attuned to the consequences of the system that we are creating.
MS. KLOSS: In three minutes, we are going to invite Bob Gellman and Adam Greene to join us. Let’s do the questions. Helga, Barbara, Susie, and then we will have —
DR. RIPPEN: Thank you. It was funny because I was thinking about the whole oath thing of health care and privacy and confidentiality to enable a really good relationship between a patient and a health care provider as kind of the basis a long time ago and the costs associated with it. And then the movement to an electronic record environment where now you can access things in ways you would never think about it. And then the individuals themselves. There is sensitivity about what a patient will tell a physician that they trust versus not and what are the implications from a societal perspective as far as who goes to whom for what information.
Actually, it is very poignant in some degree with even a study that just came out where 20 year olds were actually evaluated to see would they collect even privacy information about mental health. Even though we let it all hang out in Facebook and things like that, there is a pretty significant nuance of individuals as far as sensitivity to being labeled with certain sorts of things. I think we have a bigger philosophical question from a societal perspective on where the balance is.
Some people have even said in focus groups that they do not think their health information is a public good. Societies have to make that balance. I think that the question of HIPAA even in the tongue-in-cheek in the beginning to some degree of not releasing names for HIPAA. As we know, there are a lot more sensitive nuances associated with it. HIPAA is one, but there are also other things that we have to take into consideration with regards to sharing.
As we start thinking about what is minimally necessary, we do have to put that perspective in and remember that and figure out how do we strike the balance. Thank you.
DR. EVANS: I wanted to request your clarification on two issues that seem always to become confused in any discussion of this topic. In the treatment relationship, is minimum necessary information minimum necessary in the view of the patient or in the view of the physician? In whose view is that determination to be made? That is question one.
My second question is some of your remarks made me sense that you were including within minimum necessary a view of the minimum number of acceptable recipients. Some information is okay for the doctor to have, but we do not want the cleaning lady to have it. And yet I understand minimum necessary to mean something different than that. It means the minimum necessary quantum of information to serve a particular purpose. Could you clarify which meaning is minimum necessary and whose view will that determination best be made?
MR. ROTHSTEIN: Thank you. The first question is who makes the determination has to be by the providers. The way in which patients might have that opportunity is if some sort of segmentation regimen were adopted and certain areas chosen by the patient. You will not have to choose them all. I just want my substance abuse issues not really available. That would be the answer to the first.
The other – I did not explain too clearly is that role-based access and not minimum necessary would determine who in a hospital would get access to patient information based on what it is that they do.
MS. KLOSS: I have just one final question while our first panel comes up. Do you think the current definition we have of minimum necessary is as crisp as it should be? The way it reads is when using or disclosing protected health information or when requesting protected health information. I see two different situations. When using and disclosing or requesting. The burden is on the provider, but it is also to some extent on the requester as I am reading the current definition.
MR. ROTHSTEIN: I interpret requester to be another health care provider who wants information from the first health care provider. In answer to your question of is it as clear as it could be, no. And not only do we need a reworked definition, but we need lots of examples and FAQs and the like and educational efforts to get out the word on what minimum necessary is and how you —
MS. KLOSS: Terrific. Can we ask Bob and Adam to join us? Mark, I do not know what your schedule is, but I hope you will stick around.
Welcome and thank you for being with us. Robert Gellman, who has written extensively on privacy and certainly was a mentor and one that I have read and learned so much from over the years. We welcome you and ask you to provide your comments.
Agenda Item: Panel I: Policy Interpretations of HIPAA’s Minimum Necessary Standard
MR. GELLMAN: We all know that health records are large. They have a lot of personal information. They pass through many hands. The burden here is significant. The minimum necessary rule is a general constraint. It is an important one. I think the committee should reaffirm the importance of the rule. It is not something that should be taken for granted. It is not something that can be overlooked.
At the same time, however, I acknowledge that there is always a need to accommodate the practicalities of the situation and that there are tradeoffs that are required and that the administrative consequences of standards in this area have to be acknowledged and they have to be recognized and they have to be dealt with. Privacy does not win all the battles, but it has to be considered in those circumstances.
Under the privacy rule, many of the nonconsensual disclosures are really broad. In particular, disclosures for law enforcement and national security are especially broad and they lack adequate standards and sufficient procedures to protect individuals. Under the rule, it is lawful today for any provider or any insurer to take every single health record that they have and turn it over to the CIA or the NSA or any other intelligence agency without a court order, without a subpoena and without a request from the agency. That is how broad the national security rule is.
The only constraint on that is the minimum necessary rule. A physician would find it very difficult to justify under the minimum necessary rule why it would be appropriate for him or her to have turned over all of the records in their possession. Other nonconsensual disclosures – many of them are less troublesome in that way, but they all could stand to have stricter controls. That is not a problem before the committee today. But the minimum necessary rule is relevant to all of this and it cures at least some of the ills that are already in the rule. It obliges the discloser of information to at least pay attention.
Another reason the minimum necessary rule is important is that when a covered entity discloses a health record to a third party who is not a covered entity, no privacy rules may apply. That third party could be a policeman. It could be a public health agency. It could be anybody who receives the record lawfully and is not subject to any privacy rules. The HIPAA rules do not flow downstream with the records. I am not suggesting that they should. That is a different problem. But another reason the minimum necessary rule is important is that it is a constraint on what can be disclosed and what can escape from the HIPAA zone of protection.
I think that the exemption for minimum necessary for treatment disclosures is probably still an unfortunate necessity. I am not quite prepared to go as far as Mark and say that we should do away with it. I think that a prudent approach here – Mark pointed out a lot of the problems. We all know the lack of understanding of the rules. My wife is a treating physician and runs into the problem of not being able to get records on a patient she is treating without consent. That is pretty simple stuff yet it has not been absorbed into the health care system. Too many times people default to say we need to go through a procedure either because they do not understand the rules or they are lazy or in some cases facilities over-implement HIPAA in a way that is probably inappropriate.
I think that in the treatment area trying to do too much here right now is probably not likely to work. However, I think we have to take a long-term view here and we have to prepare the health industry for a transition to a time when we will put constraints on treatment disclosures. I think Mark pinpointed the problem as health records become lifetime health records. As the American tradition of moving West to escape your past in this context, it is going to another provider or if you have the opportunity, selecting another insurer to get away from your old record. That may disappear. I think we have to provide patients with some degree or control. I think that control has to be – it is not complete. I think we have to recognize the other interests. We have to find a practical way to accommodate the interests. I think perhaps most patients will not care. I do not think that all patients will not care. I think most patients will not care to control their records.
The doctor’s argument that we may need to see everything because we never know where something is going to go is likely to succeed with medications, but it will not succeed with all of this. It is a difficult problem and I think you have to make choices here and you have to recognize that we do have an interest, for example, in controlling misuse of narcotics. You may not be able to avoid that kind of a problem.
Other things you have to make different kinds of determinations about. Patients – I think the burden here has to be put on patients to come forward and say what it is they want to do, but the system has to be able to accommodate patient requests in some reasonable way and channel them in a way that is administratively possible to do.
I want to talk for a minute about the notion of sensitive information. This comes up all the time. I am resistant to the notion of sensitive information as predefined categories. I think it is a very troubled concept. One person’s sensitive information is another person’s cocktail party chatter. If you have had the same experience I have, you have people who are friends of yours and acquaintances who have seen psychiatrists. They are undergoing psychotherapy and you know it because they talk about it. Some of them endlessly. That is their choice. Saying that all psychiatric information is by definition sensitive just does not work. Sensitivity varies by culture and nationality. That is not the predominant concern here.
I just want to point out that in Europe there is a definition of sensitive information under the European Data Protection Directive. It includes trade union membership. Nobody here would think trade union membership is a sensitive category, yet almost everybody here would say that financial information is sensitive. Some people would rather disclose their medical records than their salary. But in Europe, financial information is not identified in the directive as a sensitive category. This is a difficult thing to define. I think patients have to be given menus and to say what they think is sensitive to them.
I also think that we have to recognize that definitions of sensitivity will change over time. Someone’s preferences for privacy will be different at age 12 and at age 50. This will require tradeoffs and it will have to be done with some degree of pardon the expression sensitivity.
I want to go back to this notion of taking a longer term view. I recognize the need to provide current guidance, but I think the committee should recommend that the secretary basically tell covered entities that the current minimum necessary rule for treatment is likely to change in the future even if you do not change it today. Put the industry on notice that this will change and that the technology needs to be developed in order to support that. A lot of technological problems are very cheap to solve if you give people enough notice. If you say to somebody, you have to retrofit your system in order to do something, that is enormously expensive. That is typically a bad idea. We have to recognize the cost of things as well. But if we tell people in advance that we are going to do something and they have ten years to develop the software, it will be much simpler to do. I think you have to take a short-term strategy and a long-term strategy in what you recommend.
I want to get into some of the weeds a little bit. I think areas that minimum necessary guidance should address include some of the major categories of poorly defined disclosures like law enforcement and national security and public health and research and fund raising in particular. I think the activities that affect the processing of large volumes of information should receive priority and guidance as opposed to the case-by-case individual decisions that are involved in specific treatment of specific individuals.
I am going to talk a little bit about – there are some FAQs already on the OCR website on minimum necessary. I went through them all. I want to make a couple of points. One exception – there are exceptions to the minimum necessary rule that we already find. I do not understand how these exemptions apply. This came up in the questioning. If I authorize the disclosure of my PHI of my last doctor visit say to my employer as an excuse for why I was not at work, the exemption itself is broadly stated and suggests that it is okay to disclose all of my records even though the authorization form said my last visit. The minimum necessary rule does not apply. Why pay attention to that?
If you look at FAQ 210, it has a better gloss on this. It says that covered entity can disclose what is requested on the authorization and that makes sense. The rule itself is not so clear, but that is a little better.
Another exemption for minimum necessary covers disclosures required by law. If a law requires the disclosure of a communicable disease to a public health authority, as it does in many cases, does that exemption mean the covered entity can disclose psychotherapy notes that are not specifically covered by the law? The minimum necessary rule does not apply. That is what the exemption says.
If these disclosures are routine and recurring, which is one of the standards for how you make minimum necessary disclosures in the rule, are the disclosures that are exempt like these public health disclosures which are recurring and routine? Are they also exempt from the requirement and the procedures for routine and recurring disclosures that use standard protocols? That does not make any sense. I do not think that is what was intended. But the exemption is too broadly written in the rule. And the problem is that there are two elements I contend to the exemptions.
One question is what do you have to do to respond to a specific request. Let me put the other one on the table. The other is whether the covered entity has to assess whether the disclosure is necessary to accomplish the purpose. Those are two different things in some cases. I think that needs to be separated out and made clearer. In the case of when there is a request either from an authorization or required by law, it should be okay for the covered entity to comply with the request period as narrowly as possible, but to comply with the request. There is no requirement. There should be no requirement to assess the purpose. I want to disclose this record to my employer. You do not have to assess. You just disclose the record. That falls under part one.
In other circumstances where there is a lot more uncertainty about what is going on, there may be a burden on the covered entity to make a decision about what the purpose is because the request may be broad. Even though it is lawful, it may be incumbent on the covered entity, making the disclosure to fight about what it is and to make a substantive decision and perhaps negotiate, if you will, with the requester about what it is they are doing and why they need all the records. I do not expect negotiations to continue on an individual basis request by request. I think the notion in the rule about having standard protocols makes sense, but I think we have to pick apart the pieces here and put them back together in a more logical way, in a way that people can implement and do not just throw an exemption at something.
One of my experiences is when I was a congressional staffer, working on legislation, people would come up and say your bills are terrible. We need an exemption. My agency needs an exemption. My industry needs an exemption. You talk to them and you hear what their problem is. If you change two words in the law, they went away happy. It solved their problem. Broadly stated exemptions create more problems than they solve.
I think that revising the FAQ or providing additional guidance and ultimately I think revising the rule to some extent may be appropriate. All things in good time.
FAQ 215 says facility redesigns are not necessary to meet the reasonableness of standards for minimum necessary uses. I think that in the short term is a perfectly fair policy. This goes back to what I said about retrofitting existing computer systems for new standards. It is hard to do. But in a longer run, that perspective is too narrow. I think that much can be done with new technology if you give clear requirements and long lead times. This could all be done without great cost.
FAQ 217 says that a covered entity can rely on an institutional review board’s determination that the information requested by a researcher is the minimum necessary for the researcher’s purpose. I am not so sure here. I do not have any evidence to offer. But in my interactions with IRBs, I found that they often do not understand privacy and the notion that they will understand the minimum necessary rule in HIPAA and be able to apply it routinely in their activities is something that I am not prepared to accept across the board. At a minimum, I would like to see guidance that says a covered entity has the ability at least to make its own determination about minimum necessary in a research context if it chooses to do so.
I also make the same point about representations from public officials about disclosures required by law. Does anybody think that a public official who is demanding records lawfully from a covered entity has any sense of what minimum necessary is? They just say give me all the data. Give me everything. They are not paying attention to this. I think just relying on the fact that there is a law or there is a public demand that is lawful and it is okay to disclose means that the minimum necessary is automatically complied with. I think this requires a little bit of rethinking.
Those are the points I wanted to make. I will be happy to answer questions later.
MS. KLOSS: Thank you so much. I was remiss in not making sure that all the members of the subcommittee knew that Bob Gellman also chaired this subcommittee in the past.
Adam Greene is a former member of HHS and certainly helped to evolve the implementation of HIPAA. We are real pleased to have you here today.
MR. GREENE: Good morning. Thank you for this opportunity to speak before the Subcommittee. Currently, I am an attorney in private practice and pretty much all of my practice is health information privacy and security with maybe a little meaningful use thrown in to spice things up every once in a while. Before that, I was at HHS. I have seen both sides of this. I know what the regulators are trying to accomplish, but then I have seen in practice what is actually the on-the-ground reality to some of these issues. When clients come to me with minimum necessary questions, it is usually – they have their heart in the right place. If they are trying to really ignore the law, they do not tend to go and pay for counsel in this area. I see issues where health care providers, for example, technology companies want to do the right thing, but are seeing real challenges with implementing minimum necessary.
Make no mistake. In the abstract, I think the minimum necessary concept makes complete sense. It is virtually irrefutable. When you request information, you should not be requesting more than the necessary amount of information. When you disclose, you should not be disclosing more. The entire medical record should be the last resort. These are concepts that I think in principle are very hard to argue with. What I found in moving to private practice is sometimes very good policies in the abstract have very real unintended consequences and problems.
I would like to focus my testimony on three areas that I have seen as recurring challenges in the actual rubber-meets-the-road practice of minimum necessary. The first is how this is actually playing out in health information exchange and causing an obstacle to potentially very good health information exchange opportunities.
The second is some guidance that I have seen with respect to business associates and what the expectations are with respect to business associates and minimum necessary.
And the third is the implementation specifications of minimum necessary and the idea of essentially standardized protocols for all routine requests and disclosures.
First, on the front of health information exchange, I think there is little debate that health information exchange holds a lot of opportunity to improve the health care system overall. Part of that is of course the ability to more readily exchange information for treatment purposes. The idea of more readily if you send the patient to another provider, being able to more readily provide that information or if you see a patient getting all the information you need upon request.
The good news here is minimum necessary, as it currently stands, does not stand as a roadblock to those treatment exchanges because treatment is exempt from health information exchange. In light of the testimony we heard today, I would caution the Subcommittee to take deep consideration of any change of that, any recommendation to in any way apply minimum necessary treatment and what kind of effects that could have on what is right now I think working well in health information exchange.
In contrast, health information exchange is not only about treatment. There are a lot of other good opportunities with respect to health information exchange. Opportunities to improve the quality of care at a population level, reduce costs within the health care system. These are referred to in the rule as health care operations. They are subject to minimum necessary.
Health information exchange also not talked about as much, but has a lot of opportunities with respect to payment activities, making it less administratively burdensome to engage in certain payment activities whether it be moving towards a more pay-for-performance system where you have to see potentially quality metrics to be able to see what sort of payments should be made or whether it just be something as simple as medical necessity determinations in the payment field.
Here are areas where minimum necessary is causing fundamental problems. As it stands today if a health care provider gets a request and they do from a health plan to say we want to be more active in care coordination or we want to be more readily able to access information to make medical necessity determinations, essentially taking some of that burden off of the health care provider. It is hard to say that you can do this under the current minimum necessary standards with health information exchange because the realities of health information exchange is you are either opening up pretty much the entirety of the medical record. For example, you are giving someone essentially a log in to the EMR or alternatively it is some sort of standardized set of information as being disclosed that is almost invariably going to be too little or too much for any given situation.
When you get these examples, you have real problems with doing these things with respect to health information exchange. For example, if a health plan wants to utilize health information exchange to determine whether a patient’s powered wheelchair is medically necessary, it likely cannot request only the information related to the condition that necessitates the wheelchair. That is not the way health information exchange is constructed currently or how I see it being structured any time in the foreseeable future.
Likewise the health care provider cannot provide access to, for example, the entire medical record because under the rule, providing access is a disclosure. If you are providing access to the entire medical record, you are making a disclosure of the entire medical record and that arguably is a violation of the minimum necessary standard right now. The answer is no. You cannot do that. We have to go do this on a much more individualized basis.
I think the situation puts all parties involved in health information exchange at legal risk. The health plan is always seemingly at risk for – if it tries to participate in health information exchange requesting more than the minimum necessary because they have the standards they have been given and that potentially is more than the minimum necessary if it is a particular standardized amount that is available.
And the health care provider is always at legal risk of providing access to more than the minimum necessary. The answer is sorry, we cannot do this. We have to just go back to the old fashioned way of doing things. I think that really is curtailing a lot of opportunities in the world of health information exchange.
As much as I am a technology optimist, I am not sure that there are ready technological solutions in the foreseeable future. I think part of this is just a fundamental aspect of it: it is almost impossible to always request exactly what information you need or at least even to make a reasonable effort as the regulation suggests to limit your request accordingly. You sometimes do not know exactly what information you need until you have seen it. You have a fundamental problem on that side.
We have been talking about data segmentation for a long time and I do not see any immediate solutions that would allow. We cannot even get data segmentation at Part 2 records, for example. The idea of segmenting data for individualized necessity determinations seems like a near impossibility. As much as I am an optimist on the technology front, I do not see ready answers on that.
I would recommend that the Subcommittee consider recommending to HHS that they reconsider how minimum necessary applies in the age of health information exchange, that they issue guidance that indicates that you can, for example, provide access to the entire medical record for permissible purposes and that that is not inherently a violation of minimum necessary, but that rather actually using more than the necessary information, letting curiosity get the better of you and accessing more information than is necessary, would be a potential violation of minimum necessary. This is not a big departure from the rest of HIPAA. This is actually how the rest of HIPAA often times works.
For example, in the treatment context, yes, treatment is not subject to minimum necessary. But in reality, a treatment provider may have a relationship with patients A, B, and C and not hundreds of other patients. We rely on trust essentially that they are not going to abuse their authorized access to look at all these other patients. We do not try to create a system that would be untenable where each physician can only see the patients who they previously had a treatment relationship with. I would suggest something similar in the health information exchange. I think we do have some room in guidance here to improve the situation dramatically.
The next area I want to talk about is some current guidance out there with respect to business associates. The guidance provides a covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. So far so good. Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, PHI to be consistent with the covered entity’s minimum necessary policies and procedures.
This was guidance that was originally in 2002 and then resurfaced in the Omnibus Rule in 2013. I will admit. I saw this in 2013 and said this does not make much sense and did not even really recognize that this had been longstanding guidance. But the reality is I have seen contracts where the business associate contract comes to the business associate and says – it echoes the same language. And the reality is I have business associate clients who are business associates to thousands or sometimes tens of thousands of covered entities across the country, literally clients who are business associates or subcontractor business associates to pretty much every physician in the country and there is certainly plenty that are business associates to pretty much every hospital in the country for one reason or another.
And the idea in practice that they will comply with a potentially unique set of minimum necessary policies and procedures of each covered entity is just completely unrealistic. I think this is guidance that in theory makes a lot of sense. Certainly if the covered entity – they set the minimum necessary. It is their information. If they cannot do it, the business associate cannot do it. But in reality, it just is not feasible. It is something that I think should be revised in guidance to indicate that a business associate has the same responsibilities as a covered entity with respect to minimum necessary, which includes implementing minimum necessary themselves, but not subject to a particular covered entity’s unique minimum necessary standard protocols, for example.
This is no different than other areas such as the security rule where we would not expect that every business associate is going to have to comply with each covered entity’s potentially unique implementation of the security rule. I do not think minimum necessary needs to be an exception here.
The third area is the burden with respect to the current minimum necessary implementation specifications. We have implementation specifications that essentially state that for each recurring request for protected health information there should be essentially a minimum necessary standard protocol, if you will. Similarly, for each disclosure that is subject to minimum necessary that happens on a routine basis, there should be essentially a unique standard protocol.
That is something that I understand the benefit of, but I think the actual burden far outweighs the benefit here. In practice, I think it is very difficult to actually comply with these implementation specifications.
