[This Transcript is Unedited]
Operator: Again, this is the AT&T Conference Operator. The recorder has been connected and this call is being recorded.
Woman: Hello?
Man: Hi.
Marjorie(?): Hi this is Marjorie Greenburg(?) and Susie Bebe (?).
Dave Schultz(?): This is Dave Schultz with the National Wholesale Druggist Association.
Marjorie: Okay, hello! Are we the first ones?
Dave Schultz: I think we are.
Marjorie: Okay. What was your last name?
Dave:Schultz.
Marjorie: Schultz. Thank you for joining us.
Jeff Blair(?): This is Jeff Blair. Hello?
Kathleen Fyffe(?): Hi, it is Kathleen Fyffe.
Jeff Blair: Hi Kathleen!
Kathleen Fyffe: How are you?
Jeff Blair: Fine. I just joined, is there anyone else on?
Kathleen Fyffe: I don't know.
Marjorie: Mike ___ and Phoebe Bebe(?) and I believe Dave Schultz.
Kathleen Fyffe: Marjorie, we can barely hear you.
Marjorie: Marjorie Greenburg, Susie Burke-Bebe(?) and I believe is it Dave Schultz from the National Wholesale Druggist.
Kathleen Fyffe: Okay.
Marjorie: And we will take a poll once everybody is on, once Kathleen and everybody is on I guess.
Man: Good morning everybody. Getting ready for Thanksgiving?
Marjorie: Yes.
Kathleen: Yes, and I am not cooking this year.
Man: Well I am not coming!
Woman: Yes, I am going to go out. It is the only way to do it. Are you going to have family members in, Jeff?
Jeff: My family and Nina's family are all heading up to Stanford Connecticut to my sister's house. We're having a big old-fashioned Thanksgiving and then afterwards, we're going to spend some time in the New York area going to a Broadway Show and getting some delicatessen food.
Woman: Oh good.
Woman: ????
Jeff: We're in ______, we're going to be there for about four days visiting a lot friends and relatives.
Marjorie: Have a great time!
Jeff: Thank you. How about the rest of you while we are waiting. Marjorie, what are you doing.
Marjorie: Well actually I am having a fairly big dinner tonight because my daughter got home about 10:30 last night from college. My son is going off to New York with his girlfriend, so tonight is the night.
Jeff: Tonight is the night.
Marjorie: And we're going to a friend's house.
Jeff: See that song was sung by the Shirelles, wasn't it, 1960.
Marjorie: Tonight is the night. (Laughs)
Richard Harding(?): Hello, Richard Harding is on.
Marjorie: Hi Richard.
Jeff: Hello Richard Harding!
Richard Harding: Good morning.
Marjorie: We're sharing Thanksgiving news until everyone is on, I guess.
Richard Harding: Well good.
Jim Scanlon(?): Jim Scanlon is on.
Marjorie: Hi Jim.
Jim Scanlon: Did I hear the Shirelles in the background.
Jeff: This is Jeff, Jim. Yes, you could tell I am an old rock n'roller!
Jim: (Laughs)
Marjorie: I'm warning you this is being taped.
Man: Yes, I am sure it will be listened to, carefully, by many people.
Kathleen Frawley(?): Hi this is Kathleen Frawley.
Mark Rothstein(?): Hi this is Mark Rothstein.
Woman: Hi Mark, how are you?
Mark Rothstein: Okay.
Woman: Are you the only one on the call?
Man: No, no. Richard Harding is on.
Kathleen: Hi Richard.
Richard: Kathleen.
Kathleen Fyffe: Kathleen Fyffe.
Kathleen Frawley: Hi Kathleen.
Woman: ??.
Kathleen Frawley: Hi Gail.
Gail: Hi.
Marjorie: That's great.
Woman: Jeff Blair is there.
Jeff Blair: Hello, Kathleen, this is Jeff Blair.
Kathleen: Hi Jeff.
