[This Transcript is Unedited]
September 15, 2006

Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S [9:10 a.m.]

Agenda Item: Introductions and Opening Remarks – Mr. Rothstein

MR. ROTHSTEIN: Good morning, my name is Mark Rothstein, I’m the director of
the Institute for Bioethics, Health Policy and Law at the University of
Louisville School of Medicine, and chair of the Subcommittee on Privacy and
Confidentiality of the National Committee on Vital and Health Statistics. The
NCVHS is the statutory federal advisory committee to the Department and the
Secretary of HHS on matters of health information privacy.

I want to welcome you on behalf of the subcommittee and its staff to the
second day of hearings that we’re holding on possibly extending the coverage of
HIPAA or some HIPAA like rule to currently non-covered entities. And yesterday
we heard from the life insurance and related insurance industries and today’s
two panels are employment and schools, and we may in the future look at other
applications of the privacy rule.

As we customarily do we will begin with introductions by subcommittee,
staff, witnesses, and guests, and subcommittee members should disclose any
conflicts of interest, others need not do so, and I will begin by noting that I
have no conflicts of interest. I’ll ask Dr. Tang to go next.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the
subcommittee, no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina,
member of the committee and no conflicts.

MS. HORLICK: Gail Horlick, CDC Atlanta, staff to the subcommittee.

MS. BERNSTEIN: Maya Bernstein, I work in the Office of the Assistant
Secretary for Planning and Evaluation, I’m the lead staff to the subcommittee.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member
of the committee, no conflicts.

(Introductions around room.)

MR. ROTHSTEIN: Welcome to all of you and I also want to extend a welcome to
those who are listening to our hearing on the internet.

Invited witnesses for both of our panels this morning have been asked to
limit their remarks to 20 minutes and after both witnesses on each panel have
testified we’ll have I think ample time for questions and answers which is
always I think the more interesting part of the program. Witnesses may submit
additional written testimony within two weeks if they want to Marietta Squire
or to Maya Bernstein. I would ask that witnesses and guests please turn off
their cell phones if they have them or other electronic devices that could
interrupt the hearings.

Let me backtrack a little bit and put into context if I can the purpose of
this hearing. In our June 22nd letter to the Secretary dealing with
privacy and confidentiality issues in the Nationwide Health Information
Network one of our recommendations, R-12, reads as follows, HHS should work
with other federal agencies and the Congress to ensure that privacy and
confidentiality rules apply to all individuals and entities that create,
compile, store, transmit, or use personal health information in any form and in
any setting including employers, insurers, financial institutions, commercial
data providers, application service providers and schools.

And the purpose of this is to try to reassure individuals that information
that they disclose to a non-covered entity will not be redisclosed without
their consent and so that comparable provisions will apply to all holders and
users of personal health information.

In advance of the hearings and to focus our discussion the subcommittee
distributed to each of the witnesses a list of three questions which we look
forward to hearing the views of the witnesses on these three questions. And for
the benefit of those listening in on the internet let me just briefly mention
what those three questions are.

Number one, what federal and state laws currently regulate the privacy,
confidentiality and security of individually identifiable health information
used by your organization or those you represent?

Second, if HIPAA were extended or some comparable legislation were enacted
to regulate your use of health information what effect do you think the law
would have on your operations?

And third, if instead of receiving all of an individual’s health records
pursuant to an authorization you received only those relevant to your needs how
would this affect your operations?

Now the first panel this morning dealing with employers, have you arranged
between the two of you the order you want to go in? Okay, not having done so
we’ll go by the order we have on the schedule with Ms. Sharara going first,
yesterday’s witnesses had a clearer idea of the order they wanted to go in and
it wasn’t ours so I just wanted to make sure I wasn’t offending your sense of

So please, welcome, and we’re anxious to hear your testimony.

Agenda Item: Panel II – Employers – Ms. Sharara

MS. SHARARA: Thank you, good morning. My name is Norma Sharara and as I
mentioned I am a lawyer in private practice in the Washington, D.C., law firm
of Luse Gorman Pomerenk & Schick but I am appearing today on behalf of the
Society for Human Resource Management, SHRM. SHRM is the world’s largest
association devoted to human resource management representing more than 210,000
individual members. The society’s mission is to serve the needs of HR
professionals by providing the most essential and comprehensive resources
available. As an influential voice the Society’s mission is also to advance the
human resource profession to ensure that HR is recognized as an essential
partner in developing and executing organizational strategy. SHRM was founded
in 1948, we currently have more than 550 affiliated chapters within the United
States and members in more than 100 countries. So when we’re here speaking with
the subcommittee today we feel that we have the best interests of our
membership which is a very broad cross section of human resources professionals
in mind and speaking on behalf of how employers view health care privacy.

HR departments are involved in very critical and personal decisions that
employees make about health coverage, retirement, and other benefits. In
providing information, guidance and materials to employees on these issues
human resources understands the importance of maintaining the confidentiality
of employee’s employment and medical information, this is not a new area to
professional human resource career developed individuals. SHRM is pleased to
have the opportunity to explain how employers use medical records in the
employment context and offer suggestions on how best to protect the
confidentiality of medical records of employees and health plan participants.

My comments today will focus on three areas, the use of health information
in the workplace, concerns about the expansion of mandated rules regarding
health information and privacy in the workplace, and protecting the
confidentiality of personal information in the workplace.

One of the questions that the committee asked us to answer has to deal with
use of medical records. As you probably know, everyone here being gainfully
employed, you filled out your own human resources forms, you’ve met with your
own human resources department, you know what it is like to be hired, maybe to
be fired, and to transition to a new job. You know all of the paperwork that’s
involved in the employer/employee relationship.

Medical records come into the hands of employers in a variety of ways. In
designing health care plans human resource professionals depend on access to
health information in order to figure out the features and the level of
benefits that they ought to be offering their particular workforce. For example
in setting annual out of pocket limits the employer needs access to aggregate
health care claims experience based on its own workforce’s information. In
addition an HR professional in many instances will need similar cumulative
health data to obtain premium bids for health insurance coverage or to set
health insurance premium rates.

Employers use health information to determine eligibility for non-health
benefit programs such as disability, workers compensation, wellness benefits,
and employee assistance plans. We also are responsible for tracking compliance
with substance abuse treatment. In these health benefit programs employee
health information often must be shared with others involved in those programs
in order to allow the employer to design, manage and tailor their health
benefit plans more appropriately to meet the needs of their employee
population, also to improve health benefits effectiveness and quality and to
manage the costs of these programs.

Keep in mind it is a voluntary system, employers are not legally required
to offer health care and if too much regulation or too much emphasis is put on
compliance with laws that get in the way of operating a business the owner of
the business might make a business decision not to offer health care.

Employers are subject to a variety of laws currently, I’ll summarize them
briefly. The Family Medical Leave Act allows employees to take up to 12 weeks
of unpaid leave for their own serious health condition or for that of a spouse
or family member. The employer must collect relevant medical information on the
nature of the serious health condition. An employer may require a doctor’s
written certification before an employee can take FMLA leave for the employee’s
own serious health condition or that of a spouse, child or parent. For example
most employers who provide employees who request leave under FMLA with the
certification of the health care provider form that must be completed by a
physician or health care professional in order to determine if the individual
qualifies for the leave. This information although not mandated to be kept
confidential is kept confidential by human resource professionals.

In addition workers compensation laws bring health care issues into play.
Workers compensation insurance statutes establish a process through which
employees who are injured or contract a work related illness on a company’s
premises or performing duties within the scope of employment are covered from
medical costs in any related disability. Medical information is necessary to
file a claim and is used to determine whether or not an injury is work related.

The Americans with Disabilities Act is another federal law where medical
records may be used to help determine if an employee has an
“impairment” that substantially limits one or more major life
activities, or has a record of a substantial limiting impairment. Moreover
medical information is often an integral part of determining a reasonable
accommodation for disabled employees. Since employers are required to determine
whether or not an employee or an applicant has a disability covered within the
meaning of the Americans with Disabilities Act the individual’s medical
information is often required. HR professionals and employers would face an
insurmountable challenge in making proper decisions without that information.

Occupational health and safety, which Jim is going to talk about later, is
another area that employers must collect information about, medical

SHRM is concerned about expanding the federal mandate for health insurance
privacy. Currently at least a dozen different federal laws impose recordkeeping
and retention requirements on employers. We’ve named the Americans with
Disabilities Act, the Family Medical Leave Act, workers compensation, and of
course HIPAA. Each law has its own retention period and its own recordkeeping
requirements and its own and different levels of protection. Employers
routinely maintain a personnel file for each individual containing those
records relating to employment, your application for the job, your resume, your
transcript, your job description, hiring, promotion, transfer, a layoff,
firing, performance evaluations, educational records, those are all in your
human resources file, go back to your office and check, it is.

There’s a separate file, the separate file your employer maintains for you
has your medical information, it’s not mixed in with your job review, it’s not
mixed in with other things. HR professionals routinely maintain separate
confidential files for information, the EEOC records are kept separate,
immigration forms are kept separate, invitations to self identify a disability
or veteran status, safety training records under OSHA, and other rules that
apply to federal government contractors who do work with the Department of
Defense. HR is charged with keeping confidential all of this information and
they do.

In addition every state has its own set of rules, in addition to workers
compensation, varying from state to state, different levels of statutory rights
of individuals to have access to medical information, restrictions on
disclosure of information by the record holder. Most states lack a
comprehensive medical privacy law but have statutory privacy protections that
apply to certain entities or certain conditions. HR routinely handles all this,
it’s what we do and we think we’re good at it.

The administrative burden, however, including oversight, reporting,
disclosure, tracking, legal and staff training, and expense, of compliance with
all of these numerous federal and state laws that govern employer’s use of
health information can be overwhelming for employers, especially small
employers which, as many studies show, is the growing sector of the economy.

Employers are in the process of complying with HIPAA security but it’s a
very time consuming and costly effort. According to SHRM’s 2006/2007 workplace
forecast one of the most important HR trends is the impact of the workplace’s
growing complexity of legal compliance, so the increased burden of legal
compliance is the number one issue that our members have identified as
something that needs to be addressed.

SHRM concurs that safeguarding employee health information in the workplace
is a high priority, frankly I don’t think that employers are abusing the
information that they get, they’re hardly making it available on the street
corners and they’re not talking about it at the water cooler. HR professionals
know how to keep information confidential.

SHRM and its members have serious concerns about any proposal that would
mandate new requirements for employers regarding the privacy of health
information. SHRM recognizes that health information should not be disclosed
for unlawful reasons such as a decision to hire where a candidate is otherwise
qualified to perform the essential functions of the job, or to terminate
employment because of a perceived or actual disability. Unlawful disclosures of
protected information should be punished appropriately. SHRM believes that the
current law adequately protects the privacy of employee health information.
SHRM members already are subject to the numerous laws regarding privacy and

In addition as a matter of best practices human resource professionals have
adopted policies and procedures designed to safeguard individual health
information within the sphere of their own workforce. Even prior to HIPAA
privacy rules employers had taken numerous steps to safeguard employee health

In conclusion SHRM believes that a voluntary common sense approach built on
best practices and current law represents the most appropriate approach to the
issues surrounding protecting the confidentiality of health information in the
workplace. Current federal medical record privacy law does not apply to all
employers or even to all holders of personally identifiable information,
expanding current federal medical records law to all employers is one way to
create uniformity, expanding the coverage of existing rules however is likely
to result in additional recordkeeping burdens on employers without improving

If expansion in this area is deemed necessary, whether it is an expansion
of the number of entities covered, or an expansion of the number of rules, SHRM
respectfully suggests that the following issues be taken into account.

First, employers already operate under numerous federal and state laws,
lack of harmonization of these requirements can lead to confusion and
unintentional errors coupled with significant penalties.

Second, in addition to various federal laws state laws have specifically
addressed privacy of medical records. While many of the state laws track HIPAA
employers are nevertheless obligated to conduct a thorough review of all
applicable law to ensure that they are in compliance. To avoid the expense and
possibility of error state laws on medical record privacy should be preempted
as part of any expanded federal privacy regime.

Third, any expanded federal regulations should be carefully targeted to
address existing harm. SHRM agrees wholeheartedly that harm done through
illegal disclosure of medical information should be punished. SHRM has serious
reservations however about provisions designed to control the flow of
information in the workplace. Employers and HR departments assist employees
with many work/life balance issues, health care billing disputes, any number of
things on a day to day basis that may result in the employee’s disclosure of
health information. It’s critical that the mere possession of information be
separated from the use of the information for discriminatory or other illegal
purposes. Best practices and model protocols based on existing procedure and
current law should be encouraged to protect information coupled with
appropriate punishment for intentional acts.

I’d like to thank the committee for this opportunity to appear before you
today and SHRM looks forward to continuing to work with you on this issue. I’d
be pleased to answer any questions.

MR. ROTHSTEIN: Thank you very much for that testimony, you’ve raised a
number of questions for us I’m sure that we’d like to probe with you at the
end. But we’re going to defer that for just a minute and hear from Dr. Tacci,

Agenda Item: Panel II – Employers – Dr. Tacci

DR. TACCI: Panel members, good morning, my comments have been submitted in
written form. My name is Jim Tacci, I wear several professional hats, I’m an
assistant professor and residency program director at the Department of
Community and Preventive Medicine at the University of Rochester Medical
Center. I’m also a site medical director for one of upstate New York’s largest
manufacturing facilities and perhaps most applicable to these proceedings I’m
an attorney and co-author of a HIPAA compliance manual that was published back
in 2003 when HIPAA was on everyone’s absolute front burners —

MR. ROTHSTEIN: It’s still on some of us.

DR. TACCI: Among other activities I serve as the co-chair for the American
College of Occupational and Environment Medicine’s Committee on Ethics and the
co-chair for their Health, Law and Policy Section. And I’m here today
representing ACOEM and on behalf of ACOEM and its members thank you for this
opportunity to provide comments on the possible expansion of protections
afforded by the HIPAA privacy rules. My comments will in large part be
restatements of prior ACOEM positions which promote the protection of
individual’s health care information, seek to limit the inappropriate use or
disclosure of such information, reiterate the logical role of physicians as
gatekeepers of that information, and seek to minimize any undue influence that
is sometimes placed upon physicians to inappropriately disclose health

At times I may intersperse personal or anecdotal experiences in this regard
but I’ll always try to make a distinction when I’m speaking on my own behalf or
speaking on ACOEM’s behalf.

By way of background as many of you may know ACOEM represents approximately
6,000 physicians and is the world’s largest and preeminent organization of
physicians specializing in the practice of preventing, assessing, and treating
occupational health problems. Occupational and environmental medicine seeks not
only to prevent and manage occupational and environmental injury, illness and
disability but also to promote the health and productivity of workers, their
families and communities.

As I think you also know occupational medicine physicians not only interact
with patients, their families, other health care providers and health insurance
carriers but also somewhat uniquely tend to routinely interact with
employers including CEOs, general counsel, human resource personnel, plant
managers, etc., as well as other health and safety professionals including
industrial hygienists, safety engineers, ergonomists, etc., workers
compensation, disability carriers. Our members provide clinical or consultative
services in a wide variety of practice situations including clinical services,
medical surveillance, fitness for duty examinations, pre-placement
examinations, independent medical evaluations, disease and disability
management, analysis of aggregated clinical data, health promotion and wellness
programs, occupational illness prevention programs, and employee assistance
programs. These activities are performed in the context of myriad federal and
state health and safety regulations many of which have already been noted. I
will probably list them in the context of my comments but I will forego the
detailed descriptions of them since you’ve already heard that testimony this

Now these activities and programs can result in the prevention, early
diagnosis and treatment of disease and encourage employees and their families
to practice healthier lifestyles. If medical information gathered from such
programs is not kept private participants in these programs may be in greater
jeopardy and may be at greater risk for not participating fully in them.
Protecting confidentiality and privacy is imperative to preserving patient
trust and employee trust in the workplace.

ACOEM has a longstanding record of advocacy in support of the preservation
of the privacy of medical records, particularly employee medical records. This
has for many years been a fundamental tenet of ACOEM’s Code of Ethical Conduct.
Since 1994 ACOEM has called upon Congress to ensure the privacy of employee
medical records. On several occasions since 2001 it has been ACOEM’s privilege
to provide this committee and other committees of the Department of Health and
Human Services with suggestions as to how the long awaited HIPAA privacy rules
might be improved to better protect individual’s health information or to
better equip our physicians to safeguard that information. And as previously
noted we appreciate that opportunity to do so again today.

As was noted by our subcommittee chair today we’ve been asked to address
three distinct but related questions dealing with the possible expansion of the
protections afforded under the HIPAA privacy rules.