Covered entities are already drowning in a volume of paper with respect to HIPAA. What I have found is HIPAA policies and procedures are sometimes the most voluminous of all policies and procedures across the entire covered entity. Covered entities and business associates, especially covered entities like hospitals, are incredibly complex systems with huge amounts of recurring requests and disclosures. And to ask that they create a separate protocol for each one and presumably that the workforce is familiarized with that particular protocol I think is something where the burden with respect to the paper far outweighs the actual benefit as opposed to just complying with minimum necessary. I am not questioning the need to comply with minimum necessary to limit requests and limit disclosures, but I am questioning the idea of in theory having to do hundreds of protocols, updating those each year. I think there are better uses of covered entities’ resources and therefore that burden far outweighs the potentially limited benefit of creating these protocols.
Make no mistake. The minimum necessary standard is one of the most important parts of HIPAA. I am not questioning that at all. The principles underlying it are as important today as they were over a decade ago when the regulations were first passed. But we have gained a lot of experience witnessing what works and what does not. We have seen exciting technological changes that were not envisioned when the privacy rule was first drafted. I think we have an opportunity here to revisit those regulatory provisions and improve upon them, holding fast to the general principles of minimum necessary, but improving the actual practicalities for today’s world. Thank you for your consideration of these issues. I look forward to answering any questions you might have.
MS. KLOSS: Thank you very much. Questions? Walter, are you going to lead us off?
DR. SUAREZ: I will ask a few questions. Thank you very much for the testimony. Very insightful too. One thing I wanted to ask about is more of a clarification of some of the provisions that you referenced – both of you referenced. First of all, I think the concept that minimum necessary exists of course and needs to be complied with and then going down to the establishment of individual protocols like you mentioned that you would need to follow every instance there is an attempt to request data or to disclose data. I was somewhat confused about that. I am not certain or I am not sure whether the mentioning of that is a statement of fact that the regulations require that you establish as an organization a protocol for each of the instances where there is a request or an attempt to request data or for each of the instances you are going to disclose data. Or is it more like you have a general process internally within the organization to define how you are going to handle the minimum necessary aspect of it?
Maybe the concern or the question is really – we will probably hear later on what are the practices of organizations and in the process of handling requests for data and as part of that request considering minimum necessary or disclosing of data and then as part of the disclosure considering that part.
I wanted to ask you if you could clarify that particular statement and then I will ask one question for Bob.
MR. GREENE: The regulation currently provides – for a request that is made on a routine or recurring basis, a covered entity must implement policies and procedures, which may be standard protocols, that limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made. There is virtually identical language with routine disclosures.
I think what this is suggesting is that for each routine request or disclosure, you are essentially creating unique policies and procedures for that routine request or disclosure, essentially standard protocols.
My suggestion is not in any way that you should not be applying minimum necessary to routine requests and disclosures, but rather that you could probably employ two or three people just dedicated to drafting standard recurring request protocols and disclosure protocols because there are in an organization so many of those. That is not the best use of anyone’s time or resources necessarily. It is this idea of the implementation specification that we have to go and identify each routine request or disclosure and create essentially a protocol for it that I think is not the best use of resources compared to the benefit that would be obtained.
MR. GELLMAN: Could I just make a comment? This may be an area where you read the rule that says they must develop these things. Perhaps if it is said they may develop these things and rely on them, which would allow more flexibility and not require the resources except in cases where a facility determines it to be appropriate.
MS. KLOSS: Just a follow up because that was an area — is there an alternative?
MR. GREENE: There is no alternative for routines. There are different circumstances for non-routine where you could have a set of criteria that you apply for certain non-routine ones that comes up. But under the current regulation for routine, it says you must develop these protocols with no alternative that I am aware of.
MS. GOSS: Could they not identify protocols that are criteria based?
MS. KLOSS: Or have a way of categorizing routine and limiting the number of protocols to a certain group of routines.
MR. GREENE: It is a good question that I do not have the answer to because if you do try to – I think generally those that are in compliance with HIPAA will create a general minimum necessary policy and procedure and will say you must apply minimum necessary. Where is the line drawn? If you start essentially lumping routine together into big categories, you eventually get to that general policy. I think we would need guidance to clarify to what extent you could lump together categories of routine disclosures or requests.
MS. KLOSS: I think we will be able to probe this more as we move along.
DR. SUAREZ: My other question to Bob and maybe it is to both of you and maybe even to Mark too is something that has not been covered yet in the comments. Hopefully, we will cover it at some point. The relationship of minimum necessary and breach and breaches of information. There is a concept and I think HHS has made some argument about this that if you release data that is more than the data that is minimally needed that could be considered a breach. I wanted to hear your perspectives on that. I know you did not cover it directly, but I wonder if you could make comments about that. I think there are some significant concerns about the effect of and then the implications of having a possible breach scenario in instances where there are questions about whether you in fact disclosed more than what is “minimally necessary”. Any thoughts about that?
MR. GELLMAN: I think you are on to something. I think that there are legitimate questions about what is the threshold. What is the definition for a breach? Some of them we can all agree on, that when information has been disclosed to the wrong person, has been hacked or what have you, those are the easy cases.
The case that you bring up where you just disclosed a little bit more information than you needed to. Is that a breach when it was an authorized disclosure? The issue here is ultimately – a lot of things come down to this. It is a question of resources. How many resources do you want to devote to certain kinds of activities when there is a hack of data? That is a big data and there is a circumstance in which we want to devote. But even there, there are questions that are raised about what are the harm consequences of it? Is this likely going to cause harm to people? There is a significant difference among the privacy community, which does not want to have a harm standard measuring this and a business community, which does in order to avoid the expenses of breach notification when it is not necessary. I think there are a lot of elements here to play with.
I think there are choices to be made about where you want to devote the breach resources. The decision could well be that in cases where you made an authorized disclosure, but it just happened to go over the minimum necessary line, that maybe that is not a breach. But whether you can always tease all of these things out in a rule is a problem.
DR. SUAREZ: Just to quickly mention as an example to frame it. Linda mentioned at the beginning that yesterday the committee approved a letter to recommend attachments as a standard. A very common practice or not very common, but at least some common practice in the past and maybe still is in the industry is that whenever a provider is going to send an attachment, in some cases a provider just submits the entire record because they want to make sure that the payer has all the record information that they need in order to process my claim. Of course the concern becomes then I might be actually in some sort of a breach situation by virtue of sending more than what was supposed to be the minimum necessary.
That is one example where a very frequent practice in treatment payment operations becomes a question as to whether am I actually violating HIPAA by virtue of a breach.
MR. GREENE: There is preamble commentary that makes clear that disclosing more than minimum necessary is a potential breach. But of course, you also do have to look at whether you can demonstrate a low probability of compromise, for example, where you disclose more than minimum necessary, but it is to a covered entity who says they will not do anything with it. There might be a basis to find a low probability of compromise.
But actually I want to tweak it a little bit and say in the area of breach, I think that breach can be improved a lot by taking something from minimum necessary, which is minimum necessary is the only part of the HIPAA rules that refers to requests for information. Essentially the rest of the HIPAA rule is entirely based on use and disclosure. If you disclosed more than an appropriate amount of information, that is on you. But in the age of health information exchange, the reality is we have more and more power going to the hands of the requester and less and less in the hands of the discloser. You are not going to be sitting there for health information exchange and making individualized determinations on each one.
In the area of breach, I think we should actually take some from minimum necessary and change the focus to not necessarily whether you made an impermissible disclosure, but there are circumstances where one covered entity does everything right, but another covered entity’s workforce accesses information out of curiosity, for example. The current breach rule is focused on was there an impermissible disclosure by the one who did everything right versus we can take the minimum necessary concept and say maybe we should be focusing on who requested information inappropriately there. I think actually in the area of breach, minimum necessary may be very helpful.
DR. EVANS: You mentioned a role of IRBs and their difficulty in wielding minimum necessary. Could either of you share your experience with – do IRBs in privacy feel that it is their role to oversee minimum necessary? Where are they getting the regulatory authority for that?
MR. GELLMAN: I do not have any specific evidence to offer on this at all. I want to make that clear. But I have had interactions over the years with IRBs. There is a significant lack of understanding of the basics of privacy and this is a detail in the statute that does not apply to them and I really doubt they have the expertise. You have to ask IRBs though and other people who deal with IRBs for actual evidence.
MR. GREENE: I am going to actually defer on that because while I have my suspicions, I have not had much direct interaction with IRBs in either of my roles. I am not in the best position to really say.
MR. ROTHSTEIN: Among other things, I am a former IRB chair. Protecting privacy and confidentiality of research subjects or participants is within the broad remit of IRBs. It is my opinion that there is very little effort in training IRB members on the privacy rule and they are generally unaware of the various nuances. They know that they are supposed to protect privacy and confidentiality somehow, but that is about it.
DR. RIPPEN: This refers to the HIE, some of the comments. HIEs right now are kind of evolving especially as our business models are evolving. There is the question of reuse and the information and scope. There is one component as far as sharing information for clinical care, which is the underlying premise. There are many that are going into alerts now, being a platform for research. There are some interesting nuances as it relates to HIEs.
I guess the question is for minimum necessary and maybe an interesting way to think about it is the continuity of care documents and continuity of care records have been negotiated as far as here is the summary of information that you should share during a transition. I am just wondering. If one was to consider thinking about minimum necessary in the context of care, is that already a de facto industry practice?
MR. GREENE: I think that this is an area where guidance could help out a lot with respect to – we have, for example, some clarity that with respect to HIPAA standard transactions there is guidance that indicates that you can rely on that as the minimum necessary. There is a standardized set amount. Even if that includes more information than might be needed for a transaction, you have to follow that standard. But there is nothing like that for health information exchange. I think guidance clarifying that the CCD – that it is reasonable to rely on the CCD as the minimum necessary in a variety of health information exchange circumstances would be very helpful. Right now, the reality is the CCD may have significantly more information than may be needed in a particular use case, but there is no way to further limit it.
There are going to be other circumstances though where the CCD is not necessarily the vehicle where you do have a lot of health information exchange where it is more accessing the entire electronic medical record. Sometimes that is not appropriate. I am not suggesting that is always going to be appropriate, but sometimes it is. There is really no vehicle right now to allow that between a health care provider and a health plan for I think any laudable purpose because of the current minimum necessary requirements.
DR. PHILLIPS: This has been interesting from a variety of perspectives, but the fact that there is some disagreement across the three of you is where I am most interested.
Thinking of the big health system level, I think you could argue across your points of view very well. There are health systems now that outsource a lot of their IT especially when it comes to reporting whether it is quality measures or sending their entire health records somewhere for that to be done for them. That is the majority of the case for small practices. It is the small practice I am most interested in because it is still where the majority of care is delivered. Those practices will not have the sophistication to be able to deal with the policy implementation about minimum necessary because it is very hard for them to think about what I am sending to whom and how I parse it. I think the technological solution is actually maybe the best route for them because it automatically parses the data and says – at least it sets up the possibility that this requester gets this amount of parsed data that is already segmented for me. I do not have to worry about how I segment the data.
I am very interested in this idea of when you are talking about a policy solution, Adam’s specifically rather than technological solution, how would you help me think about how that might apply to a small practice where they just do not have the ability to discern what the policy should be for their data?
MR. GREENE: Yes, I would like to think that small practices across the country are struggling with the minimum necessary implementation specifications right now. But I imagine on their list of things to do, this is fairly low. I do not see that changing any time soon.
I think the policy should be oriented towards focusing on the practical realities. With respect to a small practice, if they are potentially participating in health information exchange, I do not want the policies to be focused on what they need to specifically do to comply with minimum necessary to make sure that they could participate in health information exchange. I want the policies to be focused on if someone is abusing health information exchange. Whether it be that small practice has an employee who is accessing information inappropriately including more than the minimum necessary, that is where I want the policies to be focused rather than –-
The reality is the complex hospitals are the ones who are coming with questions about can we open up our records to health information exchange. The smaller practices do not even realize this is an issue.
To your question, it is not necessarily that there are technical solutions that are necessarily going to fix that situation. I think it just needs to be more of a focus that whether – where our priorities are going to be. Is it those who access more than minimum necessary rather than providing more access than might be necessary?
DR. PHILLIPS: Just as a follow up, I am concerned that the reaction from most of the small practices is just to say I do not have time to focus on this. I am now stuck because I have one policy that says I have to be discerning about how I share the information or looking at people who potentially are abusing that within my practice. But I have a meaningful use requirement or an ACI that says I have to be able to connect to other registries. They are stuck. Their temptation is which one of those pays me and therefore I give full access to my data to make that happen. But if someone says to them for every potential breach that this represents, there is $50,000 fine per. They may say the payment side of this is not sufficient. They are stuck between these two things that are driving what they do with their health data.
MR. GELLMAN: Welcome to Washington.
MR. GREENE: That was a fundamental issue with the HITECH Act was let’s encourage everyone to use health information technology and scare them into not using health information technology by exponentially expanding the penalties there.
We are putting the small practices and even frankly the sophisticated health care providers in untenable situations here. We have meaningful use. There is not much meaningful use guidance where it says you must connect to registries that says and keep in mind whether minimum necessary applies or let alone if minimum necessary applies how you are going to negotiate that. I think it is an afterthought at best in reality because, as you said, the incentives are focused on share this information, but we have concepts that have not caught up with that.
MS. GOSS: Technology really is only as good as our ability to have if-then statements and that has to be based upon good policy decision making and policy tends to be scalable based upon size and resource availability. My question is not about this, but – from a health information exchange perspective, I have spent the last eight years working on Pennsylvania’s architecture and policy framework. I am validated that our struggles are not just our own in this space and that there is a lot of you have to follow the laws. What laws and how do they apply? It is very challenging. I appreciate your question especially for the small organizations.
My question really is back to something Bob said earlier related to some of the exemptions and the federal law and the complexities that we see not just with having HIPAA privacy, but you then have the SAMHSA rules. You have the state stringent rules and that interplay. I am interested if you have any commentary as panelists on enabling a federal regulatory floor with states being more stringent and if there are some opportunities related to minimum necessary to help clean up the conundrum.
MR. GELLMAN: I think I am stumped on that. You have connected too many things to give an off the cuff answer. I recognize that. I think just sort of a general comment that to some extent – a general comment on the privacy rule. There are lots of details in the privacy rule. I have come to believe over the years that there are too many details. The security rule may be a better model. It says here are a bunch of things you have to think about. You have to do these. You have to think about the rest of them. Figure out what works for you. I am not sure that is not a better model for the privacy rule. As it is, we provided a lot of details. It does not answer everybody’s question. Every time you come up with more guidance or better rules you get more questions. You may do better giving people more discretion to make decisions. Maybe you need some kind of minimum necessary rule for the rule itself. I am not sure about that.
You have to give people discretion and you have to judge them on how they exercise that discretion and limit your enforcement in some way. It is not really a response to what you are doing. There are just a lot of parts in motion here. You cannot disengage all the parts because all the different policies are reasonable by themselves and they are reasonable together, but you do get in the middle of the circumstances, which have now come up a number of times, where you are torn in different directions by different reasonable policies. It is not always clear how you can get out of it. Washington cannot reconcile the policies and sometimes that is impossible. You have to find other ways to let people off the hook if they have done something reasonable even if it is not necessarily the best solution or the same one the other guy did.
MR. ROTHSTEIN: I want to address the very important question that you raised. I think that the minimum necessary standard is the best vehicle for improving the privacy rule. If we do not breathe life into the privacy rule, a good argument I think could be made that from a patient standpoint as well as a covered entity standpoint that we are better off without it. I say that for the following reason.
If you think back before the privacy rule went into effect, if I went to my primary care doc and he said Mark, I think I need to refer you to a cardiologist. I do not like what I am hearing. I would have had to sign what was called a release to send my records to a cardiologist and we would talk about maybe who that cardiologist was and what the credentials were of the cardiologist and perhaps if I had concerns, we could say what exactly are you sending this cardiologist because I have something in there and you know what it is. He might say we will just send your records from the last five years or ten years or whatever.
Today, what happens? Disclosure for treatment purposes requires no consent or authorization. In many cases before even consulting with the patient, the records are sent to a consultant and now there is no requirement that there be any limitation at all on what is sent because it is for treatment purposes and the minimum necessary standard does not apply.
What does the patient get from the privacy rule other than breach notification, access and a few other minor things? Patients pay a heavy price for this privacy rule. It is not comprehensive, as we all know. It does not apply to all people who have health information. It does not follow the information. It can easily get out of the system. There are no remedies available for individuals whose breach has cost them lots of things. It provides health care providers unfortunately, and we all know these stories, with an all-purpose excuse not to disclose anything that they think is a pain in the neck to do.
From a policy standpoint, it provides an illusion that we have a privacy law in the United States when we in fact do not have privacy legislation in the United States. It dissuades states from acting. It dissuades Congress current or future from acting because we have something in effect. From the covered entity standpoint, everybody knows what the costs and burdens are.
I think we need to be thinking very clearly. I do not want to sound – I guess I do want to sound apocalyptic. Is this worth it? The privacy rule arguably is the fossilized remains of a statute that largely does not matter anymore after the Affordable Care Act was enacted. That was a source of this add-in privacy protection to the extent it exists. Are we going to take privacy seriously? If we are, these are the kinds of things we need to do. In the current framework, I think we could do what I am proposing. If that is not in the cards, how valuable is what we have?
MS. GOSS: One of the things I do want to acknowledge is that 56 states and territories under HITECH were incentivized through federal funding to assess their privacy and security principles, not just around the privacy, but around eight guiding principles. We have through the Health Information Privacy and Security Collaborative under the Bush administration and then the HITECH HIE grants has provided a lot of narrowing down of the issues and the variances. I think that there is a much better framework now for us to leap frog forward. But I still think that there is so much variance across the states based upon politics, laws, et cetera that it unfortunately is a little bit murkier.
MR. GELLMAN: Could I make a short comment? I want to disagree in part with what Mark said. There are plenty of shortcomings in the privacy rule. If you have a week, I will tell you them all. I think the privacy rule made a substantial improvement over what came before. There was no universal right to access or correction. There were no privacy notices. They had plenty of shortcomings, but there was not anything. There was no privacy training. And the reality was when you went to see your doctor, you signed a blanket consent form that any and all of your information would be disclosed to anybody. There was no discussion with your doctor. It is no better now than it was then. The blanket consent form solved all problems. You could not see the doctor unless you signed the form. There are a lot of problems with the rule, but there were a lot of improvements as well.
DR. MAYS: One of the things I am concerned about is what we need to do in terms of patients. On the one side, patients think they are being protected. On the other side, they have the sense that all of the information in the world is just passed around and they do not have a sense of who this information goes to.
I am really trying to get a sense of what kind of guidance can we offer patients so that they understand it better. It is almost like what Alix is saying. You come in. And Mark said the same thing. It is really more of a legal form of what they have been given. I thought I was sophisticated enough.
I recently had an appointment and then I realized they did not have access to my records. I thought I had asked all the right questions. It is interesting. The ability to be able to either speak a certain language, know a certain regulation seems to be what is required and patients do not have that. What kinds of things can we recommend?
PARTICIPANT: With respect to minimum necessary.
DR. MAYS: Yes. In respect to minimum necessary. What can we recommend?
The best that you can do with respect to individuals in all contexts is first of all try and have some reasonable policies that are in place or required and secondly make information available to them when they care about it. Most of the time, most of the patients do not worry about getting access to their own records or whatever it is. They do not know what the limits are on disclosure. At that time when they care about it, they should be able to find the information and find a way to easily implement the rights that they have been given. I think that is the best you can do.
MS. KLOSS: We have five minutes left. I do have one question. If we could go to Walter.
DR. SUAREZ: I appreciate the opportunity to ask a question. It seems like in the spectrum of things we are either blocking information or disclosing too much. It seems like there is an interesting dynamic going around that. Maybe it is both. Maybe in some cases we are blocking and in some cases we are disclosing.
My question is this: what is, from your perspective and your experience, the experience of other industries handling this, like financial management, or even other countries? I was looking at the European Union and they have a lot of stronger privacy consumer-driven practices including minimum necessary that applies to personal information on health information. I do not know if you have any perspectives in the US of other industries like the financial sector has to deal with respect to minimum necessary, which I do not hear too much about in the financial sector as much as we deal with it in health care, and then maybe in other countries.
MR. GELLMAN: There are other privacy laws of variable quality and applicability. One that I think is important, but I do not think it will be helpful in this context is the Fair Credit Reporting Act, which says credit reports can only be used for permissible purposes defined in the law. That is in a statute. If you want to change the permissible purposes, you have to go to Congress. That is just too restrictive. We can define appropriate uses for credit reports and inappropriate ones. This is just the health care world is a movable feast. There are too many things going on here. There are too many players. There are too many objectives. There are conflicts here and we just have to recognize that. You are being pulled in different directions.