Jim Scanlon: And Jim Scanlon, too, Kathleen.
Kathleen: Oh great! This is a great crowd.
Elizabeth: This is Elizabeth.
Kathleen: Hi Elizabeth.
Elizabeth: Hi.
Man: Kathleen, did you hear Marjorie Greenburg's name?
Kathleen: Yes, I heard her voice.
Marjorie: And Susie Berk-Bebe(?) also.
Kathleen: Okay, great. We don't have Simon yet, or is he not participating at this early hour? Otherwise we have all the B
Man: We might make a note because we had a conference call last week, and somebody just inadvertently went on hold and then the music just lasted the next thirty minutes. So please don't anybody put us on hold.
Woman: Hello, ??.
Woman: Thanks Jeff for the warning.
Woman: Oh, I guess we are waiting for ____ also.
Woman: _______ is supposed to also, I don't know if he was going to be able to make this call or not.
Man: Will we have members of the public calling in too?
Woman: Yes, we have one person I know, who has.
Man: Okay, we can go around the speakers when everyone is on.
Woman: I will try to munch my toast softly.
Elizabeth: This is Elizabeth again. I have to sign off after an hour and half; I can be here for that.
Man: Yes, I have about an hour and ten minutes, Richard Harding.
Woman: Okay, well hopefully we will get all of our work done as quickly as possible. So why don't we just go ahead? I just want to take role call just to make sure that I have everybody who is one the call right now and then we can started. I have Jim Scanlon, Marjorie Greenburg, Elizabeth Ward, Richard Harding, Mark Russ, and Kathleen Fyffe, anyone else join the call?
Jeff Blair:
Woman: I got you Jeff, thank you.
Gail Horlick(?): Kathleen, I am on the call. This is Gail Horlick.
Kathleen: Thanks Gail.
Mike Tate(?): This is Mike Tate with the American Dental Association.
Kathleen: Mark, I didn't catch your last name.
Mike Tate: It is Mike Tate.
Kathleen: I didn't catch your first name either, from the American Dental Association?
Mike Tate: Yes.
Kathleen: Thank you.
Woman: Dave Schultz, are you still there?
Dave Schultz: Yes, Dave Schultz with the National Wholesale Druggist Association.
Roberta Dean: Roberta Dean with the National Wholesale Druggist Association.
Man: Hello?
Woman: Hello.
Man: This is T.J. and Bernie on behalf of Quintels(?) and the Joint Health Care Information Technology Alliance.
Woman: This is Deborah Truss(?) and Dixie Snyder(?) of the Centers for Disease Control and Prevention.
Man: Hello.
Kathleen: Okay, well what I think we will do is to go ahead and get started. I think the easiest approach to take on this is really to start at the beginning. I would encourage committee members as they have comments, to point them out what their comments are, and any recommendations they have for language.
Kathleen Fyffe: Kathleen, this is Kathleen Fyffe. I have a question that has come up. There have been some formal requests to have an extension of the formal public comment period, a 30 or a 60 day extension. Does anybody know about the status of that?
Kathleen: I just know that some of the associations did write requesting extensions.
Kathleen Fyffe: Okay.
Jim: This is Jim. If an extension request is submitted, I'm sure the secretary would, you know, would consider it giving the timing, but on the other hand she is up against the February deadline, the final rule.
Kathleen Fyffe: Okay. What I request of you Jim and the others from staff, if in fact there is an extension granted, sometimes it takes a few days for that to come out in the Federal Register. If you know that it becomes official, if you could send an email around to all of us.
Jim: Yes, that is what we will do.
Kathleen Fyffe: Okay, thank you.
Jim: That's a great idea. Kathleen, this is Jim, before going into the actual MPR Rem(?) you may want to; oh, Linda Sanchez(?) has just joined us also, from ASBE(?).
Simon: And Simon _____.