First, what federal and state laws currently regulate the privacy,
confidentiality and security of individually identifiable health information
used by your organization or those you represent?

Two, if HIPAA were extended or some comparable legislation was enacted to
regulate your use of health information what effect do you think the law would
have on your operations?

And then third, if instead of receiving all of an individual’s health
records pursuant to an authorization you received only those relevant to your
needs how would this affect your operations?

These questions will be addressed in the context of either our member
physicians, their employers, or perhaps both. For each where applicable I’ll
try to point out potential advantages, potential disadvantages, and possible
unforeseen or unintended consequences of those changes.

In terms of question number one, what federal and state laws currently
regulate the privacy and confidentiality and security of your organization’s
members or those they represent personal and protected health information,
those have been again nicely described but just in summary, on a federal level
many but certainly not all of our physician members and/or their employers,
based on their activities and the type of transactions in which they are
engaged, are considered covered entities under the HIPAA privacy rules and/or
security rules, and are therefore governed by the HIPAA privacy rules.

In addition and apart from HIPAA nearly all of our physician members and/or
their employers operate within a regulatory framework that requires and governs
the use and exchange of individually identifiable health information including
but not limited to the Occupational Safety and Health Act, or OSHA, the
Americans with Disabilities Act, the Family and Medical Leave Act, the Mine
Safety and Health Act, etc. In addition occupational medicine physicians and
their employers have obligations under other federal standards such as those
issued by the Department of Transportation as with commercial driver’s license,
the Department of Energy as with nuclear operators, and the Environmental
Protection Agency just to name a few.

Again, I’ll forego detailed discussion on any of those at this time.

On the state level as has been noted our member physicians are generally
bound by rules of professional conduct typically with oversight by their state
medical licensure boards, state health departments, or state education
departments. Also on the state levels our member physicians and their employers
typically operate under rules governing exchange of medical information and/or
mandatory reporting that are promulgated by state health departments, state
insurance agencies and state workers compensation boards, again just to name a
few. In addition the labor and employment laws of a state may also typically
contain rules governing the handling of employee medical information.

The examples that I listed here were meant merely to provide a sense of the
myriad federal and state laws or agency rules that typically speak to the
handling of individually identifiable health information in the context of
occupational medicine, and under which our member physicians and/or their
employers typically operate. As noted this is not intended to be an exhaustive
list but perhaps just a representative or example list.

Question number two was if HIPAA were extended or some comparable
legislation were enacted to regulate your use of health information what effect
do you think the law would have on your operations. As noted in the response to
question number one many, indeed more likely the vast majority of ACOEM’s
physician members are considered covered entities under the HIPAA privacy
rules. Similarly many if not most of their employers may be considered at
least in part for example the so called hybrid entity covered under the HIPAA
privacy rules as well. As with any regulatory compliance it would entail an
expenditure of time and energy on the parts of the newly covered entities for
any expansion of the HIPAA privacy rules to put their operations into
compliance. Cost estimates for this may be modeled based on the past experience
of the health industry, presumably the cost of compliance per covered entity
would be less at this time than it was for initial compliance with the HIPAA
privacy rules because for many currently covered entities and/or their
compliance consultants the steepest part of the HIPAA learning curve has come
and passed and people are familiar with the rules, regulations and the nuances
therein along with various forms of interpretative guidance and frequently
asked question and answers, etc., that have been issued since the
implementation of the privacy rules. It should be noted however that while
there should be some efficiencies derived from past experience in the context
of extension of the coverage of the current rules thereby reducing the per unit
cost of compliance if you will, or per covered entity cost of compliance, the
overall cost to industry for compliance would likely be substantial due to the
fact that the number of individuals or business entities requiring compliance
plans could depending on the scope of the proposed expansion be many fold
higher than the number originally covered under the HIPAA privacy rules. Also
it would stand to reason, although not specifically substantiated by my
comments or my written remarks with precise mathematical modeling, that the
more closely any new or expanded rules matched the original privacy rules in
content and form the greater the cost savings would be gleaned through prior
health care industry experience, conversely the less that any new or expanded
set of rules resembled the current rules the greater the learning curve for the
implementation of that new set of rules and therefore the increased sort of per
unit cost of compliance.

Institution of the original HIPAA privacy rules carried with them the
promise of ultimate cost savings due to efficiencies and uniformity in
information technology, billing codes, medical records, etc., some derived from
the privacy rules, some derived from the security rules, and those cost savings
were to offset and be realized over the first ten years or so of implementation
of the new rules. The speed and the magnitude of the realization of these cost
savings has been a matter of some debate which is beyond the scope of my
comments today. However it is reasonable to assume that since these cost
savings were purported to be derived from enhanced efficiencies in the
transaction of health care business that said savings might be of a lesser
magnitude for physicians or employers who are not regularly engaged in the
delivery of health care or for newly covered entities who are not regularly
engaged in the delivery of health care unless of course there were some
parallel efficiencies that could be derived related to their regularly
transacted business.

Perhaps the greatest negative impacts on the operations of ACOEM member
physicians and/or their employers who are not currently or wholly covered by
the HIPAA privacy rules are the above referenced compliance costs and logistics
of implementation. However there are several potential positive aspects and
implications as well, they include but are not necessarily limited to enhanced
privacy protection for people’s health information, an expanded scope of said
coverage or protections which has long been advocated by the American College
of Occupational and Environmental Medicine beyond that which was provided
merely by the business associate construct under the HIPAA privacy rules, and
an enhanced awareness by those who are not currently covered entities of the
special status and therefore requisite special handling of medical records and
protected health information.

Of course as previously noted physicians are held to rules and ethical
professional conduct that are not necessarily shared across professional
disciplines and as was the case with the HIPAA privacy rules not necessarily
shared with everyone holding covered entity status. It would be hoped that any
expansion or extension of the definition of covered entity under the existing
rules or creation of new rules that expanded the scope of those covered under
some sort of medical privacy rules would also carry with it an expansion of the
legal responsibility for compliance with the privacy rules, much of which
currently rests inordinately with physicians and/or health care providers and
that expansion of the legal responsibility would apply to all of the newly
covered entities which in turn might help drive development of enhanced rules
of ethical and professional conduct in the information handling for those
disciplines as well.

One potential pitfall of course would be a false sense of security that
could come from an expansion of the coverage of the privacy rules that is not
in turn accompanied by enhanced professional standards in records handling by
non-physicians and non-health care providers. This risk could be significantly
mitigated by strong adherence to the so-called minimum necessary standard
discussed in my response to the question number three below.

Question number three read if instead of receiving all of an individual’s
health care records pursuant to an authorization you received only those
relevant to your needs how would this affect your operations. It has long been
the position of ACOEM, pre-dating the advent of the HIPAA privacy rules, that
communications related to employee medical conditions should always be limited to
the so-called minimum necessary standard.

Indeed ACOEM’s longstanding and consistent positions can be accurately
summarized as advocating for the following, stronger adherence to principles of
the minimum necessary standard, a two-way responsibility as previously alluded
to on the part of both the requestor and the supplier of health records, and
not merely the supplier, in restricting the scope of communications to only the
minimum necessary, and finally more clearly defined, perhaps through standard
protocols developed by the Department of Health and Human Services, parameters
of what the definition of minimum necessary is for use by occupational
physicians in implementing the minimum necessary standard with respect to work
related personal health information.

ACOEM does appreciate and applauds the efforts of the Department in
furthering adherence to the minimum necessary standard as the gold standard for
communication of employee health information.

To be sure adherence to a minimum necessary standard is much more labor
intense, particularly during the initial implementation phase, than merely
transmitting an entire medical record upon authorization. However the benefits
of adhering to a minimum necessary standard are multi-fold and truly create a
win-win-win scenario for employers, employees, and occupational health
physicians. First and foremost, the risk of unnecessary or inappropriate health
information about an employee being communicated becomes significantly reduced.

Second, as a benefit to employers, the less medical information they
possess about employees the less exposure the employer will have to
accusations, true or false, of having made adverse employment decisions based
on an employee’s health status.

And finally, with allowance for some requisite variation, of course, based
on the context of the information requests, workers compensation versus ADA
versus FMLA versus OSHA, etc., the more universal and standardized the approach
to adherence to a minimum necessary standard for exchange of employee health
information the less likely it is that physicians will be put under pressure
from employers, insurers, third party administrators, etc., to go beyond this
minimum necessary standard in their role as gatekeeper of the employee medical

That concludes my prepared comments but in closing on behalf of ACOEM and
its members I thank you once again for the opportunity for participating in
this hearing and as always ACOEM is happy to assist in the development of the
sound policy to protect employee medical records.

MR. ROTHSTEIN: Thank you, Dr. Tacci, that was very interesting testimony
that I know there are several lines of questions that I would like to follow-up
on but I’m going to first recognize my colleague Mr. Houston and then Dr. Tang
and Mr. Reynolds, and then I’ll go last.

MR. HOUSTON: Thank you. I just wanted to clarify just one thing in my
understanding, a lot of different statutes were identified and I know that
Norma, your comments, see if I can find it specifically, I know you were
talking about FMLA and I know that again there were a number of other ones so
I’ll just use that as an example, you spoke to the, you had a discussion about
FMLA and you sort of insinuated that FMLA had provisions in it which required
the confidentiality of information. Is it fair to assume all the different
statutes that have been cited here today all have provisions in them that
expressly require the receiving entity to keep confidential information that it
acquires through the process of abiding by those laws?

MS. SHARARA: Unfortunately that’s not the case. HIPAA was the first time
that we had a statute that specifically included mandated privacy requirements.
FMLA and ADA and the other laws that we spoke about imply that that information
should be confidential and private but there’s not a matrix necessarily that
shows you exactly how to comply.

MR. HOUSTON: So therefore you could conclude then that there is under these
statutes a right to have access to the information, or need to have access to
the information for purposes of complying with the statute but there’s nothing
other than an implied obligation to keep the information confidential.

MS. SHARARA: That’s right.

MR. HOUSTON: Okay, I just wanted to make sure I was clear on those things,
throwing a lot of statutes out there and I just wanted to make sure I didn’t
miss something. Thank you.

MR. ROTHSTEIN: And in fact, John, the case law holds that FMLA requests are
considered to be an exception to the ADA’s requirement that information has to
be maintained in separate files and in separate form and HR people normally
don’t get to see health information, get to see requests for leave filed under
the FMLA, so your point is well taken.

MR. HOUSTON: I do find it interesting that there’s all these rights to get
at information but there isn’t a corresponding obligation set forth in a
statute and I think it’s an interesting hole.

MR. ROTHSTEIN: Thank you for that question.

DR. TACCI: In fact in several regulations both on the federal and state
level the obligation to maintain confidential the information might be limited
to an implied obligation because the lines of communications may be delineated
for the process of communication but they’re silent on anything else so the
greatest strength of any obligation for confidentiality is just the absence of
any specific language to the contrary.

MS. SHARARA: And that goes for recordkeeping, forming a record, record
retention policies, etc.

MR. HOUSTON: Not to ask the obvious, do you think there is value in
expressly providing confidentiality protections for the data, the information
that is being conveyed under these various statutes you referenced?

MS. SHARARA: Privacy is a good thing, John, but imposing penalties for
doing something slightly different —

MR. HOUSTON: Well not even necessarily imposing penalties as much as at
least expressly stating that there is a confidentiality obligation, I don’t
know how far it goes so I don’t want to assume that either but I guess you have
to have a penalty if there’s going to be a statutory obligation.

MS. SHARARA: It would not be a bad idea to say which is obvious that this
should be kept private, my concern though is the rules and regulations that
would be promulgated underneath that general obvious statement would create
additional burdens for employers.

MR. ROTHSTEIN: Thank you. Dr. Tang.

DR. TANG: I appreciate the testimony because it was very illuminating. You
probably have one of the few sectors that have maintained even more separate on
a given individual than we do.

So I have a two part question, one is in health care you probably know that
we have about five percent of our hospitals, ten percent of our docs have full
electronic health record systems. Are you better off or worse off than we are
in terms of recordkeeping on employees?

MS. SHARARA: Well, it really depends, SHRM represents all sizes of
employers, obviously the larger employers who have resources have intranet
capabilities and electronic records are de rigueur. Small employers, Joe’s
Plumbing, probably doesn’t. So SHRM speaks with a voice of 210,000 members
nationwide, it’s hard to make a generalization.

One thing though I would like to comment on is SHRM has sent a letter to
the members of the House of Representatives in support of a pending bill, HR
4157, which is the Health Information Technology Promotion Act. There
essentially the idea is to accelerate the process of shifting the health care
system from a paper based format to a secure electronic format by developing
standards for transmission and storage of health information. Electronic health
information record system would help the human resources profession with their

DR. TANG: So the number of records, so the FMLA and the ADA, workers comp
and the employment records, for example, in the larger organizations they
potentially could be all electronic?


DR. TANG: Okay, and then now one of the security provisions we have, which
is a good thing, is that there be role based access, so you can imagine that
especially to try to keep the firewall going, an employer that the person, the
receptionist at the front desk would be able to know that yeah, Norma is
employed here, have no idea whether you’ve ever had an FMLA, etc., etc. Is that
standard or is it codified anywhere?

MS. SHARARA: It is standard best practices but it’s not codified.

DR. TANG: So I guess the final question or suggestion, in an ideal world,
and I’m very sympathetic to the burdens side of it, first of all it sounds like
occupational health is more or less covered by HIPAA as a practice so it’s more
on the employer/HR side. If you had uniform rule, like in a sense we do because
HIPAA sort of covers all of this stuff, if we could give without, and take
away, any duplicate or conflicting and you had to live with the privacy as John
was alluding to and the security thing that we just mentioned, things that
support the privacy policies, would that be a better world? And I understand
that’s ideal because it would have to preempt some of your existing laws but
from a health record kind of —

MS. SHARARA: I think that would be a definite plus for the industry. As I
mentioned in my testimony the health care system right now that employers
provide health care is entirely optional and often driven by the tax benefits.
If burdens become too complicated, if penalties become too onerous, employers
don’t have to offer health care and we’d hate to see that happen. So I think a
uniform system that takes the patchwork we have now, consolidates it into one
system, here’s the gold standard for privacy rules, that would help employers
feel more comfortable about doing the right thing for their employees.

DR. TANG: It seems like you have implicit rules that many of your employers
would follow anyway, codifying it wouldn’t change their practice, it could only
make things clearer.

DR. TACCI: Can I just add one point of clarification? I think it would be
too much of a generalization to just assume that occupational medicine is
covered by the HIPAA privacy rules, in fact a significant percentage of our
members do not fit squarely into covered entity status under HIPAA and in fact
that’s where some of the greatest tensions perhaps are derived because they
help form our code of ethics and there are state licensing rules, etc., they’re
held to a certain level of activity and behavior yet they’re not technically
covered entities under the HIPAA privacy rules.

DR. TANG: Would you mind elaborating on that just for my edification?

DR. TACCI: For instance as a corporate physician I can be employed by a
company, see employees every day for their health care needs, so I’m a
practicing physician yet I don’t engage in any of the transactions under the
HIPAA privacy rules that would make me rise to the level of a covered entity
status. That’s one easy example. Another one might be someone in private
practice who may see people under workers compensation scenarios, may see folks
under general practice medicine scenarios, and then may be receiving requests
for information for the same person from health insurance carriers, workers
comp carriers, perhaps third party insurers for accidents, etc., and it’s
sometimes for those members confuses the records handling because they’re
wearing several different hats and they’re wondering if that particular
information exchange is governed under HIPAA or not.

DR. TANG: Is there a ruling on that? Who knows the answer to that question?

MS. MCANDREW: It would depend on, I mean generally if it’s just a general
physician’s office and that physician is covered by, is a covered entity under
HIPAA then all of the records regardless of whether or not an electronic
transaction is engaged in with respect to that particular patient or treatment
event would become HIPAA covered. That being said there are disclosure
permissions for that information to flow in a workers comp kind of scenario as
necessary to carry out that workers comp obligations on the part of the

DR. TANG: I mean that was very helpful and thanks for your clarification,
so probably the last question I asked Norma might apply to you then with the
caveat you suggested, so to the extent that it really is just the HIPAA, the
same provisions of HIPAA that you’ve already started to understand and train
on, if that were to apply to your function as a provider in the setting despite
the fact that you don’t do transactions, would that make sense?