Other privacy laws either tend to be narrowly focused like the Fair Credit Reporting Act or in Europe where you have general laws. One of the things you get with the general law applicable to everybody is you do not have a circumstance where you give a record to a third party and it is no longer covered by privacy law because the general law applies to everybody. That is helpful in some regards. The fact that there is a general European privacy law and it has policies like minimum necessary does not mean that you get away from the problems that you are dealing with here. There is always a pull and push in different directions.
My advice when I deal with clients about what to do about privacy – the top line answer is you do the right thing, but figuring out what the right thing is not always easy and you have to keep an eye on what the legal standards are and what data subjects would want and what the costs and practicalities of the world are and what the technological limits are. You have to find the solution within all of those constraints and it is not easy.
MR. GREENE: I am not going to pretend to be an expert in other fields. I certainly have not heard minimum necessary discussed in other fields. Fair credit is a good example. We do not try to micro-manage. This is the specific part of the credit – you cannot disclose a full credit report. You have to try to micro-manage what part of the credit report you can disclose for a particular situation. We do not have concepts like that elsewhere. I think we tend to address it more through potentially limits on use. Yes, you get the full credit report potentially, but you cannot misuse it for one reason or another. I think that is potentially how this may be addressed.
I do not know that health care is truly unique, but it may be a bit unique in trying to micro-manage exactly how much information is disclosed in this manner.
MS. KLOSS: Thank you so much. We have heard just what I hope we heard. A range of perspectives and yet each of you brought some really practical recommendations to us.
And what you all agree on is that minimum necessary is an important concept in the law and at the same time one that is probably the most underdeveloped. We understood coming into this that this seemed like one area where we could just recommend some tweaks, but we also knew it was going to have many layers and complexities and especially as we learned at the de-identification hearing a couple of weeks ago. We are in a period where there is a collision between privacy and data. I particularly appreciated the idea of taking both a short-term and a long-term view and being pragmatic, but getting back to core principles and doing that in a way that really hopefully raises consciousness and begins to recommit to the importance of this.
I keep going back to the definition of what this is because I think that is where we are going to have to start if we are going to clarify what minimum necessary is and reintroduce this concept in a more practical way. I have a better understanding now of some of the weaknesses because even here we have talked about the minimum necessary burden being on the provider of the information, but yet the definition does make reference to the requester also. I think more and more this is a two-way street and we need to look at that.
I hope we will be able to call on all three of you for guidance as we go forward over the course of the summer to tease out important ways in which we can contribute and make this practical. We thank you very much.
A 15-minute break. We will reconvene at 10:45 with our Panel II.
Agenda Item: Panel II: Practical Implementation of HIPAA’s Minimum Necessary Standards – Approaches and Compliance
MS. KLOSS: At the break, someone asked the question, are we going to find out how it really works. That is what our next panel is about. We want to dive in now between now and 12:15 to practical implications of HIPAA’s minimum necessary standards, approaches for compliance. We have two terrific panelists to educate us on this. As I mentioned earlier, we also have written testimony from the American Hospital Association, which we will introduce into the record before we adjourn today. First up is Melissa Martin. Melissa is the current president of the American Health Information Management Association and she is also the associate vice president and chief privacy and enterprise information management officer at West Virginia University Hospitals. She is going to be able to speak to us on behalf of the HIM field generally and what was learned in a survey that AHIMA did of its members on this issue and compliance and really share her practical experience working in a complex organization on these issues day by day.
And then we are going to be represented by the American Health Insurance Plans representing the health plan perspective by Marilyn Luke. We are grateful to both of you. You have written testimony to both and I think Melissa is going to use some slides too. Take it away.
MS. MARTIN: Thank you very much. Thanks for inviting me to come and represent the American Health Information Management Association. Just briefly I wanted to let you know a little bit about AHIMA. We represent over 103,000 health information professionals that are credentialed within our association. We are a nonprofit association and we specialize in the collection, storage, analysis and use and disclosure of information. Privacy and security is a key part of our core function within health information management as well as information governance. We believe that privacy and security is the foundation for information governance.
From a regulatory perspective, as many and most of you are aware, covered entities and business associates are required to take action to make sure that we are releasing information on a limited basis for disclosures and requests of protected health information. We will talk about that from a practical sense in a couple of slides. And then there is also the challenge with covered entities and business associates to assure that they are limiting the amount of information within their workforce. We heard a little bit about that this morning with role-based access.
There are many challenges and confusion, most of which have been spoken to this morning, but just to give you some high-level understanding. We too believe that there is a lot of confusion around the definition for minimum necessary and it varies from organization to organization. We will talk a little bit about a survey that we did as well.
We believe there are interpretation loopholes in the process, which put health care organizations and others at risk to provide information and not meet the minimum necessary standards. And then we also heard earlier today a little bit about business associates and we will talk about that specifically. Within our profession, we often use outside vendors to perform the release of information function and they are challenged with which definition do they follow. Do they have a definition of their own in which they use or do they follow a definition of each individual organization or each individual entity? Obviously, we are here today to talk more about the needed guidance.
The other areas of confusion we also heard about this morning revolve around technology. I will share some specific examples from West Virginia University and the tools that we use in a future slide. But in general, we know and we have heard that many systems are unable to define specific segments of the record and provide that to requesters in an easy fashion.
Also, metadata can be challenging. We heard about research this morning as well and just the general patient access. Hopefully, we will be able to share some specific examples with you.
The other area of confusion we also heard about is around regulatory improvements and we are all striving. AHIMA has always been a long-term advocate of sharing data across the health care ecosystem to improve patient care. You can see some examples of some initiatives that are out there.
Let’s talk a little bit about the survey that we conducted. We surveyed some of our members and some of our practice councils. I believe that some of these statistics are very telling that more than half of those that were surveyed did not have policies and procedures implemented on minimum necessary. Also, that more than half of those that used outsourced vendors did not know what criteria the release of information company was actually using to determine what was the minimum necessary. We believe these are significant risks.
Thirty-eight percent did not know if they had a policy at this point in time and 27 percent had adopted a definition. I will share with you a little bit about the definition that we have adopted at WVU and I think that many will agree that even though we state that we have a definition, it is extremely general and mostly reflective of the exact regulations.
Fourteen percent do not have a policy and knew that they did not have a policy. Twenty-one percent are actually working on a policy. Some of the specific graphs were provided in the written testimony. If you have further questions, we can address those later.
Now I want to talk a little bit about where I am employed, which is West Virginia University Medicine. We are a large academic teaching facility. We are a part of a health system. Most of the information that I will share with you today is specifically about the academic facility in which I work although I will reflect a little bit on some of those partners that we have as part of our health system.
I want to talk with you a little bit about disclosure of protected health information. We will talk about the growth of the request, which I think is a significant and very telling item for this particular committee to hear about. And then of course technology challenges and some things that we have been able to do as well.
Also, we struggle at the state level. We heard that with some of the other speakers talking about different regulations at state levels and then some opportunities that we are exploring because again AHIMA is very much interested in moving forward with providing information for our patients in a timely fashion.
WVU has chosen to not specifically define the minimum necessary. We have rather adopted the HHS minimum necessary requirement. I believe we all probably know what that statement is, but we do take reasonable steps to limit routine and non-routine uses and disclosures to the minimum necessary.
We often make the statement when we are educating our staff that access to PHI should be based on the minimum necessary for the employee to adequately perform their duties. We look at minimum necessary in two categories and I think we heard this earlier as well. The first category of course is how we allow our staff within our organization to access that information, i.e., role-based access. And then the second is how we provide that information to third-party requesters. And that I believe is the most challenging aspect of this.
Role-based access if we can step back to that for a moment is a very complex process, especially in an academic setting. I do not want to minimize how that is set up in a community hospital or a smaller critical access hospital, but it is very complex in academia because there is always a potential teaching moment. Although we have made the decision that our physicians and some specific clinicians have full access to all records, we do have some allied health care professionals that fall into different roles and they might be participating in some sort of study or some type of interaction with the patient that then requires them to have access to that.
I would like to talk just a little bit about that because that puts the facility in a situation or a position where we are constantly dealing with exceptions to the rule or exceptions to the role. That is a pretty laborious process within the organization.
Physicians sometimes become confused and we did have much discussion this morning about the IRB process, but they have become very confused about the difference between a research study that is actually approved via IRB and what is actually a teaching moment or a presentation for grand rounds or a variety of other things that they may or may not do.
The greatest area of concern as I mentioned earlier is the reference to releasing information to third-party requesters. I want to talk a little bit about the volume of those requests. At WVU Medicine at our academic facility in Morgantown, West Virginia, we process over 85,000 requests annually. The size of the records has grown exponentially with the advent of the electronic medical record. There is much data captured and much data used and much data that is requested. We process requests that could range from one to two pages of paper for someone on a particular day to thousands of pages of which we provide to those requesters. Often, we meet the challenge of a request that says any and all records.
I understand that we are not necessarily required to review every one of those records and assure that we are not providing something that should not be there. In order to protect our patients and do the right thing from a health perspective, we do review those. There is someone who is handling each of those requests to assure that all the right information is given and also the information that is not requested is not given.
From a technology perspective, I believe that at WVU Medicine, we are at a bit of an advantage. We do have a very progressive electronic medical record that does have some tools within it that help us to identify where sensitive information is in the records. In some cases, it can help us find the location. In some cases, it can actually hone in directly to where it is in that record. However, there are many cases where it cannot. Therefore, there is a need for someone to do a review of those records.
This is a very time consuming process and we spend many hours every day contacting requesters to ask them to clarify their request. Each and every day we have requests that range from any and all records, to entire record, to the first year, the last year. It is any variety of requests that come through.
This will probably always be our extremely challenging area. I do understand that we are not necessarily here to talk about cost and charging for release of records, but I must at least recognize that the minimum necessary clarification is often lacking and that is what puts requesters in a position to ask for any and all. That is what actually drives the cost up from the release of information perspective.
I recognize this is an unintended consequence. I know that from state to state things are slightly different. I can speak specifically from West Virginia’s perspective. We have had numerous class action suits over the course of the past 12 years in this particular area. Again, I recognize we are not here to talk about cost of that specifically and how we are charging. But I would argue that not having a clarified definition for minimum necessary promotes the idea that folks ask for the entire record plus driving up the cost in general.
Now we also strive to provide more information to our patients at WVU Medicine and we do this through portals and open notes and a variety of different means through email, posting the information, wherever they request that we provide it especially in a patient situation.
However, I do think that our biggest burden is the third-party requester perspective. We seem to be working through things like role-based access and we seem to be working through things like research although still very challenging. But we do not seem to be making as much progress in this third-party requester world. Those requests that come in asking for any and all records are extremely burdensome and challenging. That would be my perspective from WVU Medicine.
Now, what I would like to do is provide you with some recommendations. In your written testimony, there is significant detail attached to that as well. These recommendations were developed through the survey with our members and our practice councils. And some of the areas that we would recommend would be of course the clear definition with objective criteria in which stakeholders could meet the minimum necessary standard.
An updated definition of the minimum necessary could include differing levels of minimum necessary. We heard that earlier today. For example, the minimum necessary standard for research might include gender and age versus location and name.
We also would suggest that we need to keep in focus the role of metadata and have some clarification from that perspective as this is a growing area within the industry.
And then recognizing of course as was suggested at previous panels, the technology capabilities as well as limitations. I spoke to you specifically about our academic facility in Morgantown, which is the largest facility within our health system. We have seven other hospitals within our health system that range from critical access to community hospitals. The struggles that we experience in some cases are similar at a smaller level, but then sometimes whenever you are working mergers and acquisitions, you find out that it is not a problem at all because they fall into the category of not having a definition and not having policies and procedures.
We, of course, want to always focus on the needs of our patients as well as the stewards. We consider ourselves in the health information management profession a steward of providing the information and we believe that it is important that we clarify those roles and the responsibilities as well.
And of course standardization for the implementation is key. As always and as we have seen in other regulatory clarifications, we would request that we have adequate educational materials provided to the consumers. We heard this discussion earlier this morning specific to the consumer, things like fact sheets and frequently asked questions are typically received very well across the industry.
I thank you for your time and we will be willing to take questions at the end of the panel.
MS. LUKE: I appreciate the opportunity to speak today on behalf of America’s Health Insurance Plans. Our organization represents the majority of health insurers across the country that provide products both in the medical arena as well as supplemental benefits through all of the products that you would expect: employer-sponsored coverage, the individual insurance market, and public programs like Medicare and Medicaid. One of the main things that we advocate for is the ability to expand access to affordable health coverage across all Americans through a competitive marketplace.
I thought it would be helpful to share a little bit about my background because I have been dealing with HIPAA since I graduated from law school and it was still the Kennedy-Kassebaum Act. I can tell you that in my work through the years and particularly at America’s Health Insurance Plans, I have been the privacy person who has worked with key privacy officers across the nation in a variety of health insurance plan settings whether it is a smaller organization, a national plan, or a company that operates perhaps in just a regional level. They can offer a variety of products within that portfolio.
I am so pleased to be here today because I have been monitoring along with a number of my team at AHIP all of the NCVHS activity since the first day that I started with the organization. I am really happy to see Janine and Walter and Mark and Susie and Mike and so many others. I really feel at home today and I am really happy that you asked me to share our perspectives.
I did submit copies of our written testimony, which is fairly detailed. I will refer to it in terms of some examples. I will not go into detail about all of the information we have provided about the minimum necessary rule and what that means. The Office for Civil Rights is an excellent resource. They have done a great job in providing that kind of information on the website. I do encourage folks to go to the website and look for that if they have any additional need for follow-up information.
Also, as we prepared for today’s event, I was not able to do any sort of statistically valid survey or sampling of the membership. But we did receive a lot of anecdotes that I think would be helpful and can help inform the topic.
Overall when I talk with the health insurance plans, the general consensus was that minimum necessary among our membership is working well and there is no need for significant regulatory changes. I cannot reinforce enough the commitment that health insurance plans have made to implementing HIPAA all of the various components and the privacy and security requirements particularly.
We have worked with the membership from the time that the statute came about. We supported it and we are actively involved in all of the regulatory developments. We fully support all of the privacy protections because we understand the need and the importance of benefiting the consumers particularly with regard to their health information. They are customers we serve and that really is the forefront of why we do what we do and why so many folks are committed to really taking this to heart and trying in good faith to comply with the requirements.
In terms of minimum necessary provisions, I think it is important to understand that while health insurance plans have implemented a lot of policies and procedures around this, oftentimes minimum necessary is incorporated into a policy, but it also helps comply with some other aspect of the HIPAA rules, be it security or privacy.
I just wanted to point out a couple of examples. There are more detailed examples in the written statement. For example, privacy officers have implemented checklists, which really help them to ensure on a consistent basis when they get a third-party request for information that it is properly verified, that there is thought and analysis about the minimum necessary rule. And before the information is sent to a third party, these activities take place, for example, if they are getting a request from an attorney who is representing an individual perhaps in a civil suit because of a personal injury situation.
We heard a lot about role-based access. That is true within the health insurance plan environment.
I also want to highlight another example that has to do with some companies who have established an actual committee. When there are questions raised or the situations that need to be evaluated, there is a team of trained professionals who take that very seriously and who evaluate those kinds of requests. It really helps to ensure that there is an objective process and that there is proper vetting before information is released.
I cannot tell you how many resources and times the health insurance plans do corporate-wide training. Many of them were very complimentary of their claims processors and they felt that in terms of the employees that they hire, the employees particularly in that area are highly skilled. They are very knowledgeable and they do take it to heart to protect the privacy of health information.
Now on an ongoing basis from a compliance perspective, each health insurance plan will implement different procedures. They certainly do quality assurance reviews. They may do internal audits or they might have department checks and retraining depending upon the organization’s needs and how they are structured.
I think it is important to note and it goes to a question that was raised earlier, the health insurance plans have not heard a lot of concerns from consumers about an ability to get access to their health information because of the minimum necessary requirements. While I have stated that I think health insurance plans feel that things are well and there is no need for regulatory changes, clearly the fact that we are having the hearing today and the fact that this is within the Office for Civil Rights’ top five issues of compliance concerns that comes up when they either do an investigation or receive a complaint, we really want to be able to respond to that request or that set of data. If that is existing, we would like to get more information.
In the written testimony, we have actually laid out some things that we think OCR could improve to really make transparent what types of compliance violations or concerns they are seeing particularly within the covered entity and business associate contexts.
We do know that they have a wealth of information about all of the corrective action plans and settlement agreements on their website. But in reviewing those, we do not have a lot of detail particularly to minimum necessary so if it is within the top five. What we would like to know is specifically what have covered entities done to be noncompliant. How was that evidenced? Has OCR implemented or recommended changes to workflows and if so, what are they? We would like this information and we do not really think it is appropriate or want any sort of proprietary or individually identifiable data. But we think that overall we can get some more information to better improve our compliance processes and procedures.
Particularly in terms of minimum necessary, one of the questions that we had over and over was we think that there may have been over disclosure, but perhaps OCR feels there was not enough disclosure. If they have evidenced that, we would like to hear about it.
I want to spend the rest of the time for the segment today talking about seven recommendations that we have indicated and the rationale and additional detail is indicated in an appendix, which we have written materials and which I know will be posted on the NCVHS website as soon as they can do that.
First of all, one of our key recommendations is that we need to maintain the flexibility that was built into the minimum necessary provision. I feel like every time the committee meets and health insurance plans testify, we are always talking about changes that are ongoing. This is just a continual process and we are accustomed to dealing with it, but we have had ICD-10 implementation. There are a number of mergers and acquisitions that are taking place. The Affordable Care Act has implemented a number of requirements that plans have implemented. In the Medicare Advantage space particularly, there were some recent regulations that addressed the Medicare Access and CHIP Reauthorization Act of 2015 to really change how Medicare incorporates quality measurements into physician payments and how they are going to provide incentives for participants who are eligible.
All of these changes, the new delivery systems that we are starting to see at accountable care organizations, they were not in effect at the time that HIPAA was enacted and the regulations were promulgated. We do want the regulations to be able to have that flexibility so that as these changes are becoming evident and taking place within the markets, the health insurance plans and covered entities are able to adopt the minimum necessary provisions based on their own environments.
The second recommendation that we have is what I am hearing as a consistent theme today. That has to do with the secondary and downstream uses of protected health information. This was a major concern of the privacy officers when we asked them for input in preparing for today’s event.
The conclusion was that if one entity is taking great steps and spending a significant amount of resources to protect the privacy and security of consumers’ health information, but then that information gets released to another entity that is not within that stringent framework, it is really the consumer’s data that is going to become vulnerable, and in many cases the entity that is making the disclosure is not always aware of what that subsequent or secondary entity is doing with that information. We have two examples that I want to highlight today.
I know tomorrow you will be talking a lot about the All Payer Claims Databases and I encourage you to explore this more in that session. We do have a representative from our organization who will be testifying. But as we were preparing for today, it was evident we did find research that some of the states who require health insurance plans to report this information because of laws and regulations and they are bound to report it. They are then selling the data. We heard that we really need more transparency about what that sale involves, what they are disclosing, what they are charging. I encourage you to think about that in your events tomorrow.
We also heard about some of the state based and other exchanges that are compiling and amassing huge amounts of consumer data. They use entities that we refer to in our testimony as data aggregators. Again, we would like more transparency and specifics about what exactly these data aggregators are doing.
Oftentimes when you get involved with these subsequent and secondary entities, there are certainly contractual relationships that exist. But we think that there can be more oversight and perhaps enforcement in terms of reviewing of those arrangements and contracts and relationships.
The third thing I want to touch on has to do with the Federal Part 2 Confidentiality Regulations. We did have some regulatory activity earlier this year when the Substance Abuse and Mental Health Services Administration, commonly referred to as SAMHSA, proposed some regulations to try to modernize the Part 2 confidentiality rules.
We recognize and support SAMHSA’s efforts, but we do know that they are limited by statute in terms of how far they can go. We have very detailed recommendations that we made to SAMHSA. We have restated them in our written testimony. But overall, we think that there needs to be some statutory change to the governing statute for the SAMHSA Part 2 disclosures and then of course promulgation of additional regulations.
What we think is that consumers need more education about sharing their information so that they do not unintentionally compromise their own privacy. They should be at least aware of the risks so that they can be informed. If they still want to do it and have common sense and decide to disclose, they are aware of the proper handling and the risks that lie in that.
The fifth point I would like to make has to do with cybersecurity. I and many others within my organization are participating in a variety of forums. I participate with the Department of Homeland Security. We have others who are working at the state levels with the National Association of Insurance Commissioners and various other federal and state agencies and bodies who are delving into cybersecurity attacks and trends.
When folks think about cybersecurity, they often differentiate that from HIPAA privacy and security because it really applies to all entities, even federal and state agencies whether you are a public or private entity. This is really something that is a national security concern.
But in the HIPAA context, we recommend that the committee consider cybersecurity for HIPAA-covered entities and business associates particularly for minimum necessary because they are very astute and prepared to deal with data breaches, but not all cyber events result in a data breach. If something happens in the future, there are going to be a number of entities or agencies that might want to be involved and come in and review information or partner with the entity or perhaps review several entities within a region or across the nation. We think that the laws and regulations are not always going to be anticipating and clear about what to do in a cybersecurity situation, who to disclose it to and when and sort of who is on first.