Jim: And Simon as well. Kathleen, you may just want to indicate what the timeline is leading to the NCBHS, the subcommittee's drafting of comments and then the full committee drafting of comments and then getting them in by the actual date of January 3.
Kathleen: Well this meeting this morning is to develop the preliminary comments and the draft of this subcommittee's deliberations that would be given to the full committee by December 8. At which point the full committee would have a conference call, consider the subcommittee's recommendations, and that would be scheduled sometime within the two-week period after December 8th. At this point, the final comments would be approved by John Lumkin(?) and submitted to the department. This call is really to do the bulk of the work this morning.
Kathleen Fyffe: This is Kathleen Fyffe. With that in mind, do we want to come up with a few key areas that we would like to comment on and perhaps agree upon those key areas? I am afraid that within an hour or an hour and a half, because some people have to get off, if we start from the beginning, we could get sidetracked. Presumably, everyone has read the proposed rules and it strikes me that there are some key areas that the subcommittee would want to focus on in their comments.
Kathleen: Okay, that sounds like a good approach, Kathleen.
Kathleen Fyffe: Okay.
Kathleen: Do you have the particular areas?
Kathleen Fyffe: No, I am throwing it open to all of you.
Jim: This is Jim again. There were a couple of issues, you remember, that came up on the November 3rd meeting that you may want to consider including in your comments to the secretary. As you have done previously in your earlier recommendations, and some of them dealt with what the rule proposal does, and others dealt with what it doesn't do, and you went on record with a couple of things. For example, I think Mark brought up the idea that in essence this is a confidentiality statute for information. I think the question was raised about that this doesn't obviate the need for antidiscrimination measures, people measures as well. That was one of the points you had made, I think, in your earlier recommendations to the secretary as well. So you may. So there are certain things you may want to again emphasize in terms of what such a regulation can't do and then other things about the regulation itself.
Mark: This is Mark. As long as we're on the subject of general issues, I think the applicability and the scope of the proposal is very important. We ought to discuss the issue of whether it ought to only apply to records that are in electronic form or take a broader position. I think that is a very important issue.
Kendal(?): This is Kendal, I think in addressing that issue I would suggest that we would recommend to the secretary to extend the applicability to all records recognizing that ______ in gear, the department the authority to do so right now. I think we need to somehow recommend that this be extended to all records, not just specific EDI stuff.
Kathleen: Is everyone on agreement on that?
Replies: Yes.
Woman: I just want to point out, -
Kathleen: Who is speaking please?
Linda Sanchez: This is Linda Sanchez from the department. I just wanted to follow up to that note that B
Man: Have things gone dead?
Kathleen: Yes, if Linda Sanchez is talking, I can't hear her.
Man: Yes, I can't.
Woman: None of us can.
Man: Well how many of us are still on that could hear each other.
Woman: I can hear everybody fine.
Mark: Yes, this is Mark and I can hear everybody.
Simon: Yes, this is Simon, I can hear everybody.
Man: Okay.
Woman: Yes.
Linda: This is Linda and ___, we apparently had lost you for a moment.
Kathleen: Okay.
Linda: What was I trying to say? Okay. Regarding the scope, our general council believes that we do have the authority to cover non-electronic records that are held by those covered entities. So just as a follow up, I think someone had some concern that we didn't actually have that authority. We definitely assume that we will get a lot of comments with different interpretations of our legal authority, the position that we took here is that we did have in fact that authority but felt it was wiser at this point to stick with electronic records as they are ______.
Man: The trick is to extend it to employers, extend it to others that have entities that do not do EDI.
Man: So it really is a two-step _____. Number one would be to extend this scope to include all those who hold such identifiable health information, you know, beyond the three covered entities, and the second step would be what the nature of the information covered and it would extend to all such information, I guess.
Woman: But it wouldn't necessarily have it be in two steps.
Man: No.