DR. TACCI: Yeah, I’ll take the liberty of answering both that question as
well as the part about the electronic records that was asked. For both I would
say that like any new set of rules that need to be complied with or new sets of
technologies there’s a very steep learning curve. In occupational medicine
circles just like health care circles in general the steepness of that learning
curve tends to be more onerous for the smaller providers than it is for the
larger entities. Once obtained however I think that uniformity presents
tremendous transactional efficiencies and once everybody is brought up to the
same whether it’s electronic page or a set of rules, gold standards in terms of
record handling, I think that there are tremendous efficiencies and that was in
fact taking off my ACOEM hat and putting on my attorney hat, our sort of
somewhat conservative advice to clients as the HIPAA privacy rules were being
implemented was that perhaps the safest and best thing for you to do since
these are largely your practices anyway is to govern yourself under these most
protective rules, do it now and you can spend much less time later on trying to
figure out am I a covered entity, am I not a covered entity.

MR. ROTHSTEIN: Mr. Reynolds.

MR. REYNOLDS: Thank both of you. I want to take apart a word that both of
you used because maybe you didn’t parse it as far as I would like it and that
was employer. Both of you talked, actually mentioned the word employer a number
of times. Under HIPAA there is employer and then there’s the employer’s health
plan. Norma you mentioned the HR departments but nobody ever said the
employer’s health plan area which is kind of the coveted place in HIPAA where
this stuff was supposed to reside in an employer’s environment to be protected
and dealt with, that’s the firewall, that’s the firewall from the hiring and
firing, that’s the other thing where this data is kept. I’m not familiar with
how these other laws parse employers which HIPAA kind of put a wall in there.
So if you could help me understand whether or not these other laws actually
separate sections of an employer and say they can have this and it can’t go to
the CEOs and it can’t go to others who would decide, because again, I think one
other thing, as you move down to the smaller employers the risk of somebody
having an issue as you mentioned, Norma, can drive them clear out of supplying
health insurance but it can also create that opportunity for aberrant behavior
based on the fact that it could jeopardize their company in other ways, that’s
the reality of health care these days. So if you could help me with that then I
think I would feel much better about what I think I did or didn’t hear.

MS. SHARARA: Now Harry raises a very good point, HIPAA does create a
firewall between the group health plan that the employer sponsors and when the
source of health care information is coming from the plan that is subject to
HIPAA. But if the employee walks in to the HR department and says my kid just
broke their arm that information is coming from a source that’s not the health
plan. And so the collection of medical information comes to the HR department
through different channels, when it comes from the health plan clearly it is
subject to the HIPAA privacy rules, when the employee walks in and tells you
something that’s not. And the difference there is that the HR function keeps
both types of information regardless of source confidential in its own way, the
HIPAA rubric provides particular guidelines, the best practices where HR
governs the information that you get from your individual employee coming in
and telling you something.

MR. REYNOLDS: Disclosures are fine, I’m well aware of those, if somebody
comes in and tells you all bets are off, they’re the ones that gave it up.

MS. SHARARA: Exactly. So one area that I think what you’re asking about is
how would an additional privacy rule expand HIPAA from just the source of the
information being the plan to the source of information being something else.
Is that what you’re asking?

MR. REYNOLDS: No, I’m just making sure that when you say the word employer
you are clearly considering that that firewall exists.

MS. SHARARA: Oh yes.

MR. REYNOLDS: Okay, but again, having heard both of you testify and never
say group health plan it just struck me as I just wanted to make sure I

MS. SHARARA: Oftentimes what happens with self insured plans in particular
when you are figuring out how much to charge as a premium, when you’re doing
experience rating on getting quotes for your insurance policy, again if you’re
a small employer and they say here’s on an aggregate basis your claims
experience and you’ve got one outlier out here, it’s a cancer claim, and you’ve
got six people who work for you, you kind of know who that is I mean even
though they don’t identify it specifically. So yes, there are reasons when you
have to get information under the HIPAA rules for health plan operation and
experience and cost.

MR. REYNOLDS: But what about these other laws, do they, they don’t
differentiate —

DR. TACCI: They do not and in fact I would argue that there’s several
firewalls in employment settings. Certainly in all of my comments the term
employer referred to the employer proper and not the group health plan that the
employer might sponsor and indeed that’s what typically drove the sort of
hybrid covered entity concept where the employer is a widget manufacturer and
that’s what they do, that’s what their 99 percent of their operations are
geared towards, but one percent of their operations is geared towards
administration of a health plan and that is walled off and treated, operates as
a covered entity but the firewall is there.

Interestingly as I’m sure all of you know, as they were rolled out the
HIPAA privacy rules allowed for the same person in the covered entity part, the
group health plan, to have several other functions within the HR department but
they have to sort of keep an internal firewall in their brain in terms of not
impacting any other employment related decisions or insurance rated decisions
or benefit decisions.

Speaking to the other point though from the occupational medicine
perspective there are several firewalls in place and we hold out all the time,
again and also going to the minimum necessary standard, is that when the
occupational medicine department or your occupational medicine physician makes
a determination truly the information that will pass over to HR or to anyone
else in the company, it could be a supervisor, it could be a production
manager, etc., has to be distilled down to that minimum necessary that needs to
be communicated to that person for that purpose.

So if we’re doing a new hire physical examination or a return to work
examination or a fitness for duty examination basically the information that we
should be communicating is yes or no, this person is physically capable of
performing these job duties based on the essential job functions, yes or no
they can do it with a reasonable accommodation, yes or no they need some
measure of restrictions and this is the date and the duration that we
anticipate that they can do it and truly the information communicated should
stop at only those things that are directly related to the person’s ability to
do their job. So the firewall not only exists with the benefits plan but with
the occupational medicine department or a consultant.

MR. REYNOLDS: Mark, one other quick follow-up. So as you —

MS. BERNSTEIN: You say should, when you say there’s a firewall you said it
should be separate but as I understand your previous testimony there isn’t
really, I mean if you’re not a covered entity, some of you are not covered
entities, you’re not transacting claims and so forth and so HIPAA isn’t
covering that, HIPAA isn’t causing a firewall in that case that you just
described. What is requiring that separation? Is it just your ethical
responsibility or is there some other legal or regulatory requirement that
would require that disclosure not to happen?

DR. TACCI: Typically that would come from, when HIPAA is not governing it
would come from other sources, examples would be our own, ACOEM’s code of
ethics which tells us what we should and should not share in that regard, state
licensing, and physician professional practice standards, various federal or
state labor and employment regulations but those vary obviously state to state.
So there are other either voluntary such as codes of ethics or mandatory such
as licensing and professional oversight provisions that would dictate that
communication. That is a prime example of why sort of a uniform gold standard
would be very beneficial I think and I think that it’s beneficial to as I
stated in my comments both our member physicians and also their employers who
are in turn the employers of the folks whose medical records we’re talking
about because that helps eliminate A, any undue pressure on the physician, B,
any incorrect or inappropriate sharing of information, and lastly, from the
employer’s standpoint it helps minimize any likelihood that they could be
accused of making adverse employment decisions based on information, based on
health information, etc.

MR. REYNOLDS: So basically since our focus as we’ve reviewed this and
really did it under the guise of the new electronic world that is approaching
quickly with EHRs and PHRs and every other HR you can come up with, we’re
really, at least I think we’re really just talking about making sure that if
you touch it, you see it, you have it, you protect it, and so a lot along your
lines, Jim, of what you had to say and which basically back, wouldn’t
necessarily add any more significant burden on employers unless they were
passing it around electronically and we all have somewhat of an uncertain
feeling to the depth of business, the whole business associate thing. So that’s
where we’re trying to head and I haven’t necessarily heard or seen anything
from either of you that says that’s an overly burdensome direction.

MS. SHARARA: I think it would be wonderful to clean up the current
patchwork that we have now of all the different requirements, of all the
different laws, the FMLA, the ADA, they’re wonderful laws for helping the
workplace environment but the burdens that we see as human resource
professionals currently is that there isn’t a standard set and we do the best
we can on best practices, state law, federal law, etc., etc. If there were to
be one uniform rule that would certainly make life easier. In a world where
every high school kid has an iPod and knows how to download ring tones, I mean
even for the small employers electronic technology is affordable and available
and it is something that would make good sense.

DR. TACCI: My two disclaimers in that regard are first of all I’m here today
speaking on behalf of ACOEM not Delphi which is my occupational medicine
employer. Second is that I’m not an IT guy so I’m not really tech savvy, I know
how to turn on an iPod but I don’t know what makes it tick. We have over the
course of this past year been rolling out a new electronic health record format
for our company and this speaks to the notion of keyed access and appropriate
access to records and we’re rolling it out literally this year, it certainly as
with any technology had growing pains but it does underscore the facility and
the ease of use once it is in place to have a single source record base and
then your access to that record, I as the plant physician obviously have
relatively unfettered access to the medical records, our safety personnel will
have access to safety specific information, perhaps clearances for safety
sensitive job titles, etc., but they don’t have access to the medical record,
other folks on a very specific need to know basis, return to work dates for our
HR folks, restrictions for our HR folks who are supervisors, but again, no
access to the actual clinical medical data.

So in a perfect world when you can have that sort of rolled out uniformly
and have the access keyed towards exactly what type of access folks should have
it helps eliminate a lot of these concerns in terms of what should be
photocopied and sent over, what needs to be redacted.

MR. ROTHSTEIN: I have a few questions that I want to see if I can get some
closure on some of the things that have already been discussed and one
important one that Harry just brought up of course is within employers there’s
this sort of bifurcation where the benefits information is covered and the
other information is not covered. And I assume it’s your position that the
non-covered area, which has health information, is currently now protected by
the ethical principles, professional codes and whatever of the HR or whoever is
handling that, and I gather that it’s your testimony that the level of
protection of even the non-covered stuff is basically the same as the covered
stuff which is subject to HIPAA, in other words the confidentiality controls
that apply to the covered material currently through other means now apply to
the non-covered material. Is that your testimony?

MS. SHARARA: That’s right, essentially in practice when you wake up in the
morning and come to work and have your cup of coffee and you sit down in the HR
office you think about all the things you need to get through during the day
and if you can come up with a uniform way of doing things then even though it’s
not required for the things that aren’t covered, if it works then it’s often
adopted de facto —

MR. ROTHSTEIN: So that if HIPAA or some HIPAA like regulation applied to
both worlds that would not be too much of a burden as long as we took into
account your suggestions of the need for harmonization, preemption analysis,
and so forth.

MS. SHARARA: Yes, harmony is a good thing.

MR. ROTHSTEIN: Well, that’s one of our guiding principles.

The second question, even though you represent here SHRM there’s a bigger
world out there of smaller entities without professional HR people and even
though I will assume or concede that your members are doing everything great
there are lots of non-members where the boss’s secretary keeps the health
records. Do you think that life would be better for employee privacy and
uniformity in a sense, harmonization, if the same requirements that you go by
would be applied to all employers who use health information?

MS. SHARARA: In a perfect world I believe that is true but I think what
would happen is if there was a significant bite attached to the bark then
employers may think twice about offering health care, if they’re a small
employer it’s a big ticket item —

MR. ROTHSTEIN: Well it wouldn’t necessarily be benefits stuff, it could be
workers comp claims, it could be the results of pre-placement examinations done
by some contract physician and so forth.

MS. SHARARA: I think it’s a good idea to have a uniform system that
everyone can point to one set of rules that’s workable and live under.

MR. ROTHSTEIN: Okay, thank you. I want to go back to the ACOEM issue that
you talked about before and as you discussed ACOEM members basically fall into
two camps, the ones who work in house and the ones who work as contractors or
independent and they see a few patients or whatever —

DR. TACCI: We have a governmental and an academic camp too —

MR. ROTHSTEIN: Right, and only one of these camps is now generally covered
by HIPAA, sort of the private practice group as opposed to the ones who are
working in house —

DR. TACCI: I would hesitate to make that generalization also because there
are folks, even the in house folks if they’re providing primary care and doing
billing to the health insurers, so there will be exceptions —

MR. ROTHSTEIN: There are a few exceptions. My question then is would life
be easier and from a privacy standpoint arguably better if the same privacy and
confidentiality rules that HIPAA mandates on the covered entity physicians
would be applied sort of across the board to all physicians who deal with
employee health information.

DR. TACCI: Coming back to Norma’s bark and bite thing, I think that perhaps
yes, the uniformity and the simplicity is a good thing, I think if the HIPAA
tail started to wag the rest of the dog that might not be a bad thing as long
as the dog didn’t bite too fiercely. So I think that yeah, having a uniformity
or a gold standard if you will would probably be a good thing in that it would
simplify operations.

Candidly, the distinction, even though there is a distinction, the
distinction made between those of our members who are covered entities versus
those who are not is a bit of an artificial one and as I mentioned before the
more conservative advice that I gave as an attorney to folks or that I have
given as an attorney to folks is that the easier and best practice might just
be even though it’s not technically legally required but would be to follow the
privacy rules whether or not they apply to you because that is the sort of new
gold standard or community standard of handling medical records, so that’s one

Another piece of advice that I gave in terms of implementation of the
privacy rules to those who knew they were covered entities and presumably it
would be the same for those who are currently not but may become covered
entities in the future was that the truth is even though there were some 58 or
so new policies and procedures, etc., that folks were required to have under
the privacy rules the truth was that folks were probably doing 80 or 90 percent
of those things already just because that was what their code of ethics
required them to do or their professional practice required them to do, and
really my job at that time as a compliance consultant if you will was just to
inform them of what the ten or 20 percent of new things were and to make sure
that their 80 or 90 percent of the activities that they were already doing just
as best practice was documented and was raised to the level of regulatory
compliance. So I would guess that for the vast majority of our members they’re
already doing, as was the case with the comments with HR professionals, they
were already or they are already doing the activities that would bring them
into compliance with any new set of rules, it would just be a matter of
documenting and codifying.

MS. SHARARA: Mark, what we’re looking for is a set of short, simple, easy
to follow rules. If I had a dime for every HIPAA privacy notice that I
personally threw away when I went to the pharmacy, when I went to the doctor,
when I went to, and my doctor sends them to me in the mail once a year just to
remind me about what they’re doing, and I’m the professional in the field, I
can’t imagine what my mom and dad and brothers and sisters and cousins and
grandma and grandpa, how many HIPAA privacy notices have they thrown in the
trash bin —

MR. ROTHSTEIN: We’ll be sure to invite you back when we talk about that
issue next year.

I want to focus on the minimum necessary principle that you talked about
and see if we can translate that into the legal requirements, the non-HIPAA
legal requirements. And I was very pleased to see in your testimony about
ACOEM’s commitment to minimum necessary standard. Under the ADA, and both of
you are lawyers so it makes this question easier, section 102-D-4, which
governs medical examinations of current employees says that current, when you
do a medical examination of a current employee it must be limited to either job
related matters or it has to be voluntary on the part of the employee. So the
statute already builds in essentially the minimum necessary standard and I
gather from your testimony that not only is this achievable it’s desirable from
ACOEM’s perspective.

By contrast section 102-D-3 of the ADA applies to medical examinations that
are done after a conditional offer of employment, what the statute refers to as
employment entrance examinations. And this provision is not so restricted and
therefore there’s no requirement that it be “job related” or that it
be minimum necessary and as a result of that individuals can be required to
sign an authorization of unlimited scope, and that’s where I’m going to get to

But my initial question is based on ACOEM’s testimony is it your view that
if those two provisions of the ADA were somehow harmonized so that the 102-D-4
provision saying that it has to be job related and consistent with business
necessity were applied to 102-D-3 as well, the post offer examination, you’d be
perfectly happy with that because that’s basically what you’re suggesting here,
that you shouldn’t get information that you can’t use, don’t need, and so

DR. TACCI: Not having kept the section numbers of the ADA straight in my
head I will say that harmonization of those two provisions would be desirable,
I don’t know that it would necessarily require a limitation in scope of the
information that one would obtain during the course of a post-offer
pre-placement physical. In theory I think that that distinction was an
artificial one too because a post-offer pre-placement physical is actually
keyed towards the essential job duties —

MR. ROTHSTEIN: Ideally but not necessarily.

DR. TACCI: So I think that you could harmonize the two without necessarily
having to limit the scope of the information gleaned during the course of the
post-offer pre-placement exam. So I think that —

MR. ROTHSTEIN: Okay, I’ll come back to that and give you a chance to
follow, I want to ask Ms. Sharara what SHRM’s position would be on that. In
other words would the HR world be willing to or is the HR world in alignment
more or less, I note all your footnotes and asterisks, with the ACOEM view of
minimum necessary should apply wherever possible.


MR. ROTHSTEIN: Okay, that’s very helpful to know that because from the HR
standpoint and from, I would say, the corporate counsel standpoint why do you
want your company getting HIV status information when you can’t legally use it
and it might lead to a lawsuit if you decide this guy that you hired was just
really not doing a very good job, now he knew that you had this information, so
these sort of lawsuits are brought all the time, if you never had that
information there’s no lawsuit.