We encourage additional thought about cybersecurity situations, the investigations that are and might occur and how the minimum necessary provisions could be or should be analyzed in those types of situations. Hopefully, OCR will give some thought to that and the committee as well.
We commend the committee for doing so much work on the electronic claims attachment standards. I know yesterday you approved a letter. I want to say that we support your recommendations that you made for minimum necessary, but we do think that there is more work to be done in this area.
The claims attachment standard is unlike any of the other HIPAA electronic transactions, which really set forth data fields that are either mandatory or optional. Claims attachments and the types of information that might be needed to support or justify an individual situation are going to be based on the facts and circumstances of a person’s medical condition. I think it is going to be very difficult in terms of claims attachments when we talk about minimum necessary to set forth some stringent or maybe even clear guidelines. Again, we are going to need flexibility, but we encourage additional dialogue.
We think that the standard setting organizations should again be consulting about this. The operating rule authors and all of the other affected stakeholders who use the electronic transactions and the business operations.
Finally, I think it would be helpful if OCR could expand on the guidance that they already have implemented that explain the firewalls between group health plans and employers. Employers do try in good faith to implement the privacy and security protections when they offer a health insurance plan. But as I have mentioned earlier, we have seen a lot of changes in terms of plan offerings, benefit designs and the ways that consumers are now purchasing health insurance products. We think that OCR could do more in this area. We think that there could be additional clarification about the types of information that can be legitimately disclosed to employers, for example, summary information if they are putting the health – policy out for bid and such.
There can also be legitimate business functions, particularly if someone is working in an integrated delivery system and they have health care providers and other individuals on the workforce who may need to have tests, such as those required for public health like tuberculosis or other things, before that person is allowed to enter the workforce and perform their jobs. We think that there has been some uncertainty in this area and we would encourage additional guidance and clarification on that.
We appreciate the opportunity to provide these perspectives. I know that that is a lot of information to digest. Again, I encourage everyone to review the detailed statement that we have prepared. It has a lot more citations and rationale and analysis, but those are the high-level points that I wanted to share with you today. I thank you all for this opportunity.
MS. KLOSS: We thank both of you for the preparation that you have put into your testimony and for delivering it so effectively. We are open for questions. Walter, are you going to lead us off?
DR. SUAREZ: Thank you so much for the testimony. I think this is really a critical part because I think we are getting down to how do we practically find ways to improve the implementation. At the end of the day the way I see it is really we have the policy. There is interpretation of policy issues. We can clarify them. But it is when it comes to the execution of the policies that we begin to get some of the challenges.
You mentioned standardization and implementation of the minimum necessary. What I was thinking was – and the recommendation that you provided us. We can work and assist and advise OCR on standardizing or clarifying the policy, the interpretation. But I was trying to think of ways in which standardization of the actual implementation could happen and get some guidance. I do not know if you have any thoughts or maybe through the AHIMA membership there could be some. And maybe the same question for – if there is something that can be done on the health plan side.
As it was mentioned earlier, minimum necessary is one of the only places where there is a responsibility not just for the discloser of the data or the user of the data, but also for the requester of information. It covers the two ends of the exchange.
I was trying to see what would you think about whether there would be benefit in defining scenarios where minimum necessary comes to play and then needs to be executed. My question is really what could be some of the more practical standardization of the implementation side.
And then my second question is a totally different topic, but it is very critical. It is a question I asked before, which is the relationship between minimum necessary and breach and the extent to which you see that as a concern, as a challenge, and any experience that you might have heard or seen within the industry about the implications of being exposed to a potential breach by virtue of disclosing more than the minimum necessary.
MS. MARTIN: I will go ahead and start then. I completely agree with the idea of scenarios as part of implementing the standardization. That is exactly what occurs in the industry now. I am sure the checklists that we heard about are out there and we have all determined how we provide the minimum necessary to attorneys versus payers versus other requesters. I think that the industry and AHIMA would be more than happy to provide examples. We can have our practice council address those specifically and potentially even survey the membership to see what we have out there.
Specifically from West Virginia University, we have exactly that. We have checklists. We have identified scenarios that we use with our staff to help them better understand how to handle those particular situations.
And then to your second question with minimum necessary versus a breach. I have seen cases where we have released information to someone based on a request and the patient would then come back to the health care provider and question why we provided certain pieces and parts of that information. And often times it is because it is an any and all request. It really does not rise to the occasion of a breach at that point. Let’s just say we have a patient or a customer who is not happy with the fact that that information went to that level. We do see cases.
As part of my role with WVU, we have an audit group, an audit committee. And the privacy and security audit team is responsible for reviewing any of those phone calls that come in and the requests and having discussion and determining next steps.
MS. LUKE: Walter, I think what you have asked about standardization is a very interesting concept. What I would like to do is give that some additional thought. We are not opposed to it, but I think it would be very – we would have to give it more thought because we really want flexibility based on each individual organization. If we were to standardize compliance guidance or put out some sort of information that really limited that flexibility, I do not know that that would be the best thing for the consumer.
The point I would like to make is that it is the individual entity that bears the responsibility in terms of penalties and compliance and corrective action plans if OCR or the states' attorneys general offices determine that there had been a violation. They are the ones that ultimately do the analysis and make the decision about what to release or use within their business operations. From my perspective, I think that that good faith compliance and the flexibility about minimum necessary are going to be unique to each individual company.
I would also be concerned about potential anti-trust issues if we were to standardize things to a point and require companies to share information that might somehow give insight into their internal compliance plans of operations. Again, I am not opposed to it. I am just thinking off the top of my head about some of the additional analysis that we have to think about.
With respect to breach, the health insurance plans I would say have two primary vehicles for identifying if, on minimum necessary, an employee or other member of the workforce felt there was a breach, and that would be either their compliance hotline or their data breach reporting process. Now, I can tell you that when I talked with the privacy officers in preparing for today, that did not come up. I do think that in terms of the Office for Civil Rights, if there was more information about what they are seeing in terms of their compliance activities and reviews – perhaps it is minimum necessary that is resulting in a breach – I think it is better for the agency to give us some more information about that. I have not heard that that has been an issue. I think if it does arise within the health insurance plan environment, it is being addressed through one or more of those channels.
MS. KLOSS: Can I just tack on one clarification, Marilyn, and then we will go to you, Barbara? You did seem to suggest that one of the areas where some policy clarification or standardization might be helpful is with regard to how the new claims attachment is interpreted. Am I correct in making that link?
MS. LUKE: You are correct. I do not know that I would say standardization. All of the transactions have standard data elements, but that is the challenge with the claims attachment. It is hard to standardize what is going to be needed based on that individual's medical situation. We are certainly open to additional conversations about that, doing additional research and thought. I just do not know that standardization —
MS. KLOSS: I will not use that word, but it is an area where some perhaps early clarification could be helpful as that new rule gets rolled out.
DR. SUAREZ: Maybe helpful – the way the attachment standard works really, as opposed to how the claim itself works, where the claim has an implementation guide that defines the data elements required. You must send it every time you send a claim. Then there are some situational elements where the situation specifies that you need this data element. The attachment standard is a bucket that contains all sorts of possible content: clinical data level content, medical notes, surgical notes, lab results, images, all sorts of possible clinical content. It comes to the decision of the entity requesting it which parts are needed for which instances.
MS. KLOSS: It is the same as the standard request for information except that it is attached.
DR. SUAREZ: The standard itself is an open bucket for – generally speaking. There are some specific elements required on every attachment, but mostly elements related to identification and information. But really the attachment is a vehicle to send different types of clinical data from the electronic health record based on different needs for processing a transaction. I think that type of flexibility was needed in the standard to allow the vehicle to transfer electronically the message.
MS. LUKE: Could I add just one point? When the transactions were first proposed, I always thought of them sort of like a recipe. You had a transaction and you had certain things that you had to include, certain things that you could include. From a technology and technical perspective, you certainly had the implementation guides and there were some additional information. But it is easier than the claims attachment standard. What we saw with the Affordable Care Act was the development and adoption of a lot of operating rules. I think the business partners are going to be the entities that really are going to have to deal with those transactions. I think the standard setting organizations, but probably the operating rule author is going to be the best entity to give us some additional help on that.
DR. EVANS: Thank you. I really enjoyed both of your presentations. I am sure the checklist or methods that you systematically go through were informed by the standards and implementation specs in 164.514. Something I would love any insight you could give to us, and it can be just general insights if you do not want to talk about a specific organization, is who makes that decision of whether it is reasonable to rely on a requesting party's representation that what they are asking for is the minimum necessary. What process goes through? Who does this? Who makes these decisions? What checks are in there? Ultimately, in HIPAA, the covered entity that is making a disclosure is permitted to, but not required to make disclosures in an age when flows of data are so critical to the learning health care system in public health. What is the protection against discretion that would limit flows unnecessarily? There is very little chance of minimum necessary resulting in a breach if your reliance was reasonable. How does all this get sorted out? I realize that that is such an open-ended question. If you could just take some piece of it and speak to it.
MS. MARTIN: I can speak to this specifically from the health information management professional. In most health care facilities whether it is a physician practice plan or a hospital, there is someone who is getting those requests from the third party payers. In our facility, we call them HIM specialists. They function as release of information officers or practitioners. They are the ones that are receiving their requests on an ongoing basis.
One of the things that we work very hard on in our organization is centralizing the request from third parties. We prefer for those things to come through one particular department where the expertise lies rather than it being released from every clinician throughout the health care facility.
We do work very hard to train all of our employees within the facility about minimum necessary, but the experience that you gain working with it every day is really important.
As I mentioned in my presentation, there are lots of phone calls that go back and forth to parties who have requested information to try to validate what their request really is. Those staff are typically trained via their manager and via either computer-based learning or direct one-on-one training. For critical areas like health information management, who have access to all of the PHI to perform their duty, especially a release specialist, they would receive several hours of training. In our particular facility, privacy is a part of the enterprise information management division, which encompasses health information management. I think that makes it a little bit easier. In other organizations, it may not be. I am not sure if the training would be exactly the same.
MS. LUKE: Barbara, I am always impressed by people who can remember the exact section number of regulations. I never can. My hat is off to you on that one.
I think what you have asked is a very big question. The guidance that has been issued to date talks about routine disclosures and things that can be standardized and those that are considered more non-routine. I think it is very challenging particularly in the electronic environment as opposed to perhaps the historic paper systems when making the minimum necessary determination. We have always supported the reasonable reliance concept because then that allows the covered entity to rely on the person making the request. But as you correctly pointed out, that does not mean the entity is compelled to disclose what the other party wants. That can certainly be very difficult.
The example that I can think of where that has come up has to do with perhaps state requests for data and data feeds that they feel they are required by law to receive, which perhaps the covered entity feels it cannot disclose, perhaps for reasons that are not HIPAA specific. It could be because of Part 2 regulations. It could be because of specific state rules about substance abuse or mental health information. I know there are some tension points there and there are ongoing dialogues that happen between the requester and the covered entity or the business associate.
It is a big question. I hope I have answered it. But I do think it is an excellent point in terms of our thoughts for this hearing.
DR. EVANS: May I ask one quick follow up? When a request is declined for whatever reason on the basis that the analysts of the covered entity feel like it is more than the minimum necessary, is there any process that the requester can go through to appeal that, or is that decision final when it is made? What happens during a denial of data access on simple minimum necessary terms?
MS. MARTIN: Typically, if there is a case where we are concerned about the level of information that is requested, that is when those follow-up phone calls begin. There is a bit of a negotiation in that process, I would say. Oftentimes they are able to resolve it through the release of information staff area or their manager, but sometimes those requests are elevated to the privacy officer or even the privacy committee. It depends on the level of the request.
When you are getting a request that seems to be research oriented, but possibly not research oriented, is it really connected to billing? Those things will tend to get funneled up to the privacy officer and the audit staff to evaluate it and to determine whether we should release it. There is a process for that.
MS. LUKE: I agree with that and I think that the process that has been described is probably accurate for most organizations. I guess in terms of the legal system, if someone did not get the information that they felt they were entitled to, there could be legal action, although I do not have any specific case or scenario to point to. If you would like, we can certainly go back and see if we have additional information on that point. But I would expect that if the dispute really could not be resolved, that is probably how it would end up progressing.
MS. GOSS: Can I ask a follow up specific to that? How do you see accounting of disclosure forthcoming – fitting into her question?
MS. LUKE: In terms of the accounting for disclosure requirements, we have had very few requests from consumers for that. We think that consumers may start to request the accounting for disclosure, but to date it has been very small. If there is a dispute – let's say that someone – I guess your question is someone requested an accounting and does not feel it is complete enough.
MS. GOSS: It is more about is there an aspect related to what we have been waiting for clarification on that related to this kind of perspective. Do we need guidance? Is there another opportunity or recommendation related to accounting of disclosures with people’s rights? I think it is a larger part of the educational issue. I realized I jumped in. Back to you, Linda.
MS. LUKE: I guess the point that I would add and certainly ask for your perspective on this is in terms of minimum necessary, if it is the individual requesting their own information, the minimum necessary rule would not apply to that. I guess I am not really seeing a problem with the accounting for disclosures. I do not know if you have a different perspective on that.
MS. MARTIN: From our perspective, accounting of disclosure – sometimes you will have patients that will request because they believe that you have released more than the minimum necessary. But what we find most frequently is they are really concerned about a particular person or persons and often it does not become an accounting of disclosure. It becomes more of a privacy investigation.
DR. RIPPEN: Again, I appreciate the remarks and the insights. I guess I have a question in the world that we are living right now and what it might bode for the future as it relates to – if you think about the health care system and the clinicians, there are clinical guidelines. If you think about it from a national level, we are telling all practitioners what the best practice is to actually implement things and also to report quality and metrics around them.
If you think about then the question of information to make a decision about a claim, it is usually around a diagnosis. It is around really a procedure, which then is actually tied then hopefully to the guidelines that a clinician has and an EHR might have to support decision support. And that might also be then tied to the consumer being able to understand what is covered or not. Let’s say a broken leg. There are standards. I need a crutch. I need a cast. Probably an ED visit. X-rays. That kind of thing. You can tie all those pieces together in a standardized way potentially that actually allows for transparency all the way through. You may have an insurance that may not cover the crutches, but might cover other things. But again, a standardized way of providing information for the consumer is then consistent all the way through.
Again, it is kind of something building on what Walter said as far as is there a standardized way to think about some of these buckets and that it would not be an answer for everything. Again, I think it has less to do with anti-trust and negotiation, but rather what is a minimum necessary around certain things that make sense so that you do not have to figure out what you should do. We have these technologies. I am not saying now, which is why I said future. They could actually send in the request. Here is the information that you would need to know for a broken leg.
What are your thoughts about using some model like that for at least a certain component to maybe guide minimum necessary?
MS. MARTIN: The use of clinical guidelines to specific clinical categories. I suppose that could work in some cases. Maybe in the case that you described. I think it would be very complex. Possibly a service line approach. I think it would be pretty complicated.
DR. RIPPEN: It is just an interesting concept because we say all these things are complicated, but then we define them so specifically in one sector. It is an interesting thing.
MS. LUKE: If I could respond to that. I have two thoughts about it. One is we do provide a lot of information for consumers about their benefits and coverage and who is covered. There have been a lot of innovations made in terms of providing that through a website that the health insurance plan sponsored where you can actually go online and see what the benefits are.
I am intrigued by your question because I think a lot of that might implicate ICD-10 and how that implementation progresses. I do not know that there would be a consistent way to address every potential medical situation particularly since ICD-10 has now expanded the use of the codes in that context. But I would mention that should someone not receive coverage for something they felt was a benefit, there is an appeal process for that. And through that process, the individual and/or their provider whoever is part of that activity, the appeal or the grievance, would get the basis for the denial and an explanation of the guideline that was used. I guess to your point, they would get it if the benefit was not paid or if the service was denied.
DR. RIPPEN: I know that if I am going to say for a broken leg, I know what is covered or not if I am an insurance company. There is consistent data that would revolve around it. There are nuances. If I had osteoporosis, were there any secondary conditions? That kind of thing.
I am just trying to figure out how to – if we already have clinical decision support, there is already an infrastructure potentially to leverage as it relates to information to be shared or not to be shared that might actually encompass minimum necessary. Again, I am just asking because everything is complicated. We know that, but we are addressing it at least from the clinical perspective. I guess I am just postulating.
MS. LUKE: I am someone who likes to get into the weeds on a lot of these issues. I am certainly happy to keep thinking about that and finding a solution. I like to really come up with some practical implementation strategies if we could.
DR. RIPPEN: And then that is standardized in theory.
MS. LUKE: I think what probably happens today and any of the committee members can correct me if I am wrong is that it is done on the back end in terms of looking at the providers and utilization and effectiveness and particularly in accountable care organizations, I think we will start to see a lot of that.
MS. BURKE-BEBEE: I have two questions. The first one is about a definition for minimum necessary. Melissa, when you were talking to us, I think you were referring to this. It might be in your testimony. What I was wondering is do we need one definition that is solid and standard with some variance when it comes to a clinician versus third party versus a researcher or do we need separate definitions.
MS. MARTIN: That is a great question. Again, we look at it specifically in two categories: how we handle it within the organization and how we handle it outside of the organization. My first recommendation might be that you have something that pertains to requesters outside the organization versus how you manage minimum necessary within the organization. I know it is a little bit vague, but clear objective criteria possibly quantified with scenarios of some sort I think would be very helpful.
PARTICIPANT: We have had that concept in standards in general whether it is done internally the same as external. That is a common concept.
PARTICIPANT: From our vantage point, that is how we look at it in the health care setting. They are managed from two different perspectives, maybe from the same area, but managed from two different perspectives.
MS. LUKE: Susie, I think my concern is if we had multiple variations of the same term that actually might cause more confusion and a variety of interpretations. If you ask me for my recommendation today, I would stick with one definition and keep the flexibility for each covered entity to apply as they see fit.
MS. BURKE-BEBEE: My second question is about where the rubber hits the road. We heard this morning from the legal side about sequestration or segmentation. What I would like to know if you have any experience in unintended consequences. As a clinician myself, knowing about trying to take a history and physical from a patient and 45 minutes I have to do that and 25 minutes of that is spent on medications and if in fact there is some part of that information that I am trying to glean that is segmented, I do not know what I do not know. There can be real bad consequences from that. Do you have any experience in that?
MS. LUKE: Because you are talking in the clinical setting, our members would be affected if they were working within an integrated delivery system or an accountable care organization or perhaps something like that. We have discussed segmentation of electronic records in the past. Our view has been although things keep changing and new technology emerges, but our view has been we think that there could be perhaps medical outcomes and people might be placed at risk if a provider is making decisions without having the complete record. It is almost like you are making a decision based on half of the information that you really need as a health care practitioner. Like I said, unless the health insurance plan had one of those integrated delivery systems or an integrated network with providers, it is probably more in the clinical setting.
MS. MARTIN: From the hospital perspective or the health care perspective, I would say that segmentation from the clinical providers is not something that we necessarily advocate for. In my particular organization, we do not separate information from health care providers, meaning the physicians and other clinical staff that are outlined in the role-based access policy.
I can see where segmentation could work in other areas within the hospital. Certain departments who only need access to certain things. Also some of the more sophisticated electronic health records have some means to do that based on the third-party requesters. I think if we had those outlined scenarios which we should understand that even though we do not have them in the standards and regulations, we have them within our organizations. And then we identify what is the standard amount of information or the type of information that we provide to that particular requester. We build reports to make sure that when it is released that they only get that. Within that, we do not always have the ability to take out or identify easily that sensitive information or other things that should not go. Someone does still have to review that.
I guess the best example would be certain insurances or certain attorneys. We know what they ask for and we have an agreed upon standard that they request so therefore they get that each time they request. If they want something above and beyond that then they let us know and we alter that.
MS. BURKE-BEBEE: Just to follow up, I think this morning, I think it was Mark Rothstein that made mention or answered a question about how segmentation would be decided upon and who has the ultimate responsibility and can make the final decision. I believe if I interpreted it right, it was the provider versus the consumer. When you talk about segmentation, as you just did, it sounded like it was from a hospital perspective as opposed to a patient requesting certain segmentations and the provider overriding that in a practical sense.
MS. MARTIN: There are multiple forms of requesters. Much of the third-party requesters that we speak to are going to be attorneys, insurance companies, research companies, things of that nature. That is managed a little more in a controlled fashion through the health information management and the privacy group. The physicians for their purposes – what they give to their patients when they are treating the patients, they may sequester certain things at that point. They do have the ability to give information to the patients if they choose to do that. I think it has to be outlined by the individual requester. That is why I appreciate the idea of scenarios.
MS. LUKE: Susie, could I add two points? One, HIPAA does allow for individuals to make requests for a restriction of their information and covered entities are accustomed to dealing with that. But again, I do not think it comes up very frequently.