Mark: This is Mark. One of the things that I would recommend mentioning, is that having uniform regulations applying to all medical records is really not over reaching by the secretary, but it is a way of simplifying the burdens and the regulations of the law for all those people who have to comply. It would be a logistical nightmare for downstream users of records to try to determine whether they are covered. I know the idea was, Well, because you are in doubt you ought to do it anyhow. But I think it is just much easier to just to require it.
Kathleen Fyffe: This is Kathleen Fyffe. That sounds like the first key point.
Kathleen: Okay.
Jeff: This is Jeff. Well that sounded like it was actually three different points.
Kathleen Fyffe: Well yes, I would say it is a discussion point within our comments.
Richard Harding: This is Richard Harding. So we're saying that individual practitioners who keep non-medical records would be included in the provisions?
Kathleen: You mean non-electronic?
Richard: I mean non-electronic. Pardon me, I misspoke.
Jeff: This is Jeff. Let me repeat what I understand from this discussion so far because the first few comments were a little confusing to me. It is my understanding that we're looking at increasing the scope of protecting the privacy of patients' identifiable health care information in medical records. We're increasing the scope so that this would cover paper based as well - where it is originally stored in paper based form as well as whether it was originally captured in electronic form, that's one additional expansion of the scope. The second, Kappa(?) mentioned was to extend the scope beyond the three covered areas and you had mentioned extending it to employers. I don't know whether you are extending it to anyone else? Is that correct.
Man: Yes, that is correct and other entities such as maybe even schools, which I know they are already described in here, but other entities in need of protection.
Man: Okay.
Dixie Snyder: This is Dixie Snyder from CDC. I just wanted to ask the group, based on this later discussion, whether we wanted to make a comment about your agreement of the secretary's proposed rules about the preference for a privacy law that would apply directly to holders of the information as to opposed to having to go through this particular rule making, which only gets at this other entities indirectly? Does the committee share the secretary's preference about having a comprehensive privacy law that would be applied not to just covered entities under HCFA but to researchers, employers, to who ever directly as opposed to indirectly through service providers?
Mark: This is Mark Rothstein(?). That would be my position.
Richard Harding: This is Richard Harding. I think we have already stated just about that exact thing in previous statements, that we preferred legislation on a federal level.
Kepa: Richard, this is Kepa. But it may be worth restating it and saying that we prefer this legislation, but in the absence of legislation if there has to be regulations, let's expand the regulation to cover all these non-EDI entities.
Kathleen Fyffe: Okay, so I hear two different things here. This is Kathleen Fyffe. I have heard that the rules need to be applied not only to the covered entities but also to other entities. I have also heard that the rules should apply not only to medical record information in the electronic form, but to other parts of the medical record.
Woman: Right. We agreed to extend it to other records.
Kathleen Fyffe: Okay.
Man: Now that is the piece that is little confusing to me. I had thought the expansion was from medical record information that is in electronic form to medical record information that is in paper based form, but I thought that it was still related to patient identifiable medical record information.
Man: That's patient identifiable health information.
Man: Patient, okay.
Man: Yes.
Man: Okay.
Kathleen: Okay, there is another major area that I would like to throw out for possible discussion with everyone and I am going to ask Mark Rothstein if he might be able to help me out with it. Do we want to explore the idea of making a comment about the access that law enforcement has?
Mark Rothstein: Yes I feel very strongly about.
Kathleen: Okay, perhaps we could have that as a second major area that we could discuss and possibly comment on. Mark, could you give us a little background? You know quite a bit more about this.
Mark: Well the proposal has a broad exemption under subsection 164.510f which permits disclosure for law enforcement purposes and for intelligence and national security activities. That would allow, I mean it is not limited. It doesn't require any type of warrant. It doesn't require any type of emergency situation, or exigent circumstance, etcetera. Conceivably, as Bob Gellman(?) had said at our meeting, any cop with a badge can go into a hospital and demand to see any records. So I think that is in an area that needs to be tightened up. Actually, I do have a proposal on that, that I would like to see added. It would be that the general rule for law enforcement and national security would be that someone who has these records in one of the three categories, may only disclose protected health information pursuant to a warrant. However, if there are exigent circumstances, which we can define that would justify an exception, then the records can be released without a warrant. However, if records are released under such an exception without a warrant, then notice has to be provided to the department that this is done so that they can monitor potential abuses.