MS. SHARARA: Right. You raise a good point, ignorance is often bliss and
sometimes it’s better not to ask the question if you don’t know what the answer
is going to be as they teach you in law school. In the HR world though human
beings being what they are they traipse on into the HR office, plunk
themselves down and spill their life story including divorces and everything
under the sun. So while it’s a lovely idea to think that we wouldn’t know that
I bet you we already do.

MR. ROTHSTEIN: Okay, so now let me connect the last dots which gets back to
what we are about primarily and that is health privacy in records especially
now in electronic health records. We are exploring, and in our letter of June
22nd invited, recommended that the Secretary explore researching new
computer technology that would somehow filter the information before you got
it, so in other words if you got a release for information it would be limited
to job related stuff. Now we talked to the life insurance people yesterday,
life insurance is a much easier case because you only need to know about 12 or
15 different fields to figure out whether someone’s mortality risk is above
normal. In employment I would argue it’s most difficult because you get so many
different job categories and people do so many different things, how do you
know what to send. So leaving that aside the principle is that if you could
have some sort of computer algorithm where you pressed a button and you got all
the information that you needed to make a decision in terms of history, but you
don’t get the irrelevant stuff, the sensitive stuff, the stuff that people are
worried about disclosing, at least in theory does that sound like something
that you could live with?

DR. TACCI: It does but I would qualify the answer and I’ll go back to your
HIV example, if I’m a medical director for a widget manufacturing company
someone’s HIV status will have nothing to do —

MR. ROTHSTEIN: We’re not talking about surgeons —

DR. TACCI: Making Styrofoam cups let’s say, will have nothing to do with
their ability to help me manufacture Styrofoam cups so as part of their
post-offer pre-placement exam, now they’ve already been offered employment,
there will be no basis to deny them placement on my cup manufacturing machine
based on their HIV status. That said given that their initial physician
examination for better or worse in most settings typically evolves into their
baseline history and physical examination for their company medical record,
there will be a value to me in knowing that in three or six or eight months if
they come to me either in a primary care setting with hey doc, I’ve had X, Y, Z
symptoms, what do you think they are, that will help my medical decision
making, or even if they come to me in a work related injury setting and the
question is whether or not a minor abrasion or a laceration rises to the level
of needing an antibiotic, well, if I know that they’re more prone to infection
so based on immune compromise that will be valuable information for me.

MR. ROTHSTEIN: I think those are very good examples but what I was —

DR. TACCI: But it would never impact their —

MR. ROTHSTEIN: What I was limiting my question to is the narrow
pre-placement question of can Joe Smith do whatever the job requirements are of
a particular job.

DR. TACCI: And that’s why we so strongly adhere to that minimum necessary
standard that says that when I draft a memo or a note to Norma about Joe Smith
who’s just undergone his pre-placement examination, all that memo will say is
yes or no he can do the job and these are the restrictions or accommodations
if any that he might need.

MR. ROTHSTEIN: See as I’m sure you know there are two states now,
California and Minnesota, that already have laws that require that all medical
examinations and inquiries no matter what time, which includes pre-placement,
have to be strictly limited to job related criteria. But we have no way of
collecting only that information so that as a routine practice in both of those
states the custodians of health information just send the whole record anyhow
because they can’t comply with it. Ideally at some point in the future we might
be able to comply with laws that mandated that, either state laws or maybe a
federal law where you just press three codes and you get what you need but
that’s down the road. And it’s valuable for us to hear that with all your
reservations and exceptions so noted at least in sort of broad strokes I get
the sense that sort of conceptually you don’t have a problem with that.

MS. SHARARA: No, I think conceptually it’s an excellent idea because it
limits the exposure to the employer’s liability, I see a lot of JDs on people’s
name cards around the table, we live in a litigious society, negligent hiring
cases, if somebody did something wrong and you knew that they had a heart
condition and you let them fly the plane anyway, whatever example you can think
of, some clever plaintiff’s lawyer is going to come back and find fault with
what the employer did somewhere along the way to right a perceived wrong. So
health information if you can give us a standard and we can say hey we followed
the rule, that would be great for employers, I think it’s hard to actually
implement in practice.

MR. ROTHSTEIN: Well I want to thank you all very much, are there other
questions from staff? We appreciate your testimony, it’s been very helpful to us
and I hope we can possibly call on you in the future to maybe answer questions
or even come back here.

MS. SHARARA: Of course, thank you.

MR. ROTHSTEIN: We’re going to take a 15 minute break and then our next
panel on school health records will begin at 10:45.

— [Brief break.] —

MR. ROTHSTEIN: Good morning, we are set to resume our hearing on the
Privacy and Confidentiality Subcommittee of the National Committee on Vital and
Health Statistics, I want to welcome the members of our third panel to deal
with school health records, and I have your testimony and we will plan to hear
from each of you for about 20 minutes and then we’ll have I’m sure several
questions to ask you. So let’s see what the order was on the list, it’s
alphabetical, unless you, that’s fine, we’ll go in reverse alphabetical order.
Dr. Kiel, please.

Agenda Item: Panel III – Schools – Dr. Kiel

DR. KIEL: Good morning, my name is Joan Kiel and I’m the designated
spokesperson for the American College Health Association regarding the
application of HIPAA and medical record privacy protections to colleges and
universities. In addition I am the chairman of University HIPAA Compliance for
Duquesne University in Pittsburgh, Pennsylvania. And lastly I’m the chair of
the American College Health Association HIPAA Committee.

Since its inception in 1920 the American College Health Association has
been dedicated to the health needs of students at colleges and universities
where the vast majority of the students are over the age of 18 and thus are
considered adults. ACHA is the principal leadership organization for the field
of college health and provides services, communications, and advocacy that help
its members to advance the health of their campus communities. ACHA’s
membership has grown from the original 20 institutions of higher education to
more than 930. These member institutions represent the diversity of higher
education, two and four year, public and private, large and small.

Today I’m going to limit my discussion to three topics, first, the use of
medical records in colleges and universities, second, suggestions for how the
potential expansion of protections for medical records might affect colleges
and universities, both positively and negatively, and lastly, recommendations
on the adoption of medical record protections.

Regarding the first issue, colleges and universities are a community of
people. Therefore the student health service functions as a community-based
health care provider practice. The medical records at the student health
service may serve a varied population. Medical records are maintained for
ongoing treatment and evaluation of students, and in some cases family members,
faculty, and staff.

Student health services frequently refer students to specialists in the
community. If a student is a commuter or their health care provider is nearby
the student health service will be in communication with that health care
provider. And these external providers, they simply assume that the student
health services are under HIPAA. When these health care providers request the
medical records for treatment purposes the student must now sign an
authorization for this release. And this is often confusing for the student and
the college health service staff as well as a possible barrier to efficient
communication to the staff to which the student is referred.

Second, medical records are kept on immunizations for state immunization
laws. And when students participate in practicum or internships, especially in
a health care setting, the student medical record is referred to.

Third, faculty often desire information from the medical record. They may
want to verify why a student is not in class and determine if the illness is
chronic or long-term. They may need to know what the ultimate effect will be on
the student’s performance in the class. Now under FERPA regulations student
health services could theoretically release a student medical record to a
faculty member without obtaining the student’s consent. However, FERPA will not
allow release of a student medical record to another health care provider for
treatment purposes without a patient authorization. So thus, considering clinic
records maintained by the student health service education records under FERPA,
instead of medical records under HIPAA, is confusing and unsubstantiated and
must be further analyzed. And I will talk about that in the third part for

Some health services work with their Department of Athletics to provide
pre-screening physicals for athletes and monitor follow-up care. Health
services also provide treatment for faculty and staff for on the job injuries.
And here is where confusion may also arise, if the health service engages in
one of the HIPAA electronic transactions then the employee records are under
HIPAA and the student records are under FERPA, and the confusion arises when
the individual is both a student and an employee. And again I will focus on
that in recommendations.

Regarding the second issue, when we talk about the potential expansion of
protections for medical records, they could have positive or negative effects
for colleges. On the positive side, under HIPAA, people who do not have a need
to know will not be able to access the record, nor have a right to the
information contained herein. The law also protects the student health service
staff as they can simply say the law says you can’t have the record. The
students’ confidentiality is protected and the potential for discrimination is
mitigated. And the health service must respect students’ right to privacy or
they won’t use the health service even in emergency situations, and that
certainly can then cause further harm.

On the negative side, even the cases that have gone to court have not
resolved the HIPAA/FERPA intersection. In Shin v. MIT the case was settled out
of court and thus the court had no occasion to rule on the HIPAA/FERPA issue.
In Allegheny College v. Mahoney the college was found not negligent and the
only mention of the HIPAA/FERPA intersection was that the policies will be
looked at, but that is on a voluntary basis not via a court order. So thus it
is imperative that if the courts cannot settle the HIPAA/FERPA intersection
then the laws need to be rewritten for all to clearly understand because as of
now under HIPAA information is shared for treatment, payment and health care
operations, or if the patient consents. But under FERPA the information can be
shared if the student’s life is in danger and that’s the gray area, so the
question arises as to at what point does one tell another. If that person is
right then they may save the student’s life but if they are incorrect this can upset
the student and break their trust so it really is a tough judgment call.

Regarding the management of student health records, many student health
services receive legal opinions regarding compliance with FERPA and HIPAA that
informed them that the student health services must ensure compliance for
student records under FERPA or state law and non-student records would be
governed by HIPAA. So many student health services are now in the unenviable
position of having three different standards to which to adhere. Student
records that are maintained and accessed solely by the health care provider are
governed by state law. The student records released for any reason including
patient authorization are governed by FERPA. And non-student records, such as
university employees, faculty, non-student spouses, they are governed by HIPAA.
So an option then is for the college health service to discontinue providing
services to non-students, such as the spouses, the summer camps, the visiting
scholars, the athletic interns, J-1 visa scholars, but this option only allows
them to follow FERPA or state law. But it’s not an optimal solution as it
decreases health care access and services to the campus community, not to
mention lost revenue.

Another potential negative aspect concerns accreditation for college health
services. There are many college health services that are accredited by JCAHO
and the Accreditation Association for Ambulatory Health Care. And both of these
organizations are now moving toward HIPAA regulations as part of the general
survey requirements. So will college health services not be accredited because
they are not able to meet the HIPAA requirements if they do not engage in one
of the electronic transactions? And accreditation is important to student
health services as it does indicate a commitment toward excellence in health
care that parents expect for their students attending a college or university.

Regarding the third issue, adopting protections for medical records, we
don’t see them as being easy or burdensome but more so as necessary to ensure
quality care and protect patient privacy. It needs to be reconciled that if
HIPAA is the national privacy standard in health care as it has been deemed
then why are student medical records exempt under HIPAA?

So it is the request of the American College Health Association to
specifically address the implementation issues of HIPAA, FERPA and state laws
in our college and university health centers, and I have two changes that are
recommended. The first is to change the FERPA regulation’s definition of
exception to education records, for the exception to education records for
medical records held at institutions of higher education, it needs to be
broadened in scope beyond the patient/provider relationship. The exception
needs to include the records even if they are released outside of the
patient/provider relationship and that change in definition would exempt any
medical record created by a college or university health service from FERPA
thus leaving the institution to comply with the state law if they do not
perform any of the listed HIPAA transactions or solely to comply with HIPAA if
they do submit any of the listed electronic transactions.

The second recommendation is to change the HIPAA regulation’s definition of
protected health information, PHI, to include medical records held by colleges
and universities. The definition of PHI in HIPAA needs to be changed to
eliminate the FERPA exception of medical records held by institutions of higher

These two changes would allow medical records held at institutions of
higher education to be included under HIPAA and would remove their coverage
under FERPA and this would eliminate what we call the dysfunctional
intersection of these two regulations. And we believe that this would meet the
intent of both of the regulations to protect the privacy of medical records
held by colleges and universities and the end result being that any college or
university health service falling under the HIPAA regulations by virtue of
performing any of the listed electronic transactions would automatically treat
all of the medical records under one privacy standard, HIPAA.

Thank you for the opportunity to present our concerns.

MR. ROTHSTEIN: Thank you very much. We’re going to take a 30 second recess
and then we’ll be back with Dr. Bergren.

We’re back after deciding on our lunch orders, Dr. Bergren, thank you.

Agenda Item: Panel III – Schools – Dr. Bergren

DR. BERGREN: Thank you, good morning Mr. Chairman and members of the
subcommittee. My name is Martha Dewey Bergren, I’m a doctorally prepared nurse
working at the University of Illinois, Chicago, I am a HIPAA/FERPA expert, I’ve
been a consultant to the National Task Force for Confidentiality for School
Health Records, which we did share with the committee a copy of the booklet
that we put out last year. And I’m representing today the American School
Health Association which is a multidisciplinary organization of school
administrators, counselors, health educators, physical educators,
psychologists, school health coordinators, school nurses, school physicians,
and social workers, who oversee health education and health services in schools
and who oversee school health programs at state agencies.

I’m first going to talk about school health records and I’m going to be
talking about those records that are maintained by schools, preschool through
12th grade, that are maintained by school personnel for health and
education services. I’m not going to be talking about school based primary
health care clinics which are almost exclusively run by outside agencies;
those records are not education records, they are covered by HIPAA and not
covered by FERPA.

So school health records are any personally identifiable student health
records maintained in schools which are covered by the Family Education Rights
and Privacy Act, and that means that FERPA covers all health records in public
schools or any private school that receives federal funds which is most private
schools. So therefore the health record is just one part of the whole health,
whole education record. FERPA was enacted in 1974 prior to the Individuals with
Disabilities Education Act and therefore FERPA does not address health records,
privacy or the sensitivity of health information maintained in schools. IDEA
completely changed the nature of school health from one that addressed
communicable diseases and prevention of communicable diseases to that which
covers also acute care including tracheotomy care, ventilated students,
catheterizations, medications including injectable medication, gastrostomy
feedings, etc., plus many therapies that are administered in schools, physical
therapy, occupational therapy and speech therapy just to name a few.

Student health records are very, very similar to acute care records and
ambulatory records in that they contain complete health histories, a lot of
information about non-students, family members, that’s pertinent to that
child’s education plan. They also frequently contain third party records from
hospitals, primary care providers, consultants, counselors, psychiatric
records, lab records, and genetic testing.

Just to give you an idea of the pervasiveness of acute care that’s provided
in schools, not every state maintains records on schools but Florida does
maintain very good records. They know that they have 100,000 office visits
every day, 80,000 medication doses daily, a million nursing assessments
annually, two million consultations, 180,000 complex medical procedures are
performed annually. I’m sorry?

MR. HOUSTON: What’s a complex medical procedure?

DR. BERGREN: A complex medical procedure would be like a gastrostomy
feeding, ventilator maintenance, suctioning, catheterization, peritoneal
dialysis, I mean pretty heavy care.

And in 1999 the GAO reports that $2.3 billion dollars were spent on school
health services and that doesn’t even include the services that are

Health records are maintained in schools both in electronic and paper form
and I was able to get some definite numbers from several states prior to
today’s testimony and five states were able to give me actual numbers,
Wisconsin, greater than 25 percent of the records are electronic, State of
Washington is 26 percent, Iowa 32, Massachusetts 58 percent and Delaware
requires that school health records be maintained in an electronic form just
this year so therefore it’s 100 percent. And then four other states were able
to give pretty good estimates of over 50 percent of school health records are
maintained in electronic form.

Those records are maintained both on non-networked free standing desktop
computers and on networked computers where the records are maintained on a
school’s server with other records. Laptops and PDAs, many school nurses serve
multiple schools and serve well more than the 750 to 1 ratio, the average
school nurse serves about 1700 students.

Health records software that’s developed specifically for health records,
so it’s a product that’s restricted to health record software for the school
health office, usually includes most of the standard security requirements,
individual password protection, authentication, audit capability, partitioning
and override protection. However when there’s a health module that’s part of
the school wide enterprise system even the most rudimentary protections do not
exist, in fact many of the home pages of the students’ health records will have
a list of the students’ health conditions.

There’s also a departure from standard privacy and confidentiality in the
paper record practices in schools and this is because many of these practices
pre-date FERPA. What you see on the screen is a book that’s sold at most school
health conferences which is a multi-student daily log, which means student
health records are maintained sequentially as the students come to the health
office on a common record. And we only have statistics for one state and 53
percent of the nurses notes maintained in the state of Iowa are maintained on
this sequential multi-student record which not only violates HIPAA it also
violates FERPA which is the law that covers these students. And I believe that
that ratio, that percentage is accurate, I believe that the national ratio
would range between 40 and 60 percent so I think that that is accurate.

I did speak to some suppliers of this particular book and they do report
that sales are down 30 percent since 2001 because of the increased attention
paid to privacy because of HIPAA, however they do estimate that 4,000 to 5,000
of those books are sold, will be sold this year and many schools produce this
type of record on their own, they print their own copies.