I also would say in terms of segmentation of electronic records, it is probably something that can be considered in the context of the Federal Part 2 Substance Use Disorder Regulations, the confidentiality rules there, and then the state requirements around mental health, HIV status, all of that probably also gets implicated in terms of what data can and should be segmented. But from the consumer perspective, I think consumers cannot always anticipate what their medical needs might be in the future. We would be concerned about patient safety events should a provider not have information and a consumer was in a situation where that could have affected their health outcome.
MS. KLOSS: If you will permit me, subcommittee members, I would like to ask a couple of questions and then we will go to Barbara and then we will go to Walter. We heard a couple of very specific recommendations from the first panel and I would like your thoughts on those. One of them is related to passing along, if you will, the minimum necessary obligations to business associates, the point being made that the health plan or the provider or the covered entities have that burden, but we do not impose that burden through the BA requirement on business associates. Is there some opportunity to strengthen that chain?
And then the second, we had a specific recommendation that the hundred or so people who handle a medical claim to get it paid do not need the patient’s name. We could adopt a least identifiable process and still achieve that purpose. I would like to hear what your thoughts are on both of those specific suggestions for tightening the current processes.
MS. MARTIN: I would certainly suggest that there is opportunity for strengthening that relationship with the business associates. We, of course, all should be having business associate agreements signed with folks, but once the information has passed along to them, what they do with it can be quite detrimental to your organization at a later date. There have been many things published about that. Many incidents that have occurred. I would definitely support the idea of strengthening that.
In reference to not having a patient’s name for processing the information, I would have concerns about that. I believe that it is difficult enough with patient matching and medical record numbers at this point in time and having multiple identifiers is extremely important. I would not necessarily be in favor of a unique number and not allowing staff to have access to a patient name.
I do support the idea of limiting other information such as Social Security numbers for obvious reasons. I think that is very important, but it is a struggle from a patient safety perspective now to track our patients and make sure that the doctors —
MS. KLOSS: This is for billing. The specific recommendation was with regard to the revenue cycle change.
MS. MARTIN: I am not sure if I have a response to that right now. I would still tend to lean on the side of they should have access. I think it is the same scenario. Obviously, it does not have to do with the patients’ safety, but it certainly has to do with getting that information to the right place.
MS. LUKE: I have to apologize. I am not recalling the recommendation about the business associates. My sense of that would be that as the covered entity engages the business associate, they are setting up what that associate should have access to in terms of the information within their contract within the parameters of what function they are performing. To say that that information would go to the business associate, but then somehow there would be an additional restriction on use or disclosure – certainly beyond releasing it to another entity or a subcontractor or implicating some of the other HIPAA provisions, I guess I am having a hard time understanding how the minimum necessary would be tightened in that context.
With respect to the individual’s name, HIPAA required a patient identifier many years ago. Every year we wait to see if there would be activity and I actually thought this year was going to be the year we were going to have a lot of movement on patient identifier. Maybe next year. We would certainly support that. We would be very happy to be active in that space and contribute to that activity.
DR. EVANS: I would like to focus on the research and public health request for information for a moment. It seems we are shifting to a methodological environment where not all of the research and public health studies we do are testing specific preformed hypotheses. We are doing more and more hypothesis-free work, looking for associations. The concept of minimum necessary seems very rooted in this notion that there is a specific hypothesis you are testing and you know a priori what data you need to do it. Are the members in your organizations concerned about an uptick of this any and all, everybody you have type of request in situations where the would-be user is looking for rare associations or doing hypothesis-free testing? Can you or have you thought in your checklist about when it is the minimum necessary to ask for everything? Is there a type of research where you are either trying to eliminate selection bias or doing hypothesis-free work where the minimum necessary data set is everything? How would you cope with that in your checklist?
MS. MARTIN: We have a very active IRB at WVU in general. We work very closely with them with the privacy committee of the hospital. In that perspective, even though some of these do not go through IRB, it might be just beginning investigations. We typically collaborate on that. And oftentimes they do get any and all records because in that particular situation, they do not know what they do not know. As we work through those processes then we document those and we try to outline. When these types of requests come in the future, this is the amount of information that we normally provide. Typically, they will work through the school of medicine and the IRB and circle back to the hospital and let us know if there are certain key items that they do not have that they would like to have.
MS. LUKE: Barbara, what I think typically happens is if an entity was requesting that kind of information from a health insurance plan, they would prefer to release it in a de-identified format. While I cannot point to a specific example, my instincts tell me that if the company suspected that an individual would be at risk for being identified for a specific disease or a condition, they probably would not participate in the research if they felt that that was that vulnerability.
That has been one thing I think that in the research area, there is a variety of interpretations and the fear that perhaps there would be either identification in that scenario or matching a data set that might be de-identified with other public sources and other data sets even if it is in the contract that that should not be done and then that happens and then somebody is vulnerable because of that. That is how I think that would play out.
MS. MARTIN: Just as a follow up, a lot of academic facilities have clinical trials research institutes. What we are seeing as an ongoing trend is the institute having a copy of the hospital’s database and their records in a de-identified fashion. However, that does not mean that they are able to release that information at any interval. There is still a process where it is reviewed and embedded between the hospital and the university before the information is released. But that has become essential from an academic perspective for them to be able to have the ability to search the information for certain purposes. But it is managed very tightly between the health care facility and the school and the internal review board.
MS. LUKE: If I could just go back to the public health request, even if they are required by law or if an oversight agency feels they are entitled to certain information because they are a public health entity, there still would be someone at the health insurance plan who would look at that and if there was a question or perhaps an objective that perhaps they were not entitled to receive certain information, I think there would be a dialogue about that.
DR. SUAREZ: Linda, you took a few of my – I wanted to review some of the comments made earlier. But one you did not mention was one recommendation that we already received basically from one of the earlier presenters and that is extend the applicability of minimum necessary to treatment. Right now, of course treatment is exempted from having to follow minimum necessary. I want to get your perspective on whether that is an advisable recommendation. I will let you answer that. If there is time, I have just one other comment.
MS. KLOSS: I had not because I thought that Helga’s question started to take us in that direction.
MS. MARTIN: Just speaking for myself in particular and the HIM profession, we have never necessarily been an advocate of minimum necessary applying to treatment. We felt like that was really a potential patient safety issue. Not from our perspective.
MS. LUKE: I would agree with that, Walter. I think it goes back to my earlier comment about the patient safety issues. I think the consumers are probably in the best position to weigh in on that, but I do think that before consumers are consulted. They are not able to anticipate their clinical means. They are not able to know what a provider would want to look at or how one data point might influence the actual diagnosis or treatment outcome. I do not think it would be advisable.
DR. SUAREZ: The other part of this and it has been mentioned a few times, but I wanted to get your perspective on it. Susie talked about segmentation – I do not know how many of you know, but there is already a national standard called Data Segmentation for Privacy, DS4P, developed by HL7, the same body that developed the standard for communicating electronic health records data for treatment and for referrals and all the things that the national standards are being adopted in meaningful use. Actually, meaningful use mentions data segmentation and privacy. We have a technical standard to attempt to do that.
Marilyn, you mentioned. We only really have one national federal law that points to the need to do that, which is 42 CFR Part 2. We have some laws at the state level that define certain data of a medical record to be “more sensitive”. That is the question that I want to ask you. What are your perspectives about the use and the concept of sensitive health information? Some people have argued and even earlier maybe that sensitive health information is – on the one hand, one argument was it is a very critical aspect of what we do and there should be something more well defined. On the other hand, we also heard testimony saying that the most dangerous or one of the most dangerous things to happen because sensitive health information is contextual. It is personal. It is individual. Even the same individual two days later can think differently about what sensitive really is.
What is your sense of the concept of sensitive health information?
MS. MARTIN: There is some truth in some of the comments this morning. What is sensitive to me may not be sensitive to you. However, I believe we have to stand somewhere when it comes to certain levels of information. I believe that we would support further clarifying it. But I think it does leave it wide open to having a list that is extremely long and very difficult to manage. We currently do focus very closely on sensitive information and assure that we have all the appropriate authorizations from the patient before that information is provided.
DR. SUAREZ: Do you use your own definition or do you use – definition what is sensitive —
MS. MARTIN: For many years, we have identified certain things as sensitive such as sexual abuse, HIV. Some things can be considered sensitive to certain staff and they bring that to their managers to review and evaluate that as well. There is a fair amount of subjectivity in the process. I would certainly support the idea of further clarification around that. But I do agree that something that is sensitive to me may not be too sensitive to another person and vice versa.
MS. LUKE: Walter, I have been doing compliance work also throughout my career. My answer to you is if a federal or state law or regulation required a certain standard of segmentation, we would comply. We would implement that. That being said, we have called for review of the Part 2 confidentiality requirements and statutes. One of our specific provisions asked for SAMHSA to encourage Congress to convene public hearings and work with the NCVHS to get input from individuals in public and private entities before the statutory changes would take effect. We think that there is some need to modernize and think more broadly in terms of those data segmentation situations. I think there is more work to be done in that area.
But for as it stands today, if it is on the books and someone has to follow a certain process or limit access to information, plans would comply.
MS. LOVE: It is a little controversial, but I think by default the claim is becoming over the years a minimum necessary data set for broad research and views. But how do you see – the claim is not enough now as we go into risk adjustment and population health. You will see more linkages with the electronic record for clinical data elements to blend with the claim. How do you see minimum necessary playing out in the new era of linked data sets? I think we alluded to it earlier. Is it a one-off request? Will we evolve so there is a more standard request? I am just trying to think how that will play out because linkage of the data will happen and is happening because the claim only provides a certain baseline of information.
MS. LUKE: I just have two thoughts off the top of my head. It depends on who is doing the linking. If it is a HIPAA entity, they will follow the HIPAA parameters. If it is a non-HIPAA entity, yes, there can be benefits to that linkage. Perhaps that linkage should not be performed if it is a non-HIPAA entity. We will pause on that and leave that for some thought.
In terms of the new delivery systems, I think it is going to depend on the individual environment. If you are an accountable care organization, what linkages you are doing and analysis you are doing of data is going to be very different than if you are working in a company that provides simply supplemental products that really are defined by dental, vision, et cetera. I think it is going to depend on each individual delivery system.
We have seen a lot of changes and a lot of new emerging situations. I am going to say it is going to continue to evolve.
MS. KLOSS: Our sincere thanks for your preparation for your delivery and for your great handling of Q&A. As I said to the first panel, we consider you part of this deliberative body now. If we need to come back and ask more questions, I hope we can do so. Thank you.
MS. LUKE: Thank you for saying that.
Agenda Item: Panel III: Minimum Necessary: Challenges and Opportunities
MS. KLOSS: Welcome back. We will move to Panel III. Let me just get advice from Rebecca. We do not need to redo our whole introductions. Thank you. We have the next hour and a half to pursue minimum necessary challenges and opportunities. We will take as much of that time as we need to pursue that and then at the conclusion, we will call for public comments and then the Subcommittee will begin to pull together what we have learned today.
I want to welcome our first expert witness, Alan Nessman, attorney for the American Psychological Association who will present testimony on behalf of APA.
MR. NESSMAN: Good afternoon everyone. I am Alan Nessman, senior special council in the Legal and Regulatory Affairs Office of the American Psychological Association Practice Organization. We want to thank the Subcommittee for soliciting our views on this important privacy rule issue and for looking into this issue and digging in deeply. Recognizing that everyone here is recovering from lunch, I am going to try to keep my oral comments a little simpler, more focused. I am not going to use up a lot of time I think, but we will have a lot of time for discussion.
Our office has been working on the privacy rule since 2002. We have been working longer than that on the issues of psychologists being asked by insurance and managed care companies to produce patient information.
Our main minimum necessary challenge in the last two years has been records requests by insurers who are conducting annual risk adjustment audits mandated by the Affordable Care Act. The problem is psychologists are asked to produce an entire mental health record. In some cases, these psychologists keep a record that combines the basic clinical information with sensitive details from therapy that are unnecessary to the audit’s purpose.
We have worked collaboratively with certain insurers to develop a solution to this minimum necessary problem and that is letting the psychologist extract the relevant clinical information from the record. You have heard a lot about minimum necessary problems. We think this is an example of how the minimum necessary rule can be applied effectively to balance competing interests. We ask the Subcommittee to recommend guidance adopting this approach for this scenario.
To understand this very specific application of minimum necessary, let me give you a little background on risk adjustment audits and combined records. The risk adjustment audits, which the Affordable Care Act requires insurers to conduct annually, are affecting a large number of our members and creating a lot of confusion and concern. The risk adjustment program is overseen by a different part of HHS. It is designed to level the playing field between health plans with very healthy, inexpensive populations and plans with very unhealthy populations that are very expensive to care for. The ultimate goal is laudable: to stabilize premiums and keep plans with unhealthy populations viable and affordable. Because of that laudable goal, we are recommending to our members that they comply with these audits, provided that they can comply with minimum necessary and comply with state mental health confidentiality laws.
The risk adjustment audits essentially serve as a spot check on whether the plans are accurately reporting the health status of their members. Millions of dollars are going to flow as a result of these risk adjustment audits and the idea is just to make sure that that flow of large sums of money is based on accurate information.
We have dealt with audits by insurers for many years, but these risk adjustment audits pose a unique minimum necessary concern because of their narrow focus. They are really just focused on the health status of the subscriber as it relates to the likely cost of care. It is really not just focused on the patient or the psychologist. It is really just focused on what is the overall health of the population.
Let me give you a little background on combined mental health records. In mental health, psychotherapy is the clearest privacy protection that psychologists and other mental health professionals can use. But this is an example of what was talked about this morning about the complexity of HIPAA. Despite our guidance, many of our psychologists find them confusing to use. Others just find it difficult to keep two sets of records at the same time. Many of these psychologists keep what we have come to call a combined record. It is one that mixes the details of therapy with basic clinical information. Let me give you an extreme example. Say a psychologist is asked to produce their entire record in response to one of these audits. They have a 30-page record that has extensive detail about what the patient said in therapy, their deepest secrets and fears, the psychologist’s musings about potential diagnoses and stuff like that and mixed in with that are the relevant clinical details that the auditor is really looking for. This raises obvious concerns about minimum necessary.
We first encountered this issue two years ago when Anthem Blue Cross Blue Shield, one of the nation’s largest insurers, began a dry run of these risk adjustment audits a year before they were really required to do them. If this issue was new to us, it was new to them. We decided to try to work collaboratively with them to try and find a solution to this problem. What we proposed and what they accepted was allowing psychologists with these combined records to extract the key clinical information from that lengthy record and provide that to the auditor. We rely primarily on the privacy rule’s exclusions from the psychotherapy notes definition. Examples of that kind of basic information, which we think is appropriate for these kinds of audits, are modalities and frequencies of treatment, summary of the following diagnosis, functional status, treatment plan, symptoms, prognosis, progress to date, and things like that. This is the kind of information that really is appropriate for one of these risk adjustment audits.
After Anthem agreed to this solution and we applauded them for that, Blue Cross Blue Shield of Minnesota was the next company that we encountered and they also agreed to the solution. What we told our members after that was this solution seems to work. Try this if you have risk adjustment audit. Let us know if you have any problems. So far, we have not heard of any companies pushing back on this.
We think this solution allows psychologists and insurers to comply with the minimum necessary standard while giving insurers the basic information that they need to conduct these required and laudable audits under the ACA. It also saves the insurance companies or at least their auditors the trouble of digging through that 30-page record, spending a lot of time trying to find the nuggets of information that they really need.
We recommend that this solution be adopted as the standard for minimum necessary for the situation. It may seem like a very narrow situation, but because these audits are being conducted annually and will be conducted annually, it affects a large number of providers, not just mental health, but in other areas. The real concern though is with mental health providers. Thank you.
MS. KLOSS: Thank you. Rita Bowen, wearing a couple of hats.
MS. BOWEN: Thank you very much, Linda. I have been in the health information industry for 40 years. I have sat in the side of director of HIM processing information and releasing information. I currently represent an organization that as a provider for people to outsource and release information to and I serve as their privacy officer. I am very honored to be representing AHIOS today. AHIOS is the Association for Health Information Outsourcing Services. They were established in 1996 for the ethical use of and dissemination of information in working with organizations. We appreciate the opportunity to provide this testimony and share what we are seeing in the industry as issues regarding minimum necessary and where we could solicit your help in revising this.
Alan, I do appreciate your comments on the HEDIS reviews because I know you were focusing to the minimum necessary for your specific domain, but it really does in my opinion apply to all because they are looking for one specific thing. It should be focused to that.
One of the areas that we are seeing – I have the testimony that you have been provided and broken down into areas. The area that is presenting the largest that we are seeing in the industry right now is really focused to workman’s comp. They will ask often for any and all information related to a specific injury or to an area. Not all states have specific rules that require how you would respond. Trying to limit that information is sometimes very discerning. Unless you understand the full body of the record that you are dealing with and understanding not only the anatomy and physiology and how to link that information together. We are seeing that as an issue where often more information may be released than is required unless you have the right skill set in dealing with that.
The second area that is causing an industry challenge is really the electronic medical records in general. Many do not have the capability to limit unnecessary information from a print subset. If you want to limit information, the best you can do is redacting the record and redacting in itself causes problems. That is an issue that I would like to bring to your attention.
Also, an area of concern is that request letters are often used to narrow the information that is really needed. The authorization may be very broad. I have heard the conversations this morning focusing on the fact that the authorization is the word to go by. But many times that is assigned early on and it is very expansive whereas when they do get into what they need, they can narrow that down into the request letter.
There is basically the security blanket that covers the fact that if you are meeting the authorization, you have not had an issue. You are not having a breach because that discussion you had this morning as well. I would encourage this group to look at the fact that if it can be narrow through a request letter that that is what should be the letter of focus for the breach consideration.
Also, providers often utilize generic subsets. We heard Melissa talking about this as well is that 50 percent of the facilities through the survey of our members at AHIMA did not even have policies. What we are finding in the vendor relationship is when we go into these facilities, they may not have a specific policy to minimum necessary, but they will have a subset of the records saying this is the minimum necessary that we want you to give. It is really a generic response. It is a generic release without regard to what the request was or for the purpose of that request. Again, there actually could be more information that is being provided or in worse situation not enough information that might be needed for that purpose. That needs to be reviewed as well.
Another area where we are seeing evolving policy direction might be needed is again the EMRs themselves: the set of interoperability standards to ease the process of sharing minimum necessary. Every EMR is different. There should be some level of consistency in that process of how we could process that information consistently and for sharing.
The other area that we feel that there should be an identification of areas where outreach and education and technical assistance could be provided is actually the focus for the higher skill set or specialization required for staff who are actually releasing this highly-sensitive information and the knowledge of that worker. As I mentioned earlier, they really need to have the medical anatomy and physiology background, understanding the request of the information that is being made and where that content is in the record. We are advocating that the staff that are performing that process of that should undergo some kind of testing whether it is an internal evaluation mode or through AHIOS, we have a certification exam. I believe AHIMA is also looking at a subspecialty exam as well.
Also, I would like to bring attention to something that has been discussed earlier already and that is the unique patient identifier. That would be very helpful in linking the information within multiple health care systems and settings. So many organizations have taken their ambulatory or maybe their clinic settings and then their inpatient records and their blending, but they still have two subsets and/or worse they have blended that information without a true vetting of identification of that patient. There is a lot of error in looking up the patient information in the identity of their enterprise master patient index. Having a unique patient identifier would be helpful in the process of releasing that information.
Another area that has been discussed and focused on earlier today by Mark was data segmentation. I won’t belabor that, but I do bring it to your attention that data segmentation holds a lot of ability to segment that information which may be sensitive, and again identification of the sensitive information is needed because what is sensitive to one may not be sensitive to another. But you need to be able to have data segmentation to support the granularity of the choice and respect of the patient of how they want to segment that information as we move forward. That is missing very often from some of the systems or it has not been employed appropriately. That is one of the information governance concepts that is so important as people are advocating for their EMR and getting them established appropriately.
The other area of concern is the source of all information, or the data provenance. Information that is coming into the health record should be identified. It needs to be identified appropriately so you know where it is coming from and so that there is validity for the reliability, quality, and the relevance of the data that is being submitted.
And then another area for clarification that has recently come to light in our industry is with the clarification of the patient directed access for a patient representative. With attorneys being able to have that right to have that appointed to them, not getting into the chart structure because that is for another day, but the question I ask and that our industry asks is will minimum necessary now apply to such patient directed third party requests. It does not as it currently stands. But in the past, it has where it gave the patient the rights to release that information and it gave them the right to revoke certain things. You want to give some consideration if that should be considered now without broadening of that process.
Areas of outreach and education and technical assistance that we would like you to consider is education again to the requester population on the specifications of information types and ranges of how they should ask for information. Again, that comes into play often when people say I want any and all information. They do not know that they know what they are asking for when they ask for any and all information. It is almost a cry to say disallowing their request to be even responded to. I know we can make the calls to question that process, but it becomes a very tedious process when you are dealing with a voluminous amount of requests.