Man: What about if we extend; oh, let us put it this way. If we indicate that federal agencies or FBI policing, CIA and all the rest would normally be required to get a court order, it shall have access to patient record information. How does that effect the stipulations that have been, and I am not exactly sure whether it is in these regulations or not, but I thought it was. There is a responsibility for audit trails recording everyone who has requested information, so that those of us as patients would see in our record that in fact, the FBI or some other agency did check our record. Is that supposed to also be in there or not?
Man: That is a good question. I don't know whether it is currently provided for but that is the other part of the proposal that I would support. In other words, if there is one of these exceptions, then there is a notice put in the record as well as a notice sent to the department so that they can monitor the extent to which records are being released without any kind of court order.
Linda Sanchez: This is Linda Sanchez. There is a requirement in the regulations that there would be a record kept if any unusual and not regular disclosures, which would normally include for law enforcement purposes. However, there are some methods by which the FBI or others for intelligence purposes can have those notices waived and there is some other provisions as well. It certainly is a contentious issue that we ???
Man: Yes, and even the Privacy Act I think protects the access of some law enforcement officials from this kind of requirement, but you are certainly, the committee should if they feel so, should go on record as recommending that. The proposal would require a disclosure history.
Richard: This is Richard. I think that it is nice to have that history. But I think it ought to be on the other end where there is some kind of a neutral party that has to be gone through. If that is court or whatever, and not the FBI having their own person who says to go or not go, except for narrowly defined emergent issues that I think we all could come up with as being pretty good agreement on. But just having that audit trail, I mean I don't think most citizens would have any idea of how to pursue that or how to look at it even. It is a nice thought.
Man: It sounds like you are agreeing to the higher standard for access that Mark has raised.
Richard: Yes I do.
Kathleen: Okay, so we have that point taken.
Man: Well as long as; I want to try to append on to that. This is Mark. One of the exceptions that is contained in the proposal would be to exclude from the coverage individuals who are inmates in correctional facilities and detainees in detention facilities. According to the proposal they have no privacy protections whatsoever, because they are not covered. It strikes me that this is a major deficiency that we ought to clean up. These people are in very vulnerable positions and they are afforded special protection by HHS in terms of research and here they are afforded no protections under the proposal. I don't know what the justification is other than convenience for excluding inmates from coverage.
Man: I don't hear any objection.
Man: No objection.
Woman: No objection here.
Woman: No, it sounds reasonable to me.
Man: Yes.
Man: I'm quitting. I will quit on a positive note.
Replies: (Laughter)
Man: You are on a roll.
Jeff: This is Jeff. One of the thoughts that I have as I suggest one side of the concern, which is protecting the individual, both in terms of access and in terms of audit logs, is that I am not knowledgeable about the kinds of situations that the FBI and the CIA have to address. I just sort of almost wish in one way or manner, whatever we propose could be part of some kind of a dialogue, because I think there has to be a balance. But I don't have the information on the other side to know where the balance needs to be.
Man: Well you know, I am not unsympathetic to the notion that an intelligence agency or law enforcement might under some circumstances want the fact that they had access to a record and not to be disclosed in the record. In those instances I think the court should be authorized to allow them access and not record it in the record. But I don't think that should be the customary procedure. I think that for exigent circumstances, you don't need prior approval, but you do need post disclosure notice unless there is some compelling reason.
Richard: Are we done with that topic?
Kathleen: I think so.
Richard: When the time is appropriate, Kathleen, I would like to bring up