Another traditional —

MR. ROTHSTEIN: So they violate HIPAA, FERPA, and copyright law —

DR. BERGREN: And I hate to say this on record but also the professional
standards of our profession.

MR. ROTHSTEIN: Just checking.

DR. BERGREN: Another traditional practice in schools is the annual back to
school health concerns list which we do have national on this and that 41
percent of nurses reporting to a national survey distribute a health concerns
list. This is a list of all students in the school who have a health condition
and the list contains the student’s name and the associated health condition,
for instance asthma, seizures, food allergy, etc. So 41 percent of the nurses
provide this list for every student with a health condition and I don’t know
how to interpret that 14 percent provide some information and nine percent
provide a little information, but 33 percent of the nurses reported that they
never distributed a list. This is against best practices, again against FERPA,
etc. —

MS. HORLICK: To whom are they provided?

DR. BERGREN: Teachers, bus drivers, administrators, playground aides —

MS. BERNSTEIN: They’re collecting the information from families and
disclosing it to other professionals in the school setting?

DR. BERGREN: Whoever they feel needs to know, that needs to know.

MS. BERNSTEIN: But they’re surveying the families —

DR. BERGREN: This information comes off of the form that’s returned at the
beginning of every year from the families that list the child’s health

DR. TANG: How does it violate FERPA in that case?

DR. BERGREN: It’s a multi-, any record that’s covered by FERPA needs to be
provided to a parent yet should not contain more than one student’s information

DR. TANG: So had they passed out a binder with individual sheets that would
be totally okay.

DR. BERGREN: And actually we recommend that because it’s not from a
practice standpoint it really isn’t sufficient to provide asthma or seizures
without telling a non-health professional how to recognize when a child needs
assistance and then what one should do should the child exhibit those symptoms.
So just by providing a label of a diagnosis really doesn’t give these people
the information they need anyway.

So what I’ll talk about next is what the impact of increasing privacy
protections would be on the maintenance of health records in schools, I’ll talk
about positive effects, negative effects and negligible effects.

First of all definitely it would decrease the confusion of where FERPA ends
and HIPAA begins in schools. Every state is doing something different, a
consortium of school health associations requested two years ago technical
guidance on how to manage the issues where HIPAA and FERPA overlap and we’ve
yet to receive that guidance. The exemption of school health records from the
HIPAA regulations did not take into consideration that FERPA does not address
health records, that common practices in schools are more of a sharing climate
rather than a privacy climate. But it didn’t acknowledge the acute level of
care and the volume of care that’s provided in schools today. Also does not
address electronic maintenance of health records or electronic billing of
school health services and does not acknowledge that many schools are
clearinghouses for multiple districts for health billing, a larger school
district will often handle the billing for several other school districts in
order to save costs, it’s a very common practice. Whenever you use any of the
algorithms on Health and Human Services websites that helps one decide whether
one is a covered entity, it doesn’t apply to people working in schools and just
leads to the additional confusion of whether or not one is covered by FERPA or

An application of HIPAA to school health records would also increase
communication between primary care providers and school health providers
because FERPA has no treatment, payment or operations exception, and it would
allow nurses and other health providers in schools who are administering
treatment to have open communication with the prescribing physician and health

Also many HIPAA covered entities, personal physicians, hospitals, are very
hesitant to share information with schools knowing that schools do not provide
HIPAA level privacy to those records and I do think that it would make
providers more comfortable sharing the kind of information that schools need to
provide this level of acute care.

Also it doesn’t acknowledge that schools have always had a traditional role
in public health. FERPA does not have a public health exception so therefore
according to letters of memorandum on the Department of Education website
schools may no longer, well they never should have but as of 2004 when these
memorandums were written schools no longer report communicable diseases, they
are not able to provide personally identifiable information in immunization
reporting to the state department of public health, they cannot provide
personally identifiable surveillance information which in light of a possible
flu pandemic or other type of crises would be significant, and also does not
allow sharing with the CDC for the registry of congenital and chronic diseases
which has always been communicated between schools and the CDC.

FERPA also does not provide privacy training and covering schools with
HIPAA type privacy regulations would require that schools provide this type of
annual training. When I do seminars to multidisciplinary groups and I ask who
in the room would feel comfortable explaining FERPA in a paragraph only the
superintendents are comfortable, really have a working understanding of FERPA.
And it would lead to changes in traditional practices simply because most
people are not aware of FERPA and what it requires of those that work in
schools. Just simple things like locks on file cabinets, locks on doors, would
be enacted pretty easily and many schools combine the education and health
record into a common cumulative record and this would automatically require a
separation of those two records.

It would require commercial vendors of school enterprise systems to enact
standard privacy and security safeguards for student health records. They’d
also be required to have some rudimentary theft proof prevention and password
protection on school computers and also local school information technology
professionals would need to invest in encryption and password protection, just
basic security and privacy protections.

A privacy office would need to be identified. Right now in schools in
addition to those that provide health care health information can be found
throughout the school, the health office, main office, classrooms, buses,
cafeterias, gyms, the sports fields, warehouses. Within the school health
information moves throughout the school via fax, interoffice mail and emails,
and licensed school health providers have no authority or accountability for
records that are not under their own control. So by naming a privacy officer
you would be able to have that accountability where someone with some authority
would be able to create limits that control the access to student health
records and protect student privacy, they would have the authority to enact
changes in practice and procedures and they would be able to establish some
consequences for breaches, whether they be intentional or unintentional, and that
there would also be procedures in place for external sharing of health

Some positive effects would be that when a student is transferred to
another school FERPA does not require parental authorization to release the
student’s health records. A school can transfer all of an education record to a
new school without parental permission and in fact the Individuals with
Disabilities and Education Act actually requires that all records of students
who receive special education must be transferred with or without parent
authorization. Many parents share information with school health care providers
early in the preschool and young child period that later they may not want to
share, for instance genetic testing, parents who don’t know what their child’s
diagnosis is are very open about sharing information when the child is very
young yet later when the child is older they may want to restrict some of the
information that’s shared. So by having HIPAA type protection and requiring
parent authorization to share with another educational agency would be a
positive result.

Negative impacts, one thing that we do need to remember is that schools
have an educational mission, not a health mission, and right now there is a
strain on resources in the educational system due to No Child Left Behind and
continued decreased funding to schools. The costs of the changes would involve
both labor and materials, software, updating, the training would come with some
cost, locating and training a privacy officer, changing all the policies and
procedures that have to do with health records and the attorney and consultant
fees that may go along with that.

Another negative is that presently there are no penalties for, I mean the
penalty for violating FERPA is to withhold federal funds, the possibility of
withholding federal funds, that is a very rare occurrence that schools receive
any penalties for violating FERPA and in fact the Supreme Court decision Doe
vs. Gonzaga found that FERPA does not create any federal rights and that
Congress did not intend FERPA rights to be enforceable, so by having the
greater HIPAA penalties that would create quite a bit of consternation in the
school setting, that they might be subject to those substantial penalties.

Also negative would be possible decreased and delayed communication for
education planning, the type of overzealous concern following HIPAA in that
even information that should have been shared was not shared could also happen
in the school setting. And it would be I think important that the educational
team be considered equivalent to the health care team in acute setting in that
the persons who are responsible for providing the health and safety and the
education of a particular student be taken into consideration, that information
could be shared within that team.

There’s also a negative that if a parental authorization was required when
a student transferred to a new school that it would delay the information
that’s needed to provide care and education in that new setting. It’s not
uncommon at all for children to show up at a school without any notice, without
any records. But it would also not solve all of the problems. Right now schools
and primary providers cannot share immunization information because
immunizations do not fall under the treatment, payment and operations
exception. Schools are also not recognized as public health entities even
though they’ve always been, had a strong role in public health, and that
physical exams also don’t meet the definition of treatment.

There are many commonalities between HIPAA and FERPA so there are areas
where there would be no impact. The annual notice of information practices,
although HIPAA is very prescriptive about what’s required, is required under
FERPA and it also includes the right to inspect records, to request an
amendment, a record access log is required for special education students,
directory information is allowed to be released. It has no pertinence in an
emergency situation, judicial order or subpoenas, research, and federal and
state officials for auditing purposes are all common to both federal laws.

I am not a billing expert but from talking to people that commonly bill for
school health services all of the billing, all of the people that I talked to
said that their billing vendors are already designated as business associates
under HIPAA and are compliant with the privacy, security and transaction rules
so there shouldn’t be a big change should the law change.

I would like to suggest that from ASHA and other school health
organizations that we would prefer that health information maintained in the
school setting be maintained as it would be in any other setting and that also
the role of schools in public health be recognized with any changes in the

Thank you very much, we really appreciate the opportunity to share this
information with the committee.

MR. ROTHSTEIN: Thank you both very much, that was really excellent
testimony and I know the subcommittee members I’m sure have questions, I’ve got
some but first I’ll ask Mr. Houston.

MR. HOUSTON: Thank you very much, I appreciate your testimony, I thought it
was really helpful. I do have a couple questions and I wanted to sort of focus
first off on something that Joan had said, and I guess to clarify because my
understanding of the privacy rule is that unless you declare yourself as a
hybrid entity as soon as you start to, as soon as HIPAA applies because of you
doing some type of billing under an electronic transaction HIPAA applies to
everything that you do. Is that, with that understanding are you saying that a
lot of your member institutions are declaring themselves as hybrid entities and
carving out the FERPA function so that HIPAA doesn’t apply?

DR. KIEL: Some are doing that and some college health services are doing
one of the electronic transactions so that they then would fall under HIPAA,
but yes, what you are saying is correct.

MR. HOUSTON: Okay, then I guess another question that I also have to
Martha’s testimony, one of the earlier issues that we had seen with regards to
HIPAA in schools, and this isn’t necessarily directly related but I think it
sounds like there might be a solution in the works, is one of the problems I
know that some schools that identified was is that it’s very difficult to get
immunization records due to the fact that covered entities would say you’re
not, we’re not entitled to provide them to you absent an authorization and
parents would go through great pains to try to get an authorization and drive
potentially hours to a physician and all of that. Is that still an issue?

DR. BERGREN: It’s still an issue but it’s not as severe as it was the last
time we testified. I think schools have adapted and are getting authorizations
for the immunizations, it definitely slows down the process and it does result
in increased costs in time and effort to get the authorization, faxing to the
physician, etc. I haven’t heard as many stories where the physicians and acute
care providers are requiring parents to physically drive to the acute care
agency. They are still requiring that their own HIPAA form be used even though
most schools are using HIPAA compliant authorizations.

MR. HOUSTON: Assuming that a school becomes a HIPAA covered entity
obviously I guess it would either fall under treatment or health care
operations or something that would allow the disclosure absent an
authorization. Do you see that as being —

DR. BERGREN: Actually what we’ve been told is that immunizations don’t fall
under the treatment payment —

MR. ROTHSTEIN: John, if I can interrupt for a second, based on your
testimony before the subcommittee about two years ago I think we recommended
that the Secretary either interpret the privacy rule or amend the privacy rule
to say that disclosures of immunization records from a primary care provider or
a care provider to a school would constitute a public health disclosure and
therefore there would be no requirement that the parent actually execute an
authorization. So it wouldn’t have to be, it wouldn’t be TPO it would be
considered —

DR. BERGREN: And that’s why we are asking that schools be recognized as
public health, an agent of the public health system.

MR. ROTHSTEIN: See we considered doing that but we didn’t want to do that
because not all schools have nurses and so on, so instead of calling the school
a public health agency we recommended that the disclosure be termed a public
health disclosure.

DR. BERGREN: We can live with that.

MS. BERNSTEIN: So I have our immunization expert and our HIPAA expert over
here, is that actually happening now? That that data is moving in the way that
Mark said that the subcommittee had recommended two years ago? It’s not moving
now that way —

MS. MCANDREW: No, the rule would need to be changed in order to accommodate
that redefinition of, to broaden the definition of public health disclosure to
include immunizations, but it is under consideration by the department.

DR. BERGREN: If I could comment, by calling it a public health disclosure
and by not calling schools public health entities it doesn’t help with the
sharing of information by the school with the state public health departments
and the CDC, which has been a longstanding traditional role in order to monitor
the public health. And that would be whether or not the school employed a nurse
or not by monitoring —

MR. ROTHSTEIN: See but the school is not a covered entity and they could do
that without regard to HIPAA.

DR. BERGREN: They can’t because FERPA does not allow it.


DR. BERGREN: And those memorandums on the Department of Education website
that have come out since the last testimony in 2004 that specifically state
schools may not share information with public health entities without parental
authorization and their definition of an emergency does not include public
health emergency, it would only be an emergency of that particular student.

MS. BERNSTEIN: It affects the health and safety of that particular student
and not the general population.

DR. BERGREN: That’s correct.

MS. HORLICK: Actually I would disagree because on the Department of
Education website there are some letters that I could refer you to where they
have defined a public health emergency, that exception under FERPA, and it’s
not limited to the child. There are two separate letters, one they talk about
sort of anthrax, the other one came up with the recent mumps epidemic, outbreak
in the Midwest, and it basically says it’s a definable imminent threat and they
can rely on public health.

DR. BERGREN: Okay, thank you for that.

MS. HORLICK: Again, it’s not the routine disclosure of immunizations, it’s

DR. BERGREN: And then the routine reporting of chronic diseases.

MS. BERNSTEIN: So this is also just on that particular point, I’m recalling
I came across since I’ve been here in the last year and a half a situation where
CDC wanted to conduct a study of for example the prevalence of autism in
schools, am I talking out of school if I talk about that? It’s a research
study, but that we’re having trouble getting access to the information because
FERPA, because autism is something that’s often diagnosed in a school setting
rather than in a health care, a more traditional health care setting, so CDC
wants to be able to get access to that information but they’re having trouble
with the FERPA —

MS. HORLICK: They had access, there was an MOU for five years that where
CDC was an authorized agent of the Department of Education and they were able
to access the information that way, that MOU expired in December of 2005 and
has not been renewed.

MR. HOUSTON: Two other questions and they’re sort of related. Back to one
of the things, recommendations that Joan made, obviously you seem to be in
favor of carving out of FERPA medical records, medical information, and that
make HIPAA applicable to the educational setting as it relates to medical
information. Martha, I think you sort of stopped short of ever saying that and
I was wondering whether you shared that sentiment.

DR. BERGREN: The sentiment of most school health organizations including
ASHA is that health information should be protected in schools the way it is in
other settings.

MR. HOUSTON: But I’m going to drill down on that point for a second, so
you’re saying that HIPAA should apply or that something equivalent to but not
necessarily having all of the rigors of HIPAA should —

DR. BERGREN: I think, and I’m going to give you my opinion as a
representative of the organization but I don’t know what the organization’s
opinion would be —

MR. HOUSTON: You can supplement your testimony —

DR. BERGREN: I do think it’s important to recognize in schools that the
team isn’t the same as it would be in a hospital, the team is a combination of
health and education professionals. I do think it’s important that many of the
students with serious health problems have educators who need to know what the
health implications of their illness is. So if a new regulation took into
consideration the differences in the setting and recognized a team as the team
of individuals that care for that student most health professionals that work
in schools believe that HIPAA type privacy and protection is necessary.

MR. HOUSTON: I think that’s a great nuance and I guess it’s one we have to
make sure we’re mindful of.

And I had just one final question as it relates, you had discussed things
that would fall under, appear to fall under the HIPAA security rule and we
really have been talking about the privacy rule. If HIPAA would apply are you
saying that the security rule should apply also or are we really still just
primarily talking about the privacy rule in this discussion today?

DR. KIEL: This again as Martha said before would be my opinion but given
what people have talked about at ACHA yes but with the security rule having the
required and the addressable standards it could be made more amenable to the
smaller colleges, the two versus the four year, the academic medical center
colleges, so I think it would be fine, I think it should all apply.

DR. BERGREN: I absolutely believe security should apply in a school
setting, I think it’s one of the, it’s where FERPA does not provide any type of
guidance and common practices are not to provide a very secure environment,
especially because the number of students in a school setting as opposed to a
primary care setting, you’re talking about a population of students where many
students, I believe that the trend is going to continue towards electronic
records. I’ve worked in schools, I’ve been a school nurse, I saw a student come
into a library and within ten seconds was into the mainframe, students have a
great deal of time on their hands and therefore I believe that health records
maintained in schools should definitely have the same level of security that
they would be maintained in any other setting.

MR. HOUSTON: I have no other questions.

DR. KIEL: Schools and colleges and universities are moving more toward
electronic medical records and they would need technical security under the
HIPAA security rule.