You want to also educate the community on the benefit of working with staff or vendors that provide this information that have the highly specialization to do this job correctly. Again, I bring the data segmentation up. As we have said earlier, identifying the sensitive information is important to know how you will be able to segment that from that release population as you are moving forward, not so much in the care process. I am not even thinking in those terms. I am thinking in the general request for release of who needs to have their hand on that information. Really as we have involved consumer education and consumer engagement, there is more information in the health record now than ever before. That is the area where I would like you to review for new and emerging technology developments.
According to the 2016 HIMSS Connected Health Survey, the consumer-oriented technology is converging around various platforms. It showed that half of the hospital respondents used three or more connected health technologies. The top three technologies include patient portals and that was at 58 percent. If patient portals are being used for patients to engage and enter their information, there has to be discussion through the IG process as to what is actually going to be entered into the record and/or what are the expectations of the clinician and of the patients for that information.
Apps for patient education and engagement were at 48 percent and remote patient monitoring at 37 percent. If there is remote patient monitoring at 37 percent, what is flowing into that information and what should be segmented if it is not to flow out to a certain payer or to an HIE or who else might be getting that information.
We thank you for allowing us to participate in today’s hearing and I will be happy to take questions if there is any from the detail of the presentation that has been provided.
MS. KLOSS: I will start out with a couple of questions. Do your members deal with other requests for information other than the audits? You shared that solution, which is great, but what about the whole environment of request and disclosure?
MR. NESSMAN: There are just a variety of requests for information that our members get. We tend to react to them specifically. The risk adjustment audits are just the most striking example of minimum necessary because in some other audit context, for example, a record keeping audit focusing on the quality of records, you have to look at most of the record other than of course psychotherapy notes to determine that. But these are very specific. That is a problem.
We try to get our members to either keep separate psychotherapy notes, which has been a very effective protection. In a survey of our members in 2009, we found that they were seeing from the companies a very high level of compliance with not requesting psychotherapy notes. But as I mentioned, that is hard to do. Another approach we recommend is keeping a very lean clinical record that just does not contain a lot of details if the psychologist does not need to work with that. There are a number of disclosures they have to make and then it really just depends on the type of disclosure.
MS. KLOSS: The standard practice then is to keep clinical notes just to the extent that are needed and that that would get released in response to requests with the psychotherapy being kept —
MR. NESSMAN: That is one of the – the two preferred methods we recommend for our members are, one, keep separate psychotherapy notes. If you are the kind of therapist who needs to – for your therapy, it is important to keep those details then keep those in separate psychotherapy notes. Some people are particular. A lot of people are trained more recently. Don’t need that and they can keep a very spare record and just that record is fine. The problem comes up with what we call the combined records where people have not separated out the details, the sensitive information for therapy from the basic clinical information.
MS. KLOSS: You provide then help and guidance as questions arise.
MR. NESSMAN: Correct. I also wanted to echo something that Rita had said. Our members are also finding or we are also finding in looking at electronic health record systems that work for psychologists – some of them allow segmentation and we think that is going to make it much easier to respond to requests and comply with minimum necessary, but some do not. If you do not have that ability to segment the information, we think that the problem is going to be the default will be that the whole electronic health record goes in response to the request or people just go through the labor of trying to extract it. We think that is an important issue for the Subcommittee to be aware of.
MS. GOSS: It seems to me that the intersection of behavioral and physical health is growing and the complexity especially from a primary care perspective, which your comments really struck me as we have an even bigger problem as we see especially like the Medicaid managed care long-term services and supports kind of functions. The community behavioral health integration work. The complexity that the Part 2 rules have with the certification rules. I am curious if either of you have any commentary on data segmentation when it starts to get into this blending of the Part 2 SAMHSA rules with the certification rules at ONC as it relates to the HIPAA privacy rules at ONC, knowing that we are focused on minimum necessary.
MR. NESSMAN: My colleague Stacy Larson, who is on maternity leave, has followed those things better than I have. I will say that that is one things that we try to – just the general issue of integration. Psychologists are trained so much in a lot of the – particularly the older psychologists are trained to keep the patient’s information private. With integration, it is important for them so often to push information out because with people recognizing the mind and body connection, it is important. These record keeping approaches we recommend allow them to have the basic clinical information, which is relevant to and understandable by other health care providers. If they need to keep some of this information private, either do not write it down or put it —
MS. GOSS: — specific mental health clinician’s perspective. I am looking at the primary care hub dynamic here because I think that is where I see more of the rub. I think the mental health field has been very much attuned to this for years. I think that we have had a how do you interpret the data that could be in notes or other aspects of – someone is on a medication, this is the issue from earlier, for Wellbutrin, which can be a psychological drug, but it can also be used for smoking cessation. How do you manage that? How does the landscape of technology rules and policy at the federal level influence this minimum necessary HIPAA aspect?
MS. BOWEN: I am not going to address the policy level because I think that is this committee’s group to discuss that and to help make those recommendations. But what I am seeing at the clinician level, not at the specialty level is that it has not even been thought about the data segmentation.
I know we heard earlier that data segmentation when it comes to that of who made that decision, it would be the provider. But I think there also has to be some discussion with that patient. You mentioned the Wellbutrin that that could be used for smoking or it could be for some other reason. Does the patient know that if that is in their record and then that is released, what kind of judgment may be associated with that? I do not know that that discussion has taken place with patients. That is my question. You asked a question and I will ask a question. My question would be is I think that needs to take place as a requirement. That will require slowing clinicians down and actually talking to the patient.
DR. SUAREZ: Could you repeat what is it that needs to take place?
MS. BOWEN: Well, the example that Alix mentioned was the Wellbutrin. She said it could be used for nonsmoking or it could have another effect. Does the patient know that they are going to do this and that is being discussed and they are prescribed that? Do they know how that might be received if someone else gets their information and they see that that they may make a judgment that was not a correct judgment about them?
MS. GOSS: I appreciate the consumer’s perspective, but I am really trying to focus on the larger implication from your organization’s perspective and the balancing act that you are trying to do especially from an MRO and I do have some affiliation through David Borden as being one of my former board members, knowing that you are in the hub of health information management.
MS. BOWEN: With our work, MRO’s work as a health information exchange. Then we have to have that guidance as to what needs to be pulled and not. But in the release of information world, we are relying on what is authorized. And if that is not segmented out of that record to be protected, it is not going to be withheld because it is not classified as a sensitive component.
MR. NESSMAN: With psychology, psychologists have long been aware of just these tensions between protecting privacy, but also as care gets more integrated, what information is appropriate to share, what information do medical providers understand. I have heard them say could you please give me just some very basic. Just tell me the top four things I need. I do not need several pages of detail. One of the things we are trying to do is foster collaboration between psychologists and medical professionals to just be able to communicate better. We put on summits on how psychologists can collaborate better with other health care professionals and how they can communicate better and the record keeping is part of that.
DR. MAYS: I am wondering if you can talk a little bit about on behalf of APA or else on behalf of the practice directorate where psychologists are with these issues. Number one, as you try in the integrated care setting, have these two sets of notes and you have to worry about coding and all this other kind of stuff, what are some of the issues that they are struggling with and have you done any surveys or anything to be able to share with us their feeling.
MR. NESSMAN: We have not done surveys, but we field hundreds of HIPAA calls and record keeping calls. Our surveys are just by people calling us and confused. There is just a huge range. We have some people, what I consider our expert-level people, who call up because they are concerned about some little gray area nuance. I tell them you are so far ahead of so many other people. You have the other people who are just – I comply with the privacy rule. Am I good? It is like you heard about the security rule. There is a huge range. We are trying to do a lot of outreach to just educate our members on all these things.
The privacy rule primer, which tries to boil everything down as simply as possible, but we just see a big spectrum of sophistication levels. It tends to be that earlier career psychologists are more attuned to these issues. They also just tend to keep records in a simpler way that raises less of these issues. Does that respond to your —
DR. MAYS: It does, but I want to know specifically about CFR 42 Part 2 of whether or not there is a position where you want it to stay as it is or you want it to change.
MR. NESSMAN: That is an issue, which I know you are very concerned about, which I unfortunately do not deal with.
DR. SUAREZ: Great comments. Thank you so much again for the testimony. I have a question about some of the concepts that you brought up – sensitive health information. We talk about sensitive is in the eye of the beholder. It varies. But similarly with respect to minimum necessary, there is the word necessary, which is in the eye of the beholder. There is the word relevant. You used extracted relevant clinical information from the record. Relevant is also in the eye of the beholder. There is the reasonableness concept behind minimum necessary, which is applying basically the expectation that who requests has a reason for requesting what they are requesting and is thinking about what the minimum amount needed and the same from the side of the entity that is releasing the data.
I am very pleased really to see the development of this proposed solution that identifies a series of elements. I think my question is really about whether this concept – that this is a solution to a specific application of a specific area of health care, psychological notes. If we were to go down that path to identify what is the minimum necessary for different solutions, is that an approach that you think would be reasonable? Would it make sense? There are so many different scenarios. In some ways, trying to define what is the minimum amount of reasonably expected data to achieve a particular purpose for cardiology and pediatrics and this and that and for payment and operations. How would you see the approach that you follow in developing this minimum necessary set of data apply or be extendable to other areas?
MR. NESSMAN: The Subcommittee does not think that handling the 10,000 scenarios that minimum necessary arises in is a reasonable – I am joking. My suggestion on that would be – that is the purpose of talking to the stakeholders. The stakeholders can identify some particular areas. I think that was part of the charge of this was to identify particular areas where further clarification was needed. The risk adjustment audits are becoming very pervasive and they just raise unique minimum necessary issues. My suggestion would be that where a stakeholder has said this is something where we could use more guidance. In this area, it seems to be working well right now. If other companies say, no, we are not going to abide by that. We want to see it all. That could be a problem. To that point, I would rely on the stakeholders to identify specific areas. This is a very specific area where I think further guidance would be helpful.
Some of you said earlier, which I had thought about before, and that is just a question of who decides. Because traditionally, you had asked about other requests for information and what we see is the psychologist says this is the minimum necessary information, you, the insurance company – they say no. We think this is the minimum necessary information.
Our reading of the rule is that it is the disclosing party that makes that determination. But that is another area – that is my careful reading of the rule. Most people do not read it that carefully. I think that might be another good area because it is not helpful to have a situation where one side says it is this and the other side says it is that and there is no clear way of resolving it. I think some further guidance on that point would be helpful. Did that answer your question?
MS. BOWEN: I would add from a HEDIS perspective from what I have seen outside of your domain that the request does come with a specific request and it has the attachment of I need the information related to this specific domain. It gives you the criteria. I believe that in many of those areas they are sending that. It then becomes a request of how do you interpret that back to that health record to that EMR.
MS. KLOSS: Are you talking about risk-adjusted audits?
MS. BOWEN: Yes. And looking at the request from an inpatient setting versus a clinician office record. They are organized differently. They are categorized differently. You have to have that exchange with the people who are providing that information so they do not try to just make that assumption that the way we have responded to information from the hospital setting is the way we will respond over on this side because it will be different.
MS. KLOSS: Because of the electronic health record.
MS. BOWEN: I know last year I was talking with some of the health plans. I said my first thought would be to look at your problem list to see if this was even identified as a problem to know where to go look because they want to know the first time the occurrence happened over a time period. They said no. We do not want that because really what we are after is the first time they ordered this information. It was a way of interpreting and how to get them the information they wanted. As you said, the best way to do it is to sit down and have the conversation.
DR. SUAREZ: Can I ask one follow up? I wanted to ask you. In your comments, you – about data segmentation. I mentioned earlier there is already a national standard for applying the concept of data segmentation to electronic health records. In most contexts, really there are two aspects of this. The internal within an organization kind of the use of data usually is controlled through role based access type of security technology and other context-based access technology. There are all these things now evolving around that.
And then when data is going to be disclosed and there are some concerns about certain data that needs to be segmented or not included in the disclosure, then it comes to that opportunity.
There is no as was mentioned before – there is only a very few number of laws or external regulations that require mandate some level of segmentation. Everything else is really more of a choice or a request from the consumer or the patient. The question is do we need to handle differently the way the type of data that it needs to be segmented and need to be defined. We have state laws that define certain data to be more protected. There are also different laws for different types of data. Data segmentation, the technology has started to offer that type of capability of systems of course with some degree of concern about the challenge or even system performance and system response when I am trying to see a record and the data has to go through all sorts of segmentation routines to see which ones I can see.
But in any case, I am just wondering – let’s assume that we have the technology for data segmentation in place. What kind of laws or regulations are you thinking about? There is data segmentation that any organization can do. But usually it is something that organizations rely upon laws and regulations to define. I am not certain we have any of those or only a very few of those in place. In many cases, there is only one federal law that guides this need for segmentation for certain data 42 CFR Part 2 and then there are state laws that handle data sensitivity and data protection –-
MS. BOWEN: There are several things that come to mind as you went through the scenario. But the first thing is the fact that you are right. There is process in the rules that can happen. But I think there should be a policy rule that is made as to what is defining sensitive information. At least you know that this subset of category of information will always be in that pocket. Right now, it is loosely defined. It is what one group may define is not what the other group defines. That would be very helpful.
The other component of that is that even though the standards are there, I do not see consistency in their application amongst organizations within their EMRs. Whether that is the issue with the EMR or if that is the issue with technology of that organization that have not applied it. I cannot answer that, but I do not see them using the ability. I think that needs to be vetted more. And perhaps if it is an issue with the EMR vendor themselves, that there needs to be some focus and push as to what is expected of them because I have not seen a lot of that. They have been inspected to deliver to anything that they want to deliver basically. Standards have been loose.
MR. NESSMAN: I am glad you asked that question because it raises another point I wanted to make. We have done comments to CECHET(?) I believe that was the committee, probably five years ago or so. We had recommended at APA that the two particular areas for segmentation would be, one, psychotherapy notes, which I have talked about. You can keep the psychotherapy notes separate from the EHR or in it, but if it is going to be in it, you cannot have HIPAA compliance unless that is segmented because you need to have the ability to release those for separate authorization, et cetera.
The other area is test data. That is an area that SAMHSA had had extensive hearings on. We testified and then they were required to consider whether psychological test data should also have the heightened protection the psychotherapy notes have. We tried to contact SAMHSA to find out what happened to that. That was, again, many years. They are required to study it. Apparently, they were not required to come up with a view on it, but that is another area.
Psychological test area is an area where people think I need to see that data, but there are a lot of areas in which non-experts looking at that are going to be misled. The classic example is there is – one psychology test that you probably know which one, asks do you always tell the truth. An honest person will say no. When someone says do I look good in this, you say yes. Taken out of context, some would say you are not very credible. You have admitted that you do not always tell the truth. That is an example of that. An additional recommendation we have is that test data not only be one of the areas segmented, but also be given additional protection because it is the kind of data that nonexperts can run amok with. It is not very helpful. It could be misused.
DR. RIPPEN: I guess for minimum necessary, the big question is then what is it needed for. We talked a little bit about the specific purposes. In the context of risk adjustment, how broad is that and for what purposes? The risk adjustment can be for lots of different things. I would like to get a sense of how specific are the requests and how can the health care system or provider make determinations then on how big is the bread box.
But then also what happens once it is provided? When do you know what the secondary uses of that information might be? Again, it may impact minimum necessary and then anything that might happen afterwards.
MR. NESSMAN: The first part of your question if I am understanding it correctly. These risk adjustment audits are for across all health care because the point is we are looking at a particular patient has a data point. Are they accurately represented? Because they are not specific to mental health, the audits ask for everything. I think part of the problem that we have is that most other health care professionals tend to keep very spare records. And mental health is an area where people break down a lot of details from therapy. That creates that issue. But what we recommended and our proposed solution defines the bread box for that particular purpose.
In terms of the secondary uses, our understanding is that this data is really used to spot check whether the health status of a plan is accurately reported. What we tell our psychologist is unlike a lot of other things where they are really looking at your patient, they are just looking at your patient as a data point. Our understanding is that this data is kept properly, but it is used in a very aggregated way that we do not think is particularly invasive of privacy potentially. But why take that risk if all they need is this much information, which we can easily define?
DR. RIPPEN: When people request that audit, there is a lot of paperwork that actually reinforces that notion of what they can use it for and what they cannot use it for.
MR. NESSMAN: The regulations go on and on.
MS. KLOSS: I have a couple of questions. I am going to go from the bread box to the elephant now. Rita, as you kind of look across the release of information industry from your perspective and assuming that we are not really worried about minimum necessary as it relates to patient access requests. That is clear that the patient can have access. I was going to ask Melissa this too. Of the 85,000 – let me just think. Of 100,000 requests for information process, what percentage of those is from third parties where the request letter or the authorization is expected to be more precise about what is requested?
MS. BOWEN: I would say 50 percent of those requests.
MS. KLOSS: So 100,000 – half may be from patients where or clearly other –
MS. BOWEN: Or it clearly another provider. It is a fax request, whatever. But at least 50 or greater is coming in with a specific request with an authorization and/or a request letter.
MS. KLOSS: If we were to look at that then across the whole industry, I do not know how many requests are dealt with in the industry. I have heard big zeroes. A hundred million certainly I have heard. I do not know that we even know what size the elephant is. You are saying half of those coming into this area where some application of minimum necessary thinking should be applied in making disclosure decisions.
MS. BOWEN: Let me just say. That is the request that we are seeing. I believe if you look at the ecosystem from an organization, there are probably many organizations that have requests coming in to their business office daily that are probably not even circulating back over into HIM. I believe I heard that addressed earlier is that often just to get a claim paid, they are sending an entire record where they do not need to do that. That may have been addressed yesterday that will resolve that over a period of time. As you said, we do not know how big the elephant is that we are looking at because we do not see a complete focus of organizations that have done 100 percent centralized release of information.
DR. SUAREZ: Thinking of using the word segmentation here again. You can break the request. 100,000 requests. Some of them are for providers for treatment purposes. Some of them are for payers for payments. Some are for business associates for operations. Some of them are from public health and other agencies. Some of them are for research. Each of them comes with a potentially different expectation with respect to the need for minimum necessary, the treatment versus everybody else and then a different process in reality. Some of them are frequent and recurring.
I am just trying to separate the ones that are like – you count how many requests. I can assure you that just in the administrative world, in the administrative transaction world when you do an eligibility inquiry, you will have to apply minimum necessary. You can add hundreds of millions of transactions a year or a month. I wanted to clarify which part are we looking at in terms of the need for a letter of authorization and all that.
MS. BOWEN: Most requests that we receive in an HIM department that is coming through that centralized authority there that there would be a request letter that says I need this information. It will usually have an authorization attached. It may be a global authorization that they may assign for health benefits or for life insurance benefits. That is when it comes in. It is almost like a net that they are casting.
Now if it is for payment to get the claim paid and you can make the linkage, there is no authorization that is required. You are looking at those perspectives from that linkage there. But we are seeing a tremendous amount of requests that come through with that letter with the authorization that they have authorized someone to receive this information to make some kind of a judgment on their behalf. Sometimes we see it for another clinician even though they do not have to have it. It is just a blanket that has not started that many organizations will say I need to get your information. Will you sign this authorization? We receive no road blocks even though they do not have to do that because a lot of people still have that misunderstanding.
DR. SUAREZ: Do you use the letter of authorization as the basis for deciding the minimum necessary?
MS. BOWEN: The authorization – you must have. The authorization guides what you will and will not do. But the request letter can narrow that authorization. In other words, if that authorization said any and all, but the request letter said I really only need the information related to the CHF study on this date then that is what you would really – you let that narrow. But you can never let the request letter broaden the authorization. The authorization is the golden ticket.
MS. KLOSS: How many should have a letter that is more specific than the blanket any or all? Is it the industry’s norm to go back and do what Melissa told us to make those calls and follow up and clarify what they want? Is the default – this is really my question. Is today’s default sending the whole record?
MS. BOWEN: I believe that you would see a larger percentage taking the default of sending the entire record because of the time and effort that it would require. That would be my personal belief.
MS. KLOSS: Because of the lack of specificity.
MS. BOWEN: I know in the industry in which I work and especially at my own organization if we have an incident at MRO where we have released information and it was more than necessary, we notify that provider that we have done that. It is not necessarily a breach because the authorization may have covered it. However, we do notify them that this happened because they may get the complaint. The covered entity is the group that will always be making the call whether they feel like that this is a harm level or if it is going to be. But we feel it is our responsibility to look at that and we are monitoring that as well as educating our staff. Now, I cannot speak to the industry as a whole if that is happening. I can speak to my personal organization, which I should not be doing at this point. That is something that would need to be looked at because there is really no directive of what you have to do there.
DR. SUAREZ: But to follow up on this point, your sense that entities are sending the entire record in many cases.
MS. BOWEN: Many are. I can tell you just from my experience that in a facility where I used to work, the business office was getting those requests and they would say I need the entire record for such and such and they would send the entire record. That did not require minimum necessary, but should it – they did not do it. We knew from the remittance advice what was required to get that claim paid. They really only needed this segment of information, but that does not happen today in reality.