DR. TANG: This may be redundant but because it’s been such an illuminating
testimony to me, I really appreciate the testimony, the education and your
recommendations. So sometimes by drawing contrasts you can get clarity so the
last panel on employers basically told us that there’s a lot of regulations
that cover their line of business and maintaining the records of their
employees and that either implicitly, which is mostly the case, or explicitly,
there are things they do to protect the confidentiality of their employees’
health information yet with some caveats if there could be uniform regulations
they felt that actually would help codify and make streamlined their operation.

In contrast I think what I heard is that we have not only no regulations
but explicit exclusion of a regulation, HIPAA, because of FERPA, and that FERPA
explicitly does not protect, does not offer any guidance in the protection of
health information and that common practice again in contrast to what we heard
in the previous panel is that actually the practices are not at all consistent
with what one would expect for careful use, storage and protection of health
information of individual students in your case so that you are not only asking
for or perhaps begging for HIPAA to be applied both the policies and the way to
implement those policies, i.e., the security rule, so that you can properly
store and use and protect health information for your constituents which are

Did I get that right?

DR. KIEL: No, you are correct Dr. Tang, it does then fall to state law,
medical record state law, and then depending on who the health service is
treating, so if they are treating the spouse of a student that then could fall
under HIPAA, so some of the categories are covered but you’re absolutely right,
we do want one that will say this is what you must follow because in following
state laws students who are coming from other states, what law are you
ascribing to, they’re going to college in one state, their primary care
provider might be in another state, so more confusion there. So yes, you are

DR. BERGREN: Can I respond to that? What I wanted to say is that FERPA was
designed to protect student and family privacy, that was the initial intent of
FERPA back in 1974. It does not cover health records specifically but that any
student’s education record of which the health record is a part of is supposed
to be maintained with privacy considered. However FERPA does not have any
specific prescriptions, it has no direction, it doesn’t give any guidelines and
in addition to that no training is required so many practices in schools today
violate FERPA because no one is familiar with the law.

DR. TANG: Okay, the follow-up question was going to be what do you think
the motivation, and that’s speculative, motivation was for excluding FERPA from
HIPAA? And presumably it was because they thought it was already covered. Are
you then saying that actually FERPA is adequate provided people would be
trained on provisions of FERPA?

DR. KIEL: I think you said the key word, FERPA is not prescriptive as HIPAA

DR. TANG: So although you could interpret FERPA to protect all information
including health you think that one, we would require, it would be beneficial
to be prescriptive and to even prescribe the training associated like HIPAA

DR. BERGREN: Yes, I don’t think FERPA is adequate and I think because it
was designed for records that were not as sensitive as school health records
are today, it was designed for a very benign record that might have IQ testing
in it and in fact in most schools IQ testing, standardized test scores, and
whether or not a child qualifies for federal lunch program is considered more
sensitive than health information.

DR. TANG: And then what would be the motivation for the MOU that ended up
excluding schools from public health disclosures? Just to help understand that.

MS. HORLICK: I’m sorry, I didn’t get your question.

DR. TANG: She said that schools could act as a public health agent up until
whatever it was, 2004 when the MOU came out prohibiting that.

MS. HORLICK: It wasn’t a comprehensive, anything that we’ve been talking
about disclosures as a public health entity was a specific MOU relating to
access to, it was actually autism data and it was specifically addressing
certain data for a certain period of time.

DR. TANG: So how did that go to immunization?

DR. BERGREN: There was a different letter of memorandum that said that
schools can’t release personally identifiable immunization information to the
state public health departments.

MS. HORLICK: State health departments have made various inquiries, can we
do this, and the Department of Education every time you ask you get the
guidance but they have spelled out what’s not permissible and also what is
permissible like the health and safety exception.

DR. BERGREN: We didn’t expect health records in schools to be exempt from
HIPAA, all the drafts of the regulations up until the final draft, until the
final regulation, included school health records. We were actually undergoing
training within the professional organizations to prepare for HIPAA and then
when the final regulations came out we were blindsided. I don’t know why school
health records were excepted.

MS. BERNSTEIN: Let me ask a little bit, was it your, I guess your
prediction at the time before it came out that you would be covered both by
HIPAA and by FERPA —

DR. BERGREN: Prediction, no, we believed we would be covered by HIPAA.

MS. BERNSTEIN: And no longer covered by FERPA? My question is really if you
were in fact to be covered by both laws at the same time and you had to comply
with both of them, for example there are some federal entities that are covered
entities under HIPAA, CMS, the Indian Health Service, the Veterans
Administration, Department of Veterans Affairs and so forth, they’re also
covered by for example the Federal Privacy Act and they have to comply with
both of those laws simultaneously. Would it be possible or were there, I guess
I’m asking what would the significant conflicts be if you were covered both by
FERPA and by HIPAA simultaneously, if that exemption didn’t exist to the law?

DR. BERGREN: Well obviously there’s some disclosure exemptions in the two
laws that are different so one would need to determine which of those
disclosures could be made without authorization and probably what would happen
is that you would get authorization for any disclosure that could be covered
under both laws.

MS. BERNSTEIN: So you were saying that treatment payment, operations, are
not covered under FERPA but since they are under HIPAA you’d still have to get
an authorization for example.

DR. BERGREN: I don’t know, I don’t even know how we would approach it, we
were prepared to.

MR. ROTHSTEIN: Well I have a couple of questions. First of all you have to
bear with the members of the subcommittee, it’s not the usual case where people
testifying before us are asking us how can we possibly be covered by HIPAA, so
it’s sort of an adjustment for us.

But I did want to follow-up on both of your points relative to this, I
think I hear what you’re saying but I want to know who you’re speaking for, in
other words if we had college administrators would they agree with what you’re
saying, if we had school principals and school boards would they agree with
what you’re suggesting. Is this the view of the educational world or is it more
narrowly the view of the school health, college health world? Maybe you don’t
know, can you help us with that?

DR. KIEL: I believe that it is the view of the entire college or university
and the reason being when there is this as the American College Health
Association calls it, this dysfunctional intersection with HIPAA and FERPA,
what does it lead to, more questions, more unanswered questions that then go to
administration versus if we had one standard that was very prescriptive there
wouldn’t be that need to have this confusion that could potentially lead to
lawsuits, lost time, do we say something, do we not if a student’s life is in
danger, so I think it would make people’s lives easier.

MR. ROTHSTEIN: So a university counsel, college administrators would agree
with you on that?

DR. KIEL: I would say so. Of course we would have to look at the cost —

MR. ROTHSTEIN: What about for schools?

DR. BERGREN: I can’t really say, I would say that most educators don’t see
this as an issue, they’re not socialized in a health care setting as you’re
educated as a health care professional to value privacy, the entire
confidentiality understanding as a health professional that you only share
information with those that are providing treatment, that’s not a concept that
most educators are oriented to. So I would think that in administrators, and I
did review the school board’s testimony in preparation of today, that they are
content for the most part with FERPA but would like some direction on then how
does one work with this with the intersection with HIPAA. However for
professional health care providers who have a code of ethics and standards that
require confidentiality and whose socialization is that this information should
be held very privately, they’re in a very difficult position in schools where
information is shared sometimes in a way that they’re not comfortable with.

I also come from the perspective of the consumer, I have children who have
been in schools and I want their information protected. So I’m providing
testimony from associations, specifically the American School Health
Association who’s predominantly an association of health professionals, school
health professionals, who understand the importance of privacy in any setting.

MR. ROTHSTEIN: Paul, you wanted to follow-up on this or had —

DR. TANG: Did you hear the panel before this by any chance?

DR. KIEL: Part of it, yes.

DR. TANG: So there was someone representing the occupational and employee
health association and he also used to do consulting for HIPAA, and his advice
to his organization and people in his profession was even though HIPAA does not
apply to them because they don’t do the transactions it’s conceivable that it
would apply at some time and actually it’s going to be cheaper for you, cheaper
in the broad sense of just go figure out how to implement these principles and
if it came then you would actually be a long way there. Again, it applies
directly to your comments, as health professionals that’s sort of you wont to
do this and would it make any sense, especially in your profession, well
actually both of yours, to start advocating for that position within the
association because change is hard in terms of how long it would take yet
you’re saying that you actually have somewhat of a crisis, there’s stuff that
either is shared or there are things that are happening in current day standard
practice that are not comfortable and in your minds not right for the students,
your constituents, and should your profession start looking towards just
adopting the principles that you had anticipated in fact as a way, as an
interim step before any other kinds of actions could take place.

DR. KIEL: That would be amenable and the American College Health
Association, we have looked at FERPA from the point then it’s from 1974 and I’m
sure that Martha, I am not a clinician so I’m sure Martha can comment on this,
student health services based on what we have discussed as an organization are
seeing students on college campuses, residing in the residence hall with many,
many diagnoses that were simply not seen 32 years ago and that is becoming a
very, very big issue, and that is why we are looking for HIPAA to address some
of these, even not only diagnoses but the number of students who are on
prescription medications and need to have that medication monitoring.

DR. BERGREN: One of the issues is that health care professionals are the
minority in an educational setting, we’re considered support staff, we rarely
have any type of line authority, there’s rarely a health professional at the
level of even assistant superintendent where you would have any kind of power
to make that type of change and that’s why the possibility of a privacy officer
in a school setting would be ideal. And that originally when we testified two
years ago we had hoped that FERPA would start to address some of the practical
situations in schools and take into account the pervasiveness of health care
that occurs in the school setting and that has not occurred. So the invitation
today to talk about well what would happen if HIPAA was to cover schools, then
that was an attractive possibility for those who really value privacy in the
school setting.

MR. HOUSTON: I just wanted to follow-up regarding Paul’s comment, I think
it sounds like part of the tension is that there’s a conflict between FERPA and
HIPAA and if you try to apply one over top of the other without trying to,
what’s the word, harmonize them, you would have a real problem, so you just
can’t, it sounds like voluntary compliance with HIPAA would really be
frustrated by the fact that there sounds like there’s some incompatibility
there. Is that the case?

DR. TANG: One sounds quite permissive and the other you’re asking for is
more prescriptive, how could the prescriptive be —

MR. ROTHSTEIN: There are situations like the release of medical records
that you could do under HIPAA from one provider to another you can’t do under
FERPA, so there would, in a sense if you just lumped them both together that’s
sort of the worst of both worlds.

DR. BERGREN: Well the other thing is that FERPA is not permissive, it’s
just not prescriptive, it says be good people and if you’re not —

DR. TANG: Maybe I should have used the word tolerant.

DR. BERGREN: Okay, it’s just not very specific, it’s very vague.

DR. TANG: That’s why I had trouble figuring how prescriptive, voluntary
prescriptive behavior would be overruled by the tolerant provisions but I can
see the specifics —

MR. ROTHSTEIN: Dan, Dan Rode had a comment.

MR. RODE: I do but you may want to finish your discussion first.

MR. ROTHSTEIN: I have one more question. There’s a sentence in here, in
your testimony, Dr. Kiel, that just sort of jumped up at me, on page two it
says under FERPA regulations student health services could theoretically
release a student medical record to a faculty member without obtaining the
student’s consent. In a practical sense does that happen?

DR. KIEL: I know not at my institution but I can’t really answer for
others. I can tell you that as the compliance officer for my university I have
been pestered by faculty members for the record because they wanted to know why
the student is out, so yes, it certainly could.

DR. BERGREN: In the school setting frequently the records are not locked,
they’re open to anyone in the building that might need it for a particular
purpose, and also FERPA doesn’t cover oral sharing of data. So yes, teachers
and other types of professionals very often do access school health records.

MR. ROTHSTEIN: At the university level there’s a lot of health information
in places that are not defined as student health services, for example in
admissions applications students often indicate well the reason I haven’t been
in school for the last two years is because I whatever, had a certain illness,
now how is that protected and who gets access to that information? Can any
faculty member go into the admissions file and read a student’s personal
statement, etc.? I think it’s a very important issue, I think it’s one that
needs to be sort of tightened up but I would suggest that it’s not just the
health service that might be the problem, maybe that’s even a minor part of the
problem, is just that health information in all sorts of contexts are not being
protected at the college and university level. Maya?

MS. BERNSTEIN: Sort of on the same issue I wanted to ask you to talk a
little bit about, Dr. Bergren was saying that there’s this team approach in a
school where you’ve got minor children who have a series of adults who are
managing their care and their education and so forth as a team and we didn’t
talk too much but obviously in the college and university setting where the
students are adults, that that same kind of team approach, it’s not quite the
same, that is there’s not, even though you have the sort of collegial
atmosphere and goal of promoting education in general, can you talk a little
bit about how that environment differs from, because the students are adults?

DR. KIEL: In the college health setting the health services truly functions
as a physician practice, in fact that is one of our, it would function as a
community health practice so the health services really sticks to that need to
know and minimum necessary even if they are not under HIPAA, they don’t want
the information out because who knows where it goes to, it goes to a faculty
member, they then talk to an advisor, so it is in a sense all over and that is
one of the issues that at my university we have about 10,000 students, well
that health service is larger than many physician practices in terms of
patients but yet we are not under HIPAA and a smaller practice is, so
absolutely. The woman who was sitting in this chair with the employers, she
said something else very similar, many times a student will simply come in to
an advisor, the admissions office, and spill everything, a teacher, a
professor, so it is very, very difficult.

MS. HORLICK: I wanted to ask for some clarification, I think early in your
remarks, Dr. Bergren, you said that you weren’t going to address school based
health clinics and I just wanted to, it’s never really been clear to me, I
understand that FERPA applies to any institution that receives funds from a
program from the Department of Education, at least I think that’s correct, so
what I’d like to understand is these school based health clinics, not really so
much looking at the universities now but at a school, is that a clinic that is
totally funded by public health and they just set it up, how many clinics are
we talking about?

DR. BERGREN: I can’t really speak to the numbers, I do know where I’m
working in the City of Chicago definitely new school based health clinics are
opening every year and they are usually funded with either health care dollars
or community dollars, or philanthropic dollars. They’re run by corporations
that are not educational entities and they’re, even if they’re housed inside
the school they’re completely separate from school health operations.

MS. HORLICK: It can be physically inside the school but not —

DR. BERGREN: I know that occasionally the school based health clinics will
hire a school nurse that does the traditional school nursing function but that
would, then you’re into a hybrid situation where those records would be
maintained separately.

MS. HORLICK: What I’m thinking of just for example is let’s say now there
are a lot of recommendations now for new vaccines for adolescents, so if public
health would set up a clinic on a school and whether or not there was consent
and so forth, but if that was not, I mean that information would not be covered
by FERPA, am I correct in assuming that?

DR. BERGREN: That’s correct, should another acute or public health entity
come into a school building and simply use the facility for a function in their
province then that would be covered by HIPAA, it would be covered by their
operations. Now if schools hired an outside agency, and this actually happens,
they frequently will contract with the local public health department to come
in and conduct hearing and vision screen, then they’re a contractor of the
school and those records are covered by FERPA. However those are difficult
issues and many people in schools don’t read this entire book and understand
where the line begins and ends and we’ve just given our best recommendations as
to how we think some things should be handled also but I’m confident that the
answers that I just gave you are correct.

MS. HORLICK: That’s consistent with what I thought but it’s never been
really clear to me, people are always looking for an understanding.

MR. ROTHSTEIN: Dan, you had a comment or a question?

MR. RODE: I have a comment, my comment is for me personally as the father
and as a guardian of four children, two of these children are autistic, one
child has behavioral health problems, one has a speech therapy problem, and my
own children over the time in life had various problems. If this subject does
not get recognized by this subcommittee, and we’ve had testimony, a couple of
years ago I remember very vividly the testimony, I’m not sure it’s going to get
a hearing anywhere else. And I hope that even though trying to look at how we
deal with HIPAA and FERPA is not an easy task I think it needs to at least be
highlighted and brought to the attention of those folks who can begin to deal
with this.

As was testified, between my children and the children I now have
guardianship of, health care in schools has increased significantly and there
is the need for teams and there is the need for various people to be involved
in the system but there’s also a desperate need for the privacy that HIPAA
provides. And I’ve had enough experience with HIPAA to feel comfortable in
making that recommendation but I also think that if you all can’t move this
forward, maybe as a stand alone compared to the other topics that you’re
discussing, it’s not going to be heard because of all the reasons that have
been explained that the schools have to face, it’s not the top issue in the
schools but it sure is for those of us who are parents of chronically ill
children and children who need this extra assistance and whose life and
reputation is going to depend sometimes on the privacy but sometimes just in
making sure their records are in the right place.

Thank you.

MR. ROTHSTEIN: Thank you, Dan.

MR. HOUSTON: FERPA is out of Department of Education, correct? So I guess
the one rub on all of this, and I agree with Dan, is that you have to deal with
two agencies now. Is this on the radar screen of the Department of Education?
Do you know whether something has been brought up as an issue to them or would
this be coming in, would they be coming in blind to this if somebody from HHS
said there’s an issue?