DR. SUAREZ: Let me clarify one point or ask if you can clarify one point because there is as you pointed very well, there is the letter of request and then there is the authorization. The authorization might say a more generic access – submit my entire record and then the federal request might say we need this. If the entity submitted the entire record even though there is this more constrained element from the letter, there is a possible issue with respect to compliance with minimum necessary I presume. That could be one of the arguments. Or one could be that I had authorization to submit entire record from the consumer so I did not —
MS. BOWEN: The argument is that we had the authorization; therefore, it is an incident of an inappropriate disclosure. It might have been something that was greater than, but it would not be at a breach kind – or from something that would have to be reported. That becomes a judgment call basically within the ethics of the organization that you are working with as to how they want to do that. Again, it comes down to that from that perspective.
DR. SUAREZ: I am glad that you said the word breach because – I think that is probably the biggest concern that I think we have to try to think of.
MS. KLOSS: When we added the cautionary note about minimum necessary to the claims attachment, certainly what we had in mind was the idea that the default should not be to send the whole record. There should be some thought or policy or guidance with respect to helping organizations feel more comfortable with providing the information to substantiate medical necessity. But not send it all because it speeds up the process or it saves sending more later or all of the other process issues.
DR. SUAREZ: On that point, the standard itself and the expected practice and implementation guidelines and all the things that are part of the recommendations to the secretary with specifically the attachment case scenario, I think a good thing is that before in the paper world someone sent a letter to someone else saying I need a copy of the information in order to process your claim. And then they would send it – paper coming, paper going.
In this case, I think the standard allows for the requester of the attachment, for example, to define through codes, actually LOINC codes, define which are the needed elements of the electronic health record that need to be submitted or received in order to process the claim as an attachment. And then the provider has the ability to use that and say this is what is needed. I can only send that. You can send an entire electronic health record. I doubt that anybody would do it. It is easier to send an entire paper record because you could just photocopy and send it.
An electronic health record – we are talking about massive amounts of data. I think with the standard we are going to be one step closer to getting to be able to really narrow or limit the amount of health information to the minimum necessary.
MS. KLOSS: If I could press one more step on the elephant, we are down to 50 percent. What subcategories here might cause you to lose sleep? I think we have teased one out. Certainly the sensitive information issue is an area. I just pose this because I think our goal is to do something practical. If there are some areas that could be – where advising guidance could really help a particular weak link in this, perhaps we focus there first and that we do not have to look at this as the whole element.
MS. BOWEN: The weakest link that I see right now in our processing and within the industry is attorney requests because they will often – they want the entire net. They throw it out wide to see what they can vet through.
Also now as I said, since the patient can now designate a patient representative and that attorney can be designated that patient rep. Although the ruling says that that patient representative is supposed to be acting on behalf of the patient in a care delivery or care delivery system, we are already starting to see attorneys get the patient to sign that off. It is coming to them. It is questionable if they are really making a decision on behalf of their payer or if they are using it for some other purposes. I cannot tell you for sure, but it sure does bring question to your mind. My thought of what I guess in the industry from what we see more of abuse of wanting more than less comes from that population.
DR. SUAREZ: In some ways, attorneys are supposed to be representatives to consumers. It is really the consumer asking for their own data except through their attorneys. An attorney can ask for the entire thing. We are thinking about maybe business associates or maybe other providers. I am just curious about – that is why I was asking the second or third —
MS. BOWEN: I will have to give some thought to that. The attorneys came first to my mind because they are a thorn in my side. Apologies to any attorneys in the room. You will see that that is what happens. You know it is your industry.
The other requests usually come in pretty directed as to what their need is. Even if it is disability, you know it is a disability request. Then you have to come up to what is the minimum necessary. From an industry perspective that would help as guidelines as to what is minimum necessary to meet those guidelines rather than organizations having predesigned subsets of what they – just give them these pages regardless of what the request was. That is what we are seeing as a way of many organizations to meet minimum necessary. They have come up and developed this and then they are saying regardless.
There are some organizations in which I have been associated with as a business associate that when they have a request from another provider asking for that patient’s record, they will say do not give them the entire record because that is too much information. Give them this subset. If that is not enough, they will ask for me. Is that the intent because you want to speed up the process for the care delivery process? You want to give them what they need in the first place, not just a subset and if they need more, they will ask for it. I guess my thoughts tend to lean there as to where the focus needs to be.
MR. NESSMAN: I would add an additional concern from the mental health perspective. We have not had problems with it recently, but several years ago and these issues tend to be cyclical so it could come back. It is the issue of telephone reviews. You asked about what kind of releases of information psychologists are subject to. It used to be and we have not had as many complaints lately, but you would get the person to call up and say your patient has been in therapy for six months. They are not getting better. And some of those you thought were abusive. If you have a written request, the psychologist can sit down and figure out what is the appropriate information and they have separate psychotherapy notes – clinical records. They just say here it is. Or if it is a very specific request, they could extract the relevant information.
But there were some instances where the reviewer would say what do the patients say in therapy. We would advise members to say you seem to be doing an end run around psychotherapy – protection. You are just saying we will not ask for the psychotherapy now, but just tell us everything that is in them. That has not been a problem lately, but that is a concern. These things sometimes come back and that would be an additional concern. When you are on the phone under pressure particularly some of these people were putting pressure on people, it is more difficult to make a reasoned determination of what is minimally necessary. Some of these reviewers seemed to have this notion that I will just keep asking for everything. Sometimes it often seems like it was a way to discourage people from asking for more care. If a person wants more care, he has to give away his privacy.
MS. KLOSS: Aside from the technology, the outreach and education or guidance and education are I think the bottom line recommendation.
MS. BOWEN: I really think that we are going to see that explosion as we move forward with information coming from devices and patient-generated health information. There needs to be some guidelines as to – if that is received, how it is threaded into that record, how it is protected and what the expectations are. I think it is a loose cannon right now. Some are addressing it and some are not.
MS. KLOSS: Any other questions? Darren Dworkin from Cedars-Sinai was not able to be with us to provide testimony. We had a luxurious amount of time to ask questions. I really appreciate it.
I think maybe because we are a little ahead of schedule, I would like to just for the record acknowledge what the statement from the American Hospital Association that was received because I am not sure everybody has it and it is not terribly long. Would you want me to read it? It is only a page.
On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations and our 43,000 individual members of the American Hospital Association appreciate the opportunity to submit this statement about HIPAA minimum necessary standard. The minimum necessary standard mandating that HIPAA-covered entities and business associates make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. It has been treated as a reasonableness standard, not an absolute standard since its inception. Time and again the Office for Civil Rights of the US Department of Health and Human Services has confirmed that covered entities have substantial discretion with respect to how they implement the minimum necessary standard. This provides continued comfort to hospitals that minimum necessary requirements need not impede the provision of quality care and services and that hospitals’ minimum necessary determinations will be judged under a standard of reasonableness. We believe that this approach to the minimum necessary requirements remains vitally important for patient care.
The first conclusion is the current exemption for treatment should be preserved. The AHA supports the preservation of the existing regulatory exception to minimum necessary for treatment. Currently uses and disclosures for treatment are not subject to the minimum necessary standard and it is critical for hospitals that this exemption be maintained.
If uses and disclosures for treatment purposes were subject to a minimum necessary standard, patient care and safety could be jeopardized by a lack of information that does not meet the minimum necessary standard, but is in fact ultimately essential to a patient receiving proper treatment.
Because hospitals are large entities in which dozens of professionals may work together to treat a single patient, it is very difficult to predict which information will be most useful for which specialist or other professionals to have. Thus the minimum necessary standard would make it impossible for hospitals to use or release limited information without exposing themselves and their patients to the risk of inadequate care.
In particular, emergent care situations require physicians and other professionals to have a patient’s information as quickly as possible. Requiring hospitals to apply the minimum necessary standard here would pose a grave harm to the patient. We strongly urge that treatment activities remain an exemption for the application of minimum necessary standards.
The second major conclusion is consideration of a limited data set before minimum necessary would apply should not be required. HHS should not require covered entities and business associates to first determine whether a limited data set is feasible as the minimum necessary amount of data before the standard itself could apply. Such a requirement for prioritization urged by some advocates in the past would create a tremendous burden for covered entities and business associates through the added work involved in analyzing the limited data set as well as the time and money lost when this step is taken in addition to applying the minimum necessary standard.
Because limited data sets, LDS, are not used frequently, it does not make sense to require covered entities and business associates to conduct the analysis as it most often will require unnecessary effort and utilize scarce resources. We urge that the current regulation’s structure of independent application of the two standards be maintained.
Third, increasing data needs relating to patient outcomes and population health activities must be considered in applying minimum necessary. Section 13405(b)(1)(B) of HITECH requires that HHS in developing guidance related to the minimum necessary standards take into account the information necessary to improve patient outcomes and to detect, prevent and manage chronic diseases. The AHA believes that over time the amount of information necessary to accomplish these goals will increase because new models of integrated care require greater access to data. For example, accountable care organizations, quality initiatives, and continuity of care initiatives each will require the reporting and analysis of an increasing amount of data. Therefore, the AHA urges that these broader needs for data be taken into account as any minimum necessary guidance is developed.
The AHA believes that the current HIPAA regulation is by no means without some regulatory impediments, not the subject of this hearing, to the robust use and disclosure of patient PHI necessary to support high-quality care, care coordination, and population health improvement. However, the regulation’s minimum necessary standard remains workable because it continues to be a reasonableness standard with inherent flexibility and its application. Minimum necessary guidance must maintain that approach to ensure that the standard does not hinder the timely delivery of high-quality care, effective care coordination, or robust population health activities.
Any reaction to that? Can we move up the time of public comment or must we stay with the original time?
PARTICIPANT: I would say certainly open it up now, but again at 2:45 just offer it again –
MS. KLOSS: Let’s take the break. We will come back at 2:45 and we will have public comment. Thank you.
MS. KLOSS: We are reconvened and it is time to call for public comment and that includes anyone on the phone, anyone in the room. Do we have anyone who wants to give public comment? We are good.
Agenda Item: Subcommittee Discussion: Review Themes, Identify Potential Recommendations and Additional Information Needs
Then we will then move into the committee time. I want the committee to look down at their notepad and just take – I would love it if you would take two minutes of quiet time. If we could just come up on our own with the major themes or one or two major themes that came out of this testimony for you. And then we are just going to write that on the flip chart and then we are going to compare it to the themes that Susie pulled out and that I reviewed with her.
We will just go around until we tap out everybody’s themes and if Debbie could just jot those. And then we will look at what we have. We will mush them together. That way we are not putting words in. Walter, give us one.
DR. SUAREZ: I wanted to make a suggestion or comment before I start or we start. Overall, I think we heard a number of overarching themes and a number of ideas, but then I think we heard a number of specific topics and instances or areas or domains where additional things are needed.
As I was looking, I created my own list of overarching concepts and then my own list of the topics. In some ways, I will give you a few examples like minimum necessary and segmentation, minimum necessary and psychological note or minimum necessary and research. This begins to expand really having a single set or a single two-page document of guidance or minimum necessary becomes a complete set of minimum necessary guidance for different scenarios because I think a lot of people are looking for examples and ways in which – in any case, I just wanted to mention that I think it would be helpful to drill down into some of the different topics and different areas, business associates. We did not talk about ACOs, minimum necessary in the ACO world.
PARTICIPANT: How would you summarize that there are –
DR. SUAREZ: I was just suggesting we might want to create a list of what are some of the overarching principles and comments or concepts for additional guidance and then what are the topics for guidance-specific areas.
PARTICIPANT: Wouldn’t that emerge from – one by one –
DR. SUAREZ: I was suggesting not right now – I am just saying it is going to begin to evolve organically perhaps and all that. I just wanted to say that.
My number one overarching concept is that minimum necessary applicability, practical applicability needs to be further defined through guidance and practical applicability in multiple areas. I think probably the biggest and I actually sent an email to Rachel asking her. Minimum necessary – the number five issue that OCR is facing. What are the main topics within that fifth number of overarching issues? I think she sent me already or she sent as an email already. In any case, I think my number one issue is segmentation. I think we need – part of guidance and we need to help define guidance with respect to handling the segmentation process for minimum necessary to fulfill minimum necessary.
PARTICIPANT: I was going to talk about segmentation.
PARTICIPANT: Flexibility/discretion. That came up repeatedly.
MS. GOSS: Education of the general person and their rights and understanding of how the health care laws and systems work.
MS. KLOSS: Consumer education.
MS. GOSS: Yes. Thank you.
PARTICIPANT: Can you repeat it one more time?
MS. GOSS: Consumer education.
MS. KLOSS: Their rights.
MS. GOSS: It is not just their rights. There is a lot of misunderstanding about what HIPAA provides and what it does not provide for. I am just giving you one on my list. I have not gotten to the attorneys yet.
DR. PHILLIPS: I heard some conflict about it. I heard that there is a need for some technical solutions as well as policy solutions.
DR. RIPPEN: I know it is kind of redundant, but I think one of the core messages throughout is that minimum necessary is a critical concept.
MS. KLOSS: I wrote down targeted guidance.
MR. CORNELIUS: Segmentation.
DR. EVANS: I am hearing over compliance applying minimum necessary in situations where the regulation does not require it. I would like to understand that phenomenon more and it can impede data access.
DR. SUAREZ: I think I missed it.
DR. EVANS: Is minimum necessary a minimum threshold or should it be a minimum and maximum optimal regulation concept?
DR. SUAREZ: Additional ones. I think minimum necessary in emergency situations, public health related emergency situations or community emergency situations. I think the events of this past week really heightened the question about that point.
PARTICIPANT: So break the glass kind of thought?
DR. SUAREZ: No, it is not break the glass. It is really education of providers and guidance to providers about how minimum necessary relates to emergency situations as in an event like what happened in Orlando or a public health event.
PARTICIPANT: Was that minimum necessary or was that just access and disclosure?
MS. HINES: In my mind, that is what Alix was saying, which is that people do not understand HIPAA. They just say I cannot disclose that. They do not even understand HIPAA.
DR. SUAREZ: I want to make a distinction. There is a big difference between consumers and providers. Consumer’s understanding of minimum necessary is one area, a very important one. I have been trying to make the connection between how myself as a consumer would think about minimum necessary. We heard examples of how consumers come to providers from at least about complaining why did you disclose this. It was supposed to be not necessary to disclose that or something. There is that consumer education. And then there is the provider understanding how minimum necessary applies in many different situations. That is what I am talking about. Minimum providers.
PARTICIPANT: We need both kinds of education.
PARTICIPANT: Did you get Alix’s comment?
MS. GOSS: I think she is capturing that it is both. It is multiple audience level of education.
DR. MAYS: Defining what sensitive information is and having some sense of guidance about it.
PARTICIPANT: Its relevance given ACA and the current environment.
MS. GOSS: If I could modify those last two and adding because you were sort of where I was going, but I have a little bit more nuance to it. From the current environment, it is that future innovation keeping pace aspect. Is that what you are getting at?
PARTICIPANT: Current environment and future –
MS. GOSS: That is good for me to clarify. And the other one – you said about defining what sensitive data is. I think that the definition is important, but it cannot just be at a federal level. It has to actually resolve some of the state-level variance and implication or definitions and then how that translates to certified electronic health record functionality. I think there is an interplay there. It is not only that we need to define it is one, but I would add to that and say and how does it impact state laws and technology products.
DR. MAYS: Can I ask a question? I want to make sure I understand. If it is defined on a federal level, is it not then implemented at a state level?
MS. GOSS: States can be more stringent. That is the problem. We do not call it sensitive data in Pennsylvania. We called it the super three because we had between other federal laws and state laws, we were more stringent in HIV, mental health, and substance use disorders.
MS. KLOSS: And then of course if you are a health system that crosses states.
DR. PHILLIPS: Two of the issues that I heard a couple of times and I apologize if they have been mentioned. I just did not catch it. One of them was the idea of applying minimum necessary to treatment. And the other was something Mark brought up way at the beginning that was mentioned a little bit later was the idea of replacing patient identifiers with linkable numbers so that folks in billing areas and other areas could not identify those patients, but still needed information to work from.
DR. RIPPEN: I guess I will just add for balance. I know everyone is concerned about over compliance, but I think that it is clear that there is a lot of under compliance. I think the challenge of everyone sending entire EHR records, no one is going to actually report themselves for did you need this all when it is a lot more difficult to capture. I just wanted to have a balance there.
MS. KLOSS: The concept of standard of reasonableness, which I think has already been said because flexibility came up earlier. I think it is okay, Debbie. I do not think you need to add it. It is number two.
MR. CORNELIUS: I would add resolving disagreements relating to standardization of implementation.
DR. EVANS: I would like just to put on the table as a subset of the sensitive data how do we reconcile the dialogue we are having about sensitive data with the guidance OCR gave on February 6 in that final rule that sensitivity of data is too subjective for a regulator to define it. This issue has ongoing vitality and yet the agency has made statements that how do we reconcile at all. It was in the preamble to the access rule on February 6, 2014. There was a lot of dialogue. There is this ongoing desire for sensitive data to be defined, but it is really almost too slippery and subjective to allow a regulatory standard to be set. It is a general discussion. We can pull it down and just see how it fits. I just think we have a reconciliation of different statements we need to do for such a long thing, but just how do we reconcile everything into a consistent framework.
DR. SUAREZ: I think my biggest – is minimum necessary and breach.
DR. MAYS: This came up, the issue about cybersecurity for HIPAA. I think cybersecurity right now is a big deal. Who and what and how it is dealt with I think we definitely should pay attention to.
MS. LOVE: It really applies to my earlier one with relevance. Minimum necessary does not lend itself to data mining or big data. It is kind of redundant to my other one, but more specific.
MS. GOSS: Minimum data does not lend itself to big data mining is what she said. I would add the definition of a covered entity was brought up. It was a dynamic that noncovered entity does not have to comply. We know that there are certain –
PARTICIPANT: I thought HIPAA defined covered entity pretty well so redefine it.
MS. GOSS: We need to expand it. But that is actually part of our recommendation to the Review Committee letter from February 29.
MS. KLOSS: Anything else?
DR. PHILLIPS: To Denise’s point, the whole conversation we had on Tuesday with the folks here from NHAMCS. They are probably getting entire EHRs – for millions of people. They are opening up – participating in NHAMCS as an alternative for meaningful use requirements.
PARTICIPANT: I could not believe they were not getting push back. I saw there and –
DR. PHILLIPS: We are at that point where you have this rich opportunity to learn so much more about the health system and health care generally. We have to be careful we do not shut that down.
DR. SUAREZ: When you say NCHS —
DR. PHILLIPS: Right now, they are largely getting CCDs because they are touching the systems that can produce those. When they branch out to a broader swath of health care, those docs will not be able to produce CCDs. They will want to dump their entire EHR because I am seeing that happen right now.
DR. SUAREZ: You are not talking about the surveys?
DR. PHILLIPS: I am talking about the surveys right now has an option to grow in leaps and bounds and the kind of data they are able to collect and analyze.
PARTICIPANT: Because the survey actually – they go in and they actually —
DR. PHILLIPS: I am just using that as an example, Walter, because other groups are going to – they are not going to be able to do what Kaiser is doing. They are going to want to give them their entire EHR into PHI data. I am not saying that is right. I am just saying that we are at a point where those kinds of big data analytics have capacity and we want to make sure meaningful use does not shut that down, but enables it in a safer way.
MS. BURKE-BEBEE: Can I say something? That is my project and you are right on target. Our intent is to keep it narrow, which is why we picked the CCD and we have the implementation guide. There is a lot of growth that we have to see and develop, but you are right. You get the technology and you can make it explode. That is not the intent, but that can happen. We are heading in the direction of not extraction or abstraction, but actually having direct contact, signing up with the organizations to respond to surveys through the CCD.
DR. SUAREZ: That is part of meaningful use.
MS. BURKE-BEBEE: Exactly, which is why we also got that perspective then to stage three.
DR. SUAREZ: But it is a sample, not the entire universe of the entire population of the US. I just want to clarify because NCHS is not collecting the 320 million –
MS. BURKE-BEBEE: Hundreds of thousands, but not millions.
MS. HINES: I guess I will go narrow again. With regards to – and I know it is probably under the segmentation, but there was the question of, for example, providing some guidance for HIEs with regards to minimum necessary and that takes more continuity of care records or documents as an option.
MS. KLOSS: I had the minimum necessary and cost management. The any and all concept drives up cost. Melissa mentioned that.
MS. GOSS: Melinda, can I just ask you about the cost thing because I know Melissa mentioned it, but I also heard Mark made a comment and I am not sure if you are including this or not around where is the tradeoff. Is the cost worth the effort for the limited bang for the buck to patient outcomes and safety that we would have?
PARTICIPANT: There was a cost to privacy.
MS. KLOSS: But that was the cost for restriction, for treatment. I think they were different contexts. Melissa’s point was that – I talked to her about this later. She has 11 FTEs doing this job in her university hospital and clarifying minimum necessary could reduce the labor cost.
DR. EVANS: I would like us to ponder when is the current application of minimum necessary inappropriate and the case in which it comes up is an example would be public health uses. Having covered entities decide they cannot give that. For a congressionally authorized public health use is letting a private entity override the will of Congress and that is a separation of powers issue and it is inappropriate. I think the agency needs to clarify that the structure of putting the onus on the covered entity to be the gatekeeper has led to some extremely legally inappropriate outcomes most notably in public health uses. I cannot seem to give a brief thing. When is it inappropriate is the bullet point because there are times when it is.
DR. RIPPEN: Can I just add a nuance to that? It is actually relating directly to that one as far as the balance. In the past, we have actually had challenges like for example abortions and things like that or I guess police access to and the health care system sometimes actually becomes the advocate. I think that in discussing that, I think it is the balance. That is all.
DR. EVANS: I think we should take a balanced look at it and its contextual appropriateness and in some contexts this is more or less appropriate.
DR. SUAREZ: I do not think we have minimum necessary and business associates as one specific.
DR. MAYS: Patient education at the point of signing privacy notices. You have to sign to say you understand this and you really don’t.
MS. LOVE: This is probably redundant in a different way, but I heard the term operating rules as a means for administrative simplification, but maybe that is overlapping.
DR. SUAREZ: That is more specific to attachments.
MS. LOVE: It was brought up as some guidance.
PARTICIPANT: I do not know that they used the word operating rules.
DR. SUAREZ: They were referring to operating rules from health plans and AHIP. It was – of the attachments because the problems with attachments of course are the risk of having a lot of data. But it is operating rules under HIPAA.
MS. LOVE: So then I would translate that to administrative simplification, which is some of the things that came up earlier.
PARTICIPANT: What is the point? The operating rule?
MS. LOVE: We are not doing one-off reviews all of the time. I think it is covered —
MS. GOSS: Is it implementation consistency guidance that we are looking for is another way to put it?
MS. LOVE: So you are not having a person sitting in a health system making a one-off determination that might differ the next week.
MS. GOSS: Somebody earlier said something about the reasonableness. I had something related to that so I am not sure if I am going to duplicate or not. Before you write anything, let me clarify with whoever said it. I think there is a difference between the small, the medium, and the big organization aspect. I was not sure if that is what that person was getting at. Did you say it?
MS. KLOSS: I did, but I did it in the context of the way minimum necessary was designed and written was to be not a prescriptive standard, but a standard of reasonableness. Your point is different. Is there a one size fits all?
MS. GOSS: Scalability.
DR. PHILLIPS: I liked how Mark started off the day too. At the end of the day, I want to understand what is the patient’s experience going to be. Is it still signing a meaningless piece of paper that they have no idea how it will affect – how their data get used? And the person having them sign it has no idea what it actually means. Does any change of minimum necessary lead to a different experience at that point?
PARTICIPANT: Like my Apple agreement when I download something. I have no idea what I am agreeing to.
DR. RIPPEN: I would add to that because it ties in with the education component. That is transparency. Guess what? These are going to be ones that get shared. You can like it or not like it. Maybe even think about what you say because that is going to be the reality. At least there is transparency about it.
I think then with regards to one that I would like us to consider as we think through the challenges and all these different themes is technology is changing. A lot of these things are manual to some degree. They may have operating directions. We have this interoperability timeline and we have all these IT – at least from reporting quality improvement and all the rest of the stuff. We should consider how that might play with maybe advances and technology to support the streamlining of these processes of minimum necessary and think about it in that term. If we have 11 people trying to figure out how to get the data and link it and send it, shouldn’t we think about it also in terms of functional requirements of systems? I just want to throw that in there too.
MS. KLOSS: I had just one more and that was I liked Bob Gellman’s advice to us of thinking short term and long term. I think that does take in the technology and the other – ideally, down the road if the patient had more say about how their information were being accessed and used as that ramps up, these decisions —
MS. GOSS: Am I hearing you say that we need a roadmap?
MS. KLOSS: No, but I did hear a lot that tees up the subcommittee’s next work effort. The privacy stuff going forward. Where that left me thinking was maybe what we focus on now are the short-term issues. Then we tee up a lot of these issues that will roll right into the future of privacy discussion and roadmap discussion.
DR. EVANS: I would like to see some thought about how the concept should be administered. This gets to the point earlier about continued relevance. Is it meaningful to apply this before the data use or can we only know if the minimum necessary data were requested after the data use to see? Have people requested more data than they needed and some is now leftover? Can it be applied at the point in time that the regulation is currently applying it? I would put that under we need to take a look at whether the current administration of the concept as outlined in the regulation still works. It may.
MS. KLOSS: We may be able to describe the limitations of the current view. Do we have any others?
DR. SUAREZ: One that I think is a very overarching one is the definition of minimum necessary and defining somewhat I could for lack of a better word guiding principles, guiding concepts. Maybe not principles, but concepts.
MS. GOSS: Are you adding to the – because I think we already had the definition. Are you looking at another aspect? Remember, Denise said it. Maybe it was Vickie who said it.
MS. KLOSS: We will clean up duplicates.
DR. SUAREZ: This is about defining reasonableness, defining necessary, defining relevant, all those terms that were used to describe minimum necessary. The definition of minimum necessary and then the guiding principles or concepts.
DR. MAYS: I guess the theme is how special is mental health. It is the issue of should it be treated as all other things or do we always have to go back and make sure that there are points at which it needs to be carved out differently.
MS. KLOSS: How special is mental health?
PARTICIPANT: If you do not have it, you will know how special it is.
MS. LOVE: I feel like we are throwing solutions out, but I am not sure I know how to define the root problem. I think some clarity on the problem would help too as we sort through this.
PARTICIPANT: Do you need us to elaborate more?
MS. LOVE: As we put a report or recommendations together, understanding really the root. We have a lot of problems, but what are we really trying to fix? What is the root cause? And then I think that will help at least some of these great solutions.
DR. SUAREZ: If I may say on this point, I think the input from OCR about a description of the areas that this particular – like I said, this is the fifth largest issue that they deal with. If they can describe within the fifth largest issue, what are the top five or the top ten problems? What is it that people or whoever is raising it whether it is an investigation that brought it up or whether it is a consumer that brought it up or whether it is a provider?
PARTICIPANT: And that would drive in – because you do not want to fix something that is not broken.
MS. KLOSS: I do not think we are going to get a lot of clarity from that. Devon is going to go back and take a look and give us it. But her impression is that the complaints are coming from individuals who suddenly realize how much of their information somebody else has. I do not think that is going to tell us.
PARTICIPANT: Some of these solutions would not solve –
MS. KLOSS: The consumer education may, but no. I think we still have the original question that they pose to us is to understand the challenges and potential areas of clarification in light of new and evolving practices. I think that is why we are doing this.
MS. GOSS: I think we had something about guidance, but I was not clear. To me, guidance is usually a much more formal process from the feds. There were a lot of comments about the FAQs, which can also be viewed as guidance, but I wanted to make the distinction that there is the need for really clear – there needs to be a way to help the industry get their arms around or be consistent with interpretations of things in the FAQ tool. I think it is a really important thing because we have – we get a bunch of people in the room like 30 people. You might get 40 different opinions. What we need to do is get down to constraining the interpretations.
DR. EVANS: It would be helpful if OCR could have more transparency in its enforcement procedures. You can go on their website to the enforcement page and see what the various sources of complaints are. In some, they post the corrective action plans they agreed. There is kind of a black hole here I perceive where they have not put much information up about what does a violation look like and what do they do when they detect one to fix it. It may be that just some better reporting procedures for these types of violations could really help the community understand how to comply.
MS. KLOSS: Do you have any others?
DR. EVANS: I have some, but they could be subsumed as subparts of other ones. I call it quits. I will fold right now if we want to move on.
DR. SUAREZ: There was a specific reference to worker’s compensation that I think would be helpful to consider. I would just say minimum necessary and worker’s comp. Within that, there is worker’s comp and property and casualty and other non-covered entity types. It is sort of there, but I think it is special worker’s comp.
PARTICIPANT: Minimum necessary does not apply, but I think it should.
MR. CORNELIUS: There was something along those lines about the cost of this, producing full volumes of records that were being very delicately danced around that those institutions are absorbing. That needs to be fleshed out.
PARTICIPANT: I did put cost.
MS. KLOSS: Walter, anything else?
DR. MAYS: I have two left. I cannot compete with Walter, but I have two left. One of the things that came up was this issue about selling data. I think the question of privacy and the selling of data is probably something we should think about. I know it got said. We were going to talk about it a bit tomorrow, but I think it still should be up there.
MS. LOVE: There is a nuance just from – if it is states, sometimes they do charge for the cost of actually doing the work. Sometimes people call it selling. It is becoming a state – requirement.
DR. SUAREZ: I mentioned ACOs and I think it is important to consider minimum necessary under the new delivery reform structure like ACOs and others. Call it minimum necessary and ACOs.
DR. MAYS: My last one is less of a suggestion and more of something to offer and that is I am a little concerned about thinking out the technology issue. I would be happy to ask our work group to look at especially where those recommendations were given to us about technology to ask the work group their thoughts about it if that will be helpful.
MS. KLOSS: Walter, anything else?
DR. MAYS: An examination of the trends and technology and how they may impact some of the recommendations that were made in that area. I was going to ask the work group if they would think about it for you.
MS. KLOSS: Anything else?
DR. SUAREZ: The one part I was very surprised – reported numbers from the survey that AHIMA provided where only 30 percent did not know if they had a minimum necessary defined internally, 50 percent – we know these numbers show the backup even internal definition of a policy. I would bring it up as a minimum necessary organizational policy and procedure and helping define that, provide guidance around that. I think maybe every organization should have – define internal policy – since this is such a —
MS. KLOSS: Susie, do you want to put up our shorter list? I think what we will want to start doing then is summarizing these into more overarching themes and clustering together and then deciding. Thank you all for listening carefully. As we start trying to summarize into some overarching themes, I would like everybody to weigh in on what their gut says about whether we have enough from today’s testimony and study to move forward or if there are some big holes. We came up with ten. Maybe these can either be further collapsed. I do think that the work of the next week or two is to group what your 40 has said into some clusters. As Susie listened all day, her first one was that we need to step back and develop a working definition. I think that has come up in several ways in what you have reported.
Guidance. I take people’s comment to heart that we probably need to look at guidance along a continuum from more formal guidance to the FAQs. Maybe in thinking about this, we do not see this. Let me throw something out and just react to it. I do not see coming out of what we heard today recommending regulatory change. Does everybody agree with that or are we just still going to mull that over?
PARTICIPANT: The question was more than if we expand who should be following it. In that case, it could.
MS. KLOSS: That is true. If the definition of covered entity – you would not rule that out yet.
DR. SUAREZ: It would be helpful not to preempt or preclude. There are a number of recommendations that could result in some suggested data.
MS. KLOSS: That is premature.
PARTICIPANT: I think OCR is open to that.
MS. KLOSS: We have some range of guidance from FAQs to regulation with points in between and some of these topics may drop into different buckets.
We heard some special case areas and a number of those came out that there are some targeted special circumstance areas that may need special guidance: mental health, sensitive information, business associates, and worker’s comp. We had quite a long list that may be targeted out for some special either further study or some special attention.
DR. SUAREZ: May I say one quick thing? Within that, there was a very important mention by Bob and Mark and others of law enforcement and national security and these concepts that are becoming more and more. Big issues around access to health information, access to information about an individual. That is 1 of the 12 exempted areas including public health and others. I think guidance around that, not just for the industry, but for those requesting it, which is law enforcement. I think Bob mentioned it very clearly. Law enforcement – and do not understand it. There is some consideration around – but they have their police and their investigative and their need to access information and rather quickly. I think it is important to help the industry to understand it and certainly law enforcement to understand it.
MS. KLOSS: Susie captured the whole range of better use of technology from EHR functionality, HIE, workflow, interoperability. We talked about technology in the context of minimum necessary. There are a number of areas where that came out again.
DR. MAYS: I am going to suggest that if you want the work group to do something, you send us an email and then we will send it out. There are some really specific people that I can ask to comment on it.
MS. KLOSS: Data segmentation. Susie identified that as a major and recurring theme. We captured that. The patient centric. I guess that is a couple of different things. Who controls it? I guess I would probably reframe that to better reflect Barbara’s concept of who makes the determination.
DR. SUAREZ: I think it is important to mention or to discuss minimum necessary and consumers. I think consumers have different roles and relationships to minimum necessary. Certainly one of them is the consumer requesting some restriction and then if the provider agrees – the consumer – but then the actual consumer asking for the data. Minimum necessary does not apply to it. I think we had some points where it sounded like there was some confusion about the consumer asking for it and minimum necessary or how consumers use minimum necessary or think like that. I think it is worth discussing minimum necessary and consumer with the different perspectives.
MS. BURKE-BEBEE: I was thinking when I put that number six together about the data segmentation, which was the one above it. It blended to me the consumer as a patient wanting to have certain information segmented and how that would be – by minimum necessary and then who is making that decision. At the end of the day, what I heard is that it was best left with the provider to decrease unintended consequences. It is bigger. It can be convoluted, but that was the sense that I had.
PARTICIPANT: But I think we might want to break that out.
MS. BURKE-BEBEE: I was not going to do anything with these, but to have 40 and these and then come together.
PARTICIPANT: We will bring these together.
DR. SUAREZ: The point here at least that I see with respect to your comment, Susie, of the patient. Right now for good or for bad, the consumer for the most part only has a right to request a restriction. That is the right they have. They do not necessarily have a direct right to restrict. Maybe there could be one or two instances. I am legally not sure yet. The HIPAA provision is that the consumer has the right to request that certain data be restricted. The provider can accept or can say no, we do not think it is appropriate. It is a very different level. I think under 42 CFR Part 2 there is a specific law that says you cannot disclose the data unless you obtain the consumer’s consent. But I think it is important to distinguish because we are not in a country where consumers have the right to restrict. They have the right to request a restriction.
PARTICIPANT: They have a right to know about their record, which I also heard. When they know, they may want change and whether they have the right to that change at this time.
DR. SUAREZ: No, that is a request for an amendment that you are saying.
PARTICIPANT: I understand.
MS. KLOSS: Increase in education outreach, engagement. We have captured that. Minimum burden and costs. Minimize the burden and cost. We have captured that. The downstream uses of data. I do not think we are going to solve the – we are not going to address the big data issue in here, but setting policy that takes into account and does not do anything to impede valuable downstream uses.
Your comments on weakest links.
PARTICIPANT: I just added those to capture them. That was my interpretation of what I heard.
MS. KLOSS: Is that others’ interpretation that the authorization – that there is casual use of authorizations? If not abuse, it certainly is casual.
PARTICIPANT: If there is an authorization – if data are released pursuant to an authorization, the regulation says minimum necessary does not apply.
MS. BOWEN: What we are seeing is that often the patient will sign that authorization in the early days of the discussion of what are the needs and then as it moves forward, they find out what they truly need. That will be defined in the request letter. Right now, sometimes there is an authorization and there is a request letter. My organization’s philosophy is that you use the two in tandem and that the request letter can further narrow what has to be released or should be released. It could never broaden it, but it could definitely narrow it. Some are not taking that stance. They are just looking at the auth. It says any and all and they are sending it out. And that to me is an abuse.
DR. EVANS: I have some concerns about an organization even with benevolent intent overriding a patient’s authorization and saying you did not really mean to authorize what you said. I think the proper procedures should be looked at and might include going back to the patient and asking do you want to stand by your authorization. I hate to override a signed authorization even with benevolent intent without pausing for a moment.
MS. BOWEN: I think there is only one area where it has been over extended.
DR. EVANS: It sounds like an issue well worth looking at, but I just do not know where the ethics of it lie without further thought.
PARTICIPANT: And then the second one you wrote.
MS. BURKE-BEBEE: Just pre-directed requests. The example given was disability. That is when we give more information than we should.
MS. BOWEN: I am actually saying just the opposite. I am thinking that the request for disability – there is no requirement of minimum necessary. However, I am saying that perhaps we have an area for improvement if it is applied and it is considered to be applied there. It is more directed as to what the true need is so they can receive the correct information rather than just a generic abstract.
MS. BURKE-BEBEE: I thought one of the themes and the concept that I was trying to gather here was something that you said about giving incremental information. Why not give it accurately?
MS. BOWEN: Exactly. If you knew exactly what was being requested through that request rather than saying any and all information related to a specific issue. Not all people who are responding to that request might be able to discern that information. That was the concern. If it is going to be stated that way then you have to raise the level of education and of the person who is applying the knowledge to actually abstract that information out to pull it forward. That adds to the cost.
MS. BURKE-BEBEE: We hear the problem of giving it all, but this is more the opposite of giving it just – we are trying to get the sweet spot. Not giving too little. Not giving too much.
PARTICIPANT: You want to give the right amount of information to resolve the issue.
PARTICIPANT: To allow for the disability to –
PARTICIPANT: You called that predirected? Was that the term? Maybe I misunderstood that.
MS. BOWEN: I think what I was referencing is that many organizations that we are associated with, we are seeing them say instead of giving the entire record, they are giving us a predirective to say this is the abstract of the record you should provide. There is a listing of an abstract to say just give them this information. If that is not sufficient then there will be a second request.
PARTICIPANT: That is for disability.
MS. BOWEN: Yes. And we are seeing that also directed by some covered entities for continued patient care because they are saying they do not want the entire record to be sent. We will send them these components. That is a real concern.
PARTICIPANT: That gets to Barbara’s point.
MS. BOWEN: As a business associate, we follow the covered entity’s direction on that. Otherwise if there is no such direction for continued patient care, they get what they ask. If they want the entire chart, they get it.
PARTICIPANT: That is the over compliance.
PARTICIPANT: I think that goes to the segmentation discussion.
DR. SUAREZ: I am just trying to understand. Susie, you created this list. This is different than the 45 things. At some point, we are going to merge all of them — I just want to make sure that we are not considering this the overarching themes.
MS. KLOSS: No, we do not want to lose any of the detail.
DR. SUAREZ: There is some duplication here and then there are some additional valuable things.
MS. KLOSS: I think where we proceed next then is to clean this up and organize what you have articulated, review once again the testimony received, and put together an outline that then we work on as a subcommittee and see what we really want to address in a letter now or use this short-term/longer-term framework. Does that make sense? I see us quietly working behind the scenes and teeing up for you a document that has this in a draft outline and then separated by short-term/longer-term. And then that is all up for grabs and discussion.
At this point, this making sausage has to be taken offline to start writing. I think we are rapidly getting to that point.
MS. JACKSON: Quick question. Just as you did not have one of your speakers that you wanted to hear from, the question is often when you are compiling things, you start wondering where your gaps were, who didn’t you hear from. Is there going to be a way to get any further input?
MS. KLOSS: One of the individuals who was to provide testimony did not come and does not seem to be intending to submit written testimony. I think we just —
DR. SUAREZ: I was going to ask one thing about that. I want to make sure we at least consider any elements that we did not hear about from others – including pharmacy, labs, and other groups that might be important to hear from. We could request informal input from them via some mechanism that at least allows us to hear about that and then we can discuss it in an open committee.
MS. KLOSS: Any group come to mind?
MR. CORNELIUS: It would be if we are getting this other input we would treat it the same, but they are providing input into this hopper that we are vetting against what we are doing as opposed to sending this out to other people.
MS. KLOSS: I asked that question informally of Devon McGraw. I said is there anybody that should have been here today that wasn’t here today. Were there any perspectives that she thought we should have heard from that we didn’t? She said she thinks we are right on track. We should feel comfortable proceeding. But we may just decide that we really need to drill down more on, for example, the technology vendors. We had invited the EHR vendor association to provide testimony, but it was too late in the game for them to help us. We may go back to some groups on our own if we do not feel confident that we know enough to craft the recommendation at the level we are going to craft it. We are not going to get into technology specifications.
MS. GOSS: As we have done with other letters, we will post it and then hopefully ask for comments by a specified period of time so that we can process those before we would actually advance something to the full committee.
MS. KLOSS: How are you all feeling? Have we done what we can do for the good of the cause today? I was just going to say that is why you got the doodle polls from Geneva. In fact, the first call is set for I believe the week after next. Week of June 27. Do we have a set time for that first call yet? At any rate, if you responded to that series because we really wanted to get all of our calls set up for between now and –
PARTICIPANT: It looked like about ten people responded.
MS. KLOSS: We were looking at a total of four calls between now and early September.
MS. HINES: And our plan, Linda, that I heard that I think was articulated yesterday was that once the calls are set, we will send out the dates and times to the Full Committee so that anyone who is available for any of the calls is welcome to call in. We will send them straight to the agenda of both hearings so that they can read up once all the testimony is linked up so that they have in one place all the privacy related information and can plug in as they are able.
MS. KLOSS: Alix is an honorary member. You can jump in as time permits. That would be terrific.
MS. GOSS: I would definitely be monitoring this – happy to review drafts as well and acknowledge your very skillful management of keeping us on track today. Thank you.
MS. KLOSS: I think we are burned out. I think we have reached the point of diminishing returns. We are adjourned.
(Whereupon, at 4:04 p.m., the meeting adjourned.)