DR. BERGREN: They were actually here two years ago.

MR. ROTHSTEIN: Yes, they testified before us, the FERPA people from
Department of Education —

MR. HOUSTON: Why don’t I remember that? I was there, I was probably there
for the meeting, I don’t remember it now.

DR. BERGREN: They are getting a lot of requests for clarity, some of them
they respond with the letters on the website and others you get no response.

DR. TANG: So is the easier regulatory route to add to FERPA versus extend
HIPAA? At a distance it sounds like that’s something easier if they were
sympathetic and would accept advice.

DR. KIEL: Or removing the FERPA exemption from HIPAA because HIPAA is the
more prescriptive.

DR. TANG: I was just asking your opinion on which one is harder to do.

DR. BERGREN: I think it’s priorities —

DR. TANG: So FERPA would be the keep it in one agency.

DR. BERGREN: I think the issue is priorities and the priority of the
Department of Education in no way is health care privacy and the priority right
now is No Child Left Behind which has definitely overwhelmed at the national,
state and local levels, that is the number one consideration in schools, I mean
this is not on the radar and for us to request changes in FERPA as health, the
minority employees in a school setting, I don’t believe will occur, I mean
we’ve asked for that and it’s not a priority to them, therefore I believe that
because schools really are agencies that provide health care that from my
perspective it would be better to have it covered by HIPAA.

MR. ROTHSTEIN: Thank you very much for that testimony, both of you, and
it’s on our agenda, it’s really never left our agenda but we’ve had other
things as well, but I do want to thank you and if you have further comments you
want to submit we’re happy to receive them and we hope we can contact you later
if we need more information.

On our schedule now is subcommittee discussion time up to 1:00 and before
that we will have a brief recess until 12:15 and then we’ll have a subcommittee
discussion until 1:00.

[Brief break.]

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: We’re now ready to resume our subcommittee discussion
following our three panels of hearings over the last two days and the first
question is now what? I mean seriously, there are various ways that we can
proceed, we can decide that we want to take on this non-covered entity issue in
kind of a global way and get testimony from the financial institutions and
other non-covered entities and find out what their views are. We did have
trouble getting lots of people to come here and talk to us —

MS. BERNSTEIN: Well, there were others that we were going to try to get and
I sort of think, I was of mixed mind, when I first started doing this I thought
we need three or four witnesses on every panel but it turns out the last time
when we had just two I thought, we had time to talk and the discussion was more
lively and okay so I really would have liked to have got a union representative
for the employer panel and as the discussion in the last panel I’m thinking
well maybe I should have gotten the person from the Department of Education to
come back, they had appeared once before but maybe our witnesses would have
been inhibited if the regulator was sitting there, it’s enough that Susan is
sitting there, or the rest of us from the department are sitting here, to have
your regulator of which we’re all members of the department, whether or not
they actually know what your particular job is —

MR. ROTHSTEIN: The other way that we can do that, what I’m saying is going
forward we can either sort of stack all these issues up or break them apart and
I’ll be interested in your views. Paul?

DR. TANG: I like the direction we’re going in terms of your stacking them
together or break them up. I think the theme, and we talked about the theme
before but I think with the passage of time it actually just becomes both more
important and more urgent and that theme is, I’d rather call it uniformity than
the non-covered entity, but the uniformity in protection of information
wherever it resides and whoever has access to it as well as the use of that
information. So we heard today a lot of the exchange of information,
information passing to various parties, the other side we’ve touched on again,
secondary use, but it’s almost as if I think we should consider both sides of
it but the same solution, i.e., uniform protection, is a direction we seem to
be headed towards and understanding the implications to the various groups I
think is very helpful. So I found these three panels we’ve heard from today,
these past two days, very helpful.

MR. ROTHSTEIN: So who else is on your list as to who else you would want to
hear from?

DR. TANG: You already said you scheduled researchers for the next panel,
you just mentioned —

MR. ROTHSTEIN: No, no, not researchers, we’ll talk about that —

DR. TANG: So you mentioned financial and I think there’s a different
complexion to financial than whenever you heard from them before because of for
example HSAs and 835s, so their role, the intermediaries, health savings
account and all of a sudden you’re going to be, 835 as Harry was explaining to
me this morning is a HIPAA form, it attaches with the remittance that goes
through banks, so banks are not just processing your credit card purchases,
they are credit card purchase “with the accompanying reason for that
transaction” —

MS. MCANDREW: It’s the explanation of the billing. It’s not the claims
attachment, it’s an explanation of what each financial transaction, what’s all
bundled into that financial transaction and the codes.

MR. RODE: It actually is the remittance, 835 is a two part transaction, it
includes the money itself and it includes, in some situations it includes the
remittance itself, in some banks it goes right through the bank, they strip off
the money, it just keeps on going to the health care entity. In other banks
they actually store the whole thing depending on what the agreement is between
the entity that’s receiving the payment and the bank that’s essentially serving
as their lockbox. And we’ve been working since about 1996 at least with
Medicare under just an agreement with Medicare to do that but we’ve never
addressed it full blown, it’s just kind of something that’s sitting there.

DR. TANG: So in other words the world has changed just in two years and I
think we need to, I mean certainly HHS came on the scene within the past two
years but the dimension and the scope of the risk in our work I think has

MR. RODE: Within the last six months there have been seven banks that have
taken over health care entity activities and the question is, is the activity
one of those that’s covered under HIPAA or isn’t it, and I think to some extent
you’re looking at both.

MS. BERNSTEIN: So we did actually start originally by thinking about having
a financial institutions panel of some sort and that didn’t work out, basically
the answers I got back, and I wasn’t focusing on this issue because I wasn’t
aware of it actually but the idea that we had written about in our June
22nd letter that the use of health information for making financial
determinations about consumers’ loans or mortgages or other sorts of things
like that and they sort of, the response was just sort of pooh pooh that and
say well we don’t really use that, it’s not really that big an issue for us and
we don’t have so much to say about it. So they kind of declined our invitation
and I went on to other sort of industries that were more interested. There were
a couple of other places where I thought we could get more information even on
the same areas so for example I was hoping to get, on the recommendation of one
of our witnesses actually, to get the actuaries in here, because a lot of the
questions that we had to the insurance companies were about things like well
how relevant is 20 year old information that the person used to be a smoker 20
years ago and the insurers don’t necessarily know what the answer to that is
but the actuaries are the ones who think about that kind of stuff. And they
couldn’t get someone here but they were very interested in talking to us and
were happy that we were interested in them and sort of had thought of them and
so I’m disappointed that I hadn’t gotten to them earlier. But there are certain
other pockets of expertise that we might hear from that could further
illuminate what we’ve already started on now so I have in mind some of these
other ones, I’m not sure how I’d put them together in panels but we could talk
about that.

MR. ROTHSTEIN: Are there other people that we need to hear from to complete
our knowledge set on the school and college health issue?

MS. BERNSTEIN: Yeah, I think your question in particular about the
administrators, the counsels of the universities, those sort of folks,
especially when we heard Dr. Kiel’s testimony that she does get requests from
faculty members, from administrators and so forth which she has to deflect, it
seems to me that there are categories of people who would not like it that
rules would apply to them that would prevent them from, I mean right now in
practice they’re prevented from getting the information but as she said legally
they could get the information because they’re part of the same educational
institution and it’s by practice or custom that they don’t get that information
and she also said that that’s in her university but she’s not aware of what may
happen at other universities. So I think that there are communities within the
university setting or school setting in terms of administration that might be
useful to hear from.

DR. TANG: Another group, actually Dan’s comments stimulated me to think
that another group potentially are families of people with either chronic
conditions or disabilities to hear from them on either their needs, or it’s
very interesting, in a Markle survey concerned about privacy and security one
of the questions he asked was if you had medical records online what groups
would you feel comfortable sharing it with, and of course the primary doctor
was at the top of the list, insurers were at the bottom, but next to the bottom
was family. So it would be very interesting to hear from folks who have
concerns or have health information that could be sensitive and hear what their
thoughts are, so that could be another —

MR. ROTHSTEIN: As well as maybe special ed people.

DR. TANG: All the people who have special needs but also might have special

MR. HOUSTON: With regards to that first group that you discussed, the
family group, HIPAA as is already provides for that —

PARTICIPANT: Not for schools —

DR. TANG: And my context was more where Maya was going, in other words tell
me about the banks, from those groups tell me about the banks and the schools
and the employers, I mean we are also employees so we have our own view but I’d
like to hear the views of people with special needs.

MS. BERNSTEIN: The consumer population —

DR. TANG: It’s not even the broad consumer, the people with special needs.

MR. HOUSTON: We have to be very careful about that and what I mean is that
I think there’s also an opportunity, unfortunately I’m going to sound mean
spirited about this but there’s an opportunity for people to come in and whine
about the few, their vision of the horror story, their own case which may or
may not be as egregious as it sounds —

MR. ROTHSTEIN: That’s all right, we’re used to whining.

MR. HOUSTON: I mean being a privacy officer for a very large institution a
lot of what I sometimes have to deal with are the cases where we did everything
right, the person had a generalized complaint that again we did everything
correct and yet they’re still aggrieved and there’s nothing you’re going to do to
change your opinion and you did nothing wrong.

MS. BERNSTEIN: But we do generally get our witnesses from organizations,
representatives of policy organizations so you could patient advocacy
organizations or special ed advocacy community, that sort of thing, we’re not
talking about individual people who don’t have a record of thinking about
policy but people who are, organizations that are —

MS. HORLICK: We could look at kind of asking them what kinds of sharing
information would be helpful for them to be shared among what different parties
and what kind of information they would not want shared without authorization

MR. HOUSTON: Why can’t these groups I guess asking for additional testimony
or supplementary testimony, to ask those types of questions so that we can hone
in on, because I’m sure that they have come in contact with just these
situations in the course of, or their members have in the course of them
performing their jobs and obviously have practical solutions, or maybe don’t
have solutions or they have concerns.

So I think a way to address the situation may be to ask supplemental
questions of these two individuals, I thought it was very good testimony today
and I thought it worked very well and I think they could, especially Martha
because I think a lot of what they’re talking about is, what you’re asking,
Paul, really isn’t probably in the primary and secondary school setting. Let’s
ask them and see if they’re willing to submit more, do a little bit of research
for us to give us some additional guidance on these types of things.

DR. TANG: I mean I found Dan’s comments very helpful.

MS. BERNSTEIN: In the first panel for example I don’t think you could ask
either of those representatives to properly represent union opinions about the
use of records by employers, you need to have representatives of employees
properly representing that. And I think in the same case these are people who
work in a school setting and yes in general if they are health care
professionals they are on the same side as their patients but there are places
where they’re not, or they might not be. And we heard in a previous hearing
from sort of patient advocacy type organizations as opposed to physician
organizations and they had different opinions. I just think we could find
non-whining representatives of those organizations that give us a more fulsome
report on their position.

MR. HOUSTON: I still believe there is great value in asking these for
supplemental testimony regarding these situations.

MR. ROTHSTEIN: Let me just see if I have your wishes, collectively, and on
each of the three topics that we heard yesterday and today it’s your sense that
we want to take additional testimony? For example we did not hear from several
different insurance lines, we had the NAIC guy testify about all sorts of
things but we didn’t actually have a disability or long term care insurance and
so forth, we didn’t have an actuary here, in the employment area we did not
have any representatives of big companies, little companies, unions, I mean
there are lots of additional people you could imagine testifying as well as in
the third panel. So my question then is, I’m happy to do that but we need to
recognize that the cost of doing that is delay and that if we have let’s say
one more hearing on each of these topics now we’ve got three more panels and
we’re thinking maybe okay we want to do financial institutions and so on and so
forth. I’m happy to do that but we’re now committing to something that’s going
to take maybe a year before we get a letter out.

MS. HORLICK: All of the things that we just mentioned, this 835 is really
new to me and maybe before when we were, Maya, I don’t know when you were
trying to go to the banks and you were saying how do you use the information,
that’s different, but maybe asking them about this form, I never heard about
tearing it off and some of them keep the information and some of them don’t, I
mean I would really like to know more about that.

MS. MCANDREW: That has been, I mean that’s a transactions and code set
conversation which has been going on since the beginning of their regulations,
it is not a new thing —

MS. BERNSTEIN: Is that something being taken up by Standards and Security,
by another subgroup? Does anyone know?

MS. MCANDREW: I mean there is no privacy aspect to it except to the extent
of a conversation as to whether or not any of that activity spins out into a
clearinghouse function and/or converts the bank by how they handle that
information into becoming a covered entity and/or a business associate of the
covered entity on whose behalf they do it. And again that’s not a new issue —

MR. HOUSTON: But HIPAA applies is basically what you’re saying —

DR. TANG: So far it doesn’t apply.

MR. ROTHSTEIN: I think there’s a view that it could be, depending on what
they did they could be considered a clearinghouse, they could be considered a
business associate or they could be considered nothing and not covered, but we
don’t know exactly —

MR. HOUSTON: I would love to know how they’re not covered, in some way
shape or form either there’s a BA, business associate or as a covered entity,
I’d love to know how.

MS. MCANDREW: HIPAA has an 1179, they have a carve out for financial
institutions who are performing financial transactions. And the question is to
what extent does the processing of this information as part of the remittance
advice come within the rubric of the simple financial transaction or when does
it step over into an actual function that is separate from the traditional
banking financial transactions and becomes an extra service, non-banking
service, that’s being provided by that financial institution which then
engenders either looking at this activity as a clearinghouse function and/or
something that requires a business associate contract.

MS. BERNSTEIN: I hate to put you on the spot, is that being looked at in
some other forum or is guidance forthcoming on that issue or is it something
that’s worth taking up by this subcommittee? You seem to be saying it’s not
really because it’s being taken up elsewhere, or that the question is at least
well defined.

MS. MCANDREW: The question, it was probably about the same time that you
all last heard from the banking folks, there was a lot of discussion around
this issue, it involved us, it involved GC, it involved CMS, and I believe with
time that the heat on that discussion has tempered off and how actively a
solution is being pursued I can’t say —

MS. BERNSTEIN: And then the question is just in the industry is the
practice, or the interpretation in the industry to consider themselves not
covered, or to consider themselves a business associate or to consider
themselves on the hole, do you have any sense of that?

MS. MCANDREW: I mean it really depends, I mean it has been a tradition
within the industry that they do perform these lockbox kinds of activities on
behalf of customers and those everyone is accepting I think. The general
practice is that that is a business associate function that they are performing
outside of their traditional financial activities but much of the processing,
the routine processing of the 835, whether it’s a flow through function or
whether at the end of the day there is some translation of that information in
order to match it up to statements that they are providing to the entity, the
provider, as part of their banking function, that the banks are still looking
at that as a financial transaction that is exempt from HIPAA.

DR. TANG: I’m trying to bring some closure to your question, where do you
want to go from here, I think right now we’re on a path to exploring the costs
and the risks of the non-uniform application of HIPAA rule across all people
who touch health data, and it would be worthwhile to hear from the banking, the
financial industry that processes these 835 transactions and perhaps one or two
other panels but all in the scope of one day of hearings and move on towards
deliberations and formulation of our recommendation on this issue.

MR. HOUSTON: I said this offline yesterday and I still have the opinion
though I know I’m not in the majority that I heard nothing in yesterday’s panel
that leads me to believe that there’s anything additional for us to do with
regards to the things like life insurance and the like, that’s my opinion, my
opinion, I’m allowed to have one, and I think that these two panels today were
very clearly a case where I think there is something that we can and should do
and I would, my personal opinion recommendation is that we should focus on
these two panels.

MS. BERNSTEIN: May I say something about timing? I’m not sure exactly how
to put this but if you think about the, if we wanted to make, if the
subcommittee wants to make recommendations to the department that are going to
be useful to the department in the next little while, and you think that the
subcommittee would recommend changes to the HIPAA rule or to some other
legislation or regulation, there is a limited time in the current
Administration for when that would be most useful. So you might keep in mind
the timing of how long that kind of a process if that is your intention to
actually try to get some action out of them. But on the other hand the
subcommittee is a long term 50 year thing and you can be thinking in a longer
term but just in terms of strategy you should consider the timing of your

MR. ROTHSTEIN: My opinion is that I haven’t heard anything discussed in the
last three panels that could be addressed by HHS itself and that Congressional
action would be necessary. Certainly in the area of employment and certainly in
the area of the FERPA/HIPAA problem I think clearly there is going to be need
for Congressional action and it’s not something that can be fixed internally
and so I don’t think we’re under the gun in terms of we have to get it in the
pipeline because this Administration ends in two years. But on the other hand
it’s something that would be good for us to document because we do have a
recommendation, recommendation 12 in our June 22nd letter, and what
we are basically doing now is sort of fleshing that out and giving more
examples as to, Harry’s not here but it’s the you touch you own it principle
that he often talks about it and so that I would think that it’s, I would like
to think that by spring or summer at the latest we can get out a letter to the
Secretary on this issue. And what we should be looking to do is have another
maybe day and a half, between a day and two days of hearings, sometime after
the 1st of the year to get more information from those areas that we
think we don’t have enough now.

MR. HOUSTON: What are we doing between now and the end of the year? Is
there anything —

MR. ROTHSTEIN: I want to talk about our June 30th hearing as
soon as we wrap this up.

MS. BERNSTEIN: November?

MR. ROTHSTEIN: I’m sorry, November 30th hearing.

MS. BERNSTEIN: I don’t know, does anyone have the schedule, or Marietta do
you have the schedule for the upcoming hearings of the full committee? Because
in order to get a letter out of course we would have to get it through the full
committee —

MR. ROTHSTEIN: There’s a June 20th meeting of the full

MS. BERNSTEIN: There’s a November meeting?

MR. ROTHSTEIN: There’s a November meeting, those are the two days before
our regular, there’s a February meeting and then June.

MS. BERNSTEIN: So when you say spring —

MR. ROTHSTEIN: So our goal would be to have a letter for the June
20th full meeting and if that doesn’t work out then it would be

MS. BERNSTEIN: Okay, in the process we began with the last letter which
frankly I thought was quite useful to give the full committee a heads up on the
issues that we’re considering and the type of letter that they would see we
would want to make some kind of presentation at the February meeting even if
it’s like we did last time short and highlight major themes or something.

MR. ROTHSTEIN: I think that’s a very good idea, what we can do is even make
a short presentation at the November meeting telling them this is what we’re
looking into now even though we don’t have any sort of —

DR. TANG: I would strengthen that suggestion which is June 1 target for
final approval, November give them the heads up on what we’re planning, and
schedule the hearings such that we could have the draft principles, following
our last path, available for the February meeting to basically elicit comments
on, not just that we’re doing something.

MR. ROTHSTEIN: Well February is the 13th and 14th so
we would have to have —

DR. TANG: December or January.

MR. ROTHSTEIN: We’d have to have a late January hearing, or mid-January
hearing, that’s cutting it a little close, I don’t know that we could have the
principles to them but we could certainly outline some of the issues that we
were wrestling with, for example the FERPA/HIPAA issue, we can lay that out
without giving sort of principles.

MS. BERNSTEIN: And I’ll ask Sabrina to circulate a calendar then right away
because you guys are all very busy people and it’s difficult to get on your
calendars all on the same day so if you want a mid-January date we should start
thinking about it now. Yes? Okay.

MR. ROTHSTEIN: Okay, we’ll start working on that and I want to just take
the rest of our time to talk about the November 30th hearing that we
have scheduled. Do you have something else —

MS. BERNSTEIN: We were going to talk about this topic that we talked about,
I was thinking that if you really want to get a letter out you want to consider
whether there’s anyone else on the topic that you want to write about that you
would want to hear from and postpone this one, I don’t know, let’s talk about

MR. ROTHSTEIN: I don’t want to postpone this, it’s too important.

The topic for the November 30th hearing you’ll recall from our
conference call is how would you go about designing a research strategy to
measure the effects of the HIPAA privacy rule, and not do the research but to
just see whether research is feasible and if so what kind of research that
would entail. And at the moment I have been sort of playing around with the
idea of having three panels, the first panel would be survey research experts
who could tell us what a survey or focus group of patients for example, do you
feel like your health privacy is protected now, is it better than it was
before, do you know what protections are in effect as a result of the HIPAA
privacy rule, etc., etc., etc., and there are various possible names under the
survey research heading.

The second would be national organizations which might have an interest in
or access to, or might want to help us collect data for this research, for
example JCAHO, what questions do they have that ask about these sort of things,
the Federation of State Medical Boards in terms of complaints relative to
alleged privacy breaches by physicians and the licensing processing, AAMC, to
what extent are medical schools and residency programs training people in
privacy and confidentiality, etc.

And then the third group would be study design people, in fact I talked to
Ed Sondik this morning and he is going to search around for somebody at NCHS
who was a study design person, and I also talked to Gene about somebody from
the Urban Institute and maybe somebody from RAND, etc., to see if they can give
us some broad ideas, and any suggestions that you have would be wonderful,
about this.

I also met with Marjorie and she thinks that there would be money to hire a
contractor for this project and I think this would be very valuable because the
role of the contractor would not be to do any of the research, just to prepare
a document that would be sort of like a feasibility study that yes, research
could be done along these dimensions and to do that we would need some
individual or entity with expertise that I certainly don’t have and also
someone who would have the time to devote to putting together a report for our
consideration and then possibly endorsement by the full committee. And at that
point depending on what people came up with and how good it was and whether you
would want to disaggregate the parts or whatever, either HHS might decide they
want to fund it internally or Congress would want to give it an extra
appropriation or NLM or NIH or AHRQ or who knows, IOM. But I think this is a
topic that we’ve talked about for a long time doing this kind of research and
taking the first few steps to kind of outline what it might look like I think
would be very helpful.

MR. HOUSTON: Can I make a suggestion on another panel or panelist? You and
I have talked about the fact that one of the problems we’re going to have in
trying to measure this is that unfortunately there was no measurement done
prior to the privacy rule and as a surrogate for that I think maybe one of the
things, and I don’t know if this even exists, but if there is somebody who is
some type of anthropologist, somebody who could go back and infer privacy
perspectives information pre-HIPAA from publicly available surveys that maybe
had been done through the course of the last decade. I don’t know how this
person would do this but it might be interesting to see if we can track
somebody down who is able to try to —

MR. ROTHSTEIN: Well, an example would be the California Healthcare
Foundation has done pre- and post- privacy world surveys.

MR. HOUSTON: Right, but I’m talking about somebody, one of my fears is
depending on who’s doing the survey and what their perspectives are you’re
going to get some bias, I’m thinking of somebody that, finding somebody who is
skilled at looking at multiple surveys, maybe that would be just one, who could
take that information and in a way normalize it so that we can say okay, I’m
going to use that information against the backdrops of the surveys that now
we’re going to do in order to infer back —

MR. ROTHSTEIN: But keep in mind, John, what we want is not someone who is
going to do the study that you suggest but someone who could describe the
methodology of the study —

MR. HOUSTON: I understand, I understand, but if there was somebody who
could testify as to maybe the approaches to do it or whether this is something
that could be done, I think it would be valuable to hear because that would
tend to shape and inform our discussions about how to do it and what to do in
terms of a study.

MR. ROTHSTEIN: Absolutely but we’re not going to be evaluating any studies

MR. HOUSTON: I understand, we’re talking about putting together an agenda,
I mean you’re talking about making, basically at the end of the day almost what
you really want to do is form a proposal in order to do studies and all I’m
saying is part of that I think could be having somebody who could provide us
guidance as to how to scope this to make it —

MR. ROTHSTEIN: I agree. We have over the last several years and including
in our June 22nd letter recommended that the Secretary engage in all
sorts of research activities and now to sort of push the ball forward a little
bit we’re going to say well and this is what we have in mind and here are the
experts who told us that. Paul?

DR. TANG: I completely agree with the need and the value of such a study, I
don’t know that I agree that that’s the best use of this committee’s time, in
other words that sounds tactful in execution but as you’ve said we’ve put words
down in recommendations to say that we’d like this to happen, I could see
hiring a contractor like you’ve used Margret A. to do certain projects to come
up with it but I don’t know that having a hearing on various methods is the
purview of this group, I mean I think you can act out on some recommendations
by hiring a contractor.

MR. HOUSTON: I recognize the point about the methods issue, I’m just trying
to, my purpose is to understand the feasibility of even, I don’t want to make a
recommendation for which isn’t feasible, I think we need to at least get enough
information on whether it’s possible and appropriate before we make a
recommendation to do it or not to do it.

DR. TANG: That’s why I like the idea of engaging a contractor, a well
selected contractor to ferret that out. But we just finished talking about
something where we have a very sense of urgency, where we said we didn’t have
time to complete a phase of it by February, why wouldn’t we use that time to
act on that, to provide input to formulate a recommendation for our June
meeting that does seem like it involves committee work, subcommittee work and
then committee work.

MR. ROTHSTEIN: The advantage of doing this in the sequence is that we might
give the contractor six months to do it and take up the issue again after we
have finished this, there’s going to be some lead time in actually doing the
work by the contractor. So if we didn’t sort of, if we put this on the back
burner and dealt with the uniformity issue first by the time we could get to it
again, let’s say next summer or fall, then we’d have to start all over again
and six more months would go by before we could get anything in hand.

DR. TANG: But I’m not sure why you need to put it on the back burner, I’m
saying the committee is useful to hearing input and formulating recommendations
about policy, I don’t know that we need the committee to hear different study

MR. ROTHSTEIN: Because we can’t just hire, A, we don’t know what contractor
to hire and B, we don’t know what to tell them we are looking for, and so that
is really the purpose of the hearing, to try to get a sense of where in the
universe we’re going to find information and talking to senior staff on NCVHS I
raised the question of hiring the contractor first and it was suggested to me
that we should have the hearing first and then the contractor because we
wouldn’t know what to tell the contractor to do and wouldn’t be skilled enough
to evaluate who to ask.

MS. BERNSTEIN: That’s sort of the problem, I feel a little uncomfortable
because I feel like I wouldn’t know how to evaluate what I was hearing because
it’s not my expertise and I’m not aware of how much expertise there is in the
subcommittee, probably more than for me about this kind of thing. I wonder if
what we could do is, if there is contract money, is basically draft an RFP
which would result in a bunch of proposals coming in that could be evaluated as
opposed to doing it by hearing although that’s the usual way we do our work, I
don’t know if we have the authority to do that but if we know the questions
that we want answered, we know we want to somehow evaluate HIPAA, we could
either, if we have contract money for NCVHS itself we could somehow draft an
RFI or an RFP that would get us the same result without doing it by hearing.

MR. ROTHSTEIN: The committee can’t do it, I mean we can’t send out RFPs —

MS. BERNSTEIN: The department, because the contract money has to be
overseen by the department but in the same way that AHIC has, it’s not AHIC’s
contracts but there are contracts put out by the department that are designed
to give input into that advisory committee process —

MR. ROTHSTEIN: See, I think this issue can be studied but I don’t know, I’m
not an expert, and I would love to hear from three people who say you can’t do
this for the following five reasons and the only thing that you can do is this
little subpart of this and here’s why and that would be very helpful to me.

MR. HOUSTON: I would tend to agree with Mark, we don’t know what we don’t
know and therefore taking a little bit of time to understand it and then put
the RFP or RFI out I think would at least give us some basis what we’re going
to ask in those.

MS. BERNSTEIN: Did you happen to talk to Harry or Simon about it?

MR. ROTHSTEIN: Did I? No. Well, I did talk to Simon generally about it and
he was supportive but I have not talked to Harry in detail about it.

DR. TANG: Of course I don’t know what Harry would say about this idea but I
do know how strongly he believes about the uniformity and so I am only talking
about timeliness and impact and I believe that the timeliness is much higher
for dealing with the uniformity and I would guess but do not know how he would
compare this, that Harry does feel very strongly about that as well.

MR. ROTHSTEIN: Well an option is, first of all I feel very strongly that we
ought to have a hearing before we start marching down here because I don’t know
what I don’t know. But I’m open to the idea of having a November hearing if
that’s feasible to sort of plug gaps in our knowledge base relative to the
uniformity issue.

MS. BERNSTEIN: Well the January, if we set on a January hearing, if we
don’t think it’s going to deter our getting to the June recommendation and you
want to have a January hearing, I mean we have then two shots at it basically
to schedule however you like with whatever topics you want, one in November and
one in January, and in fact we could have, we can have meetings of the
subcommittee, you guys are going to be here for the committee meetings anyway,
we can certainly have meetings in between by phone but at the meetings that
you’re already planning to come to for the full committee that will give us
time to discuss the matters that we’re talking about getting on the agenda for
the June meeting, both in February and then like we did the last time by
conference call. The question is whether doing what Mark wants will deter the
timing and I’m not sure that it will, like they would defer is the word I mean,
is it going to cause a problem with us getting to our June goal.

DR. TANG: So I don’t have any problem with doing the hearing before trying
to engage in a contractor, can we work on the higher timely proposal first,
ensure that it gets scheduled, and if there’s a contingency schedule like
January where we don’t know, we already have a November scheduled and as long
as we can get the other one scheduled —

MR. ROTHSTEIN: Let me see if I can have a recommendation that we can live
with. We’ll shift the November 30th hearing to the uniformity issue,
we will try to schedule a mid to late January hearing and leave the topic open
for the moment where we can use it for a second additional uniformity hearing
if necessary and if we think we have enough information we can then make that
hearing over into the initial one for the research methodology. Would that

MS. BERNSTEIN: Yeah, and another advantage which is there’s not that much
time between now and November, probably easier to get people on the uniformity
issue than to have researchers think about a new issue that they might, a
survey design for something they haven’t thought about, and I can start on that
now whereas starting in December to find witnesses is not going to work because
people are going to be away. So the question though then is left okay well we
still don’t have that much time between now and November, who do you want in
November? Who do you want me to track down and I’ll be happy to do it.

DR. TANG: I can’t make the November meeting.

MR. ROTHSTEIN: Now you want to go back to the other topic.

MS. BERNSTEIN: So you won’t be here, okay. I’m waiting for suggestions on
what you want me to track down for the November meeting.

MR. ROTHSTEIN: Well, I think in the interest of completeness we maybe ought
to try to fill in the gaps of the people that we haven’t heard from, so for
example in the school issue we might want to hear from NACUA, the National
Association of College and University Attorneys, who would have —

DR. TANG: I don’t know that we need to go back to other insurers or other
schools, I think we get domains, so we got schools because it has a FERPA, we
get banks because it has an 835 —

MR. ROTHSTEIN: So other than financial institutions who do you want?

DR. TANG: I don’t know.

MS. BERNSTEIN: John was saying that he thought that the schools, I know
there’s this interest in the financial stuff, we heard a couple of compelling
arguments that the school issue even if it needs legislation is sort of
reasonably well defined, and if you think that that’s, if you think that’s an
area you want to pursue we could fill in the gaps on that.

MR. HOUSTON: Might I suggest, I agree with Paul, maybe what we do is we do
a single panel related to banking and that we then use the rest of the time to
do work on the research.

MR. ROTHSTEIN: What do you mean by do work?

MR. HOUSTON: Well I mean get a panel together on the research, we may find
that, how much time do we have in November?

MR. ROTHSTEIN: We’ve got a whole day?

MR. HOUSTON: Why can’t we hold three panels and have one for banking and
two related to developing a research strategy and do it all in one day?

MS. BERNSTEIN: We could have four panels, it’s a long day but you could do

MR. ROTHSTEIN: We could do it, yeah, we could do it, one in the afternoon

MR. HOUSTON: Personally I was satisfied with what I heard today —

MS. BERNSTEIN: It’s a 9:00 to 5:00 meeting for us?

MR. HOUSTON: I think we can draw the conclusions that we need to draw at
the level we need to draw them at based on what I think we heard today and I
think that it does allow us to move both forward.

MR. ROTHSTEIN: I’m happy to do that.

DR. TANG: I’d actually prefer the uniformity stuff for the afternoon.

MR. ROTHSTEIN: Okay, so we need to find out what time the second day
adjourns, that is November 29th, to see whether we can get a panel
to begin that afternoon like we did yesterday, and then have two or three
panels the following day.

MS. BERNSTEIN: So you want to do them both in November, and you’re done
with schools and employers —

MR. HOUSTON: Again, I think we have the opportunity to ask for supplemental
testimony if we need to if you think there’s areas we need to try and dive into
a little more and ask them even for recommendations if there are additional
testifiers that —

MR. ROTHSTEIN: We’ve heard from employers at least five times already, that
I can think of.

MS. BERNSTEIN: And we heard from employees once that I know about.

MR. HOUSTON: We can always supplement as we see fit.

MR. ROTHSTEIN: We did invite several employee groups and we can invite them
to submit comments to us.

Well if that’s it I know there are people with planes to catch and I want
to thank the staff for facilitating our meeting and we couldn’t do it without
you and I want to thank our AV people and Maya for putting the hearings
together and my colleagues for being here and both of you folks on the
internet, we’ll talk to you next time. The hearing is adjourned.

[Whereupon at 1:11 p.m. the hearing was adjourned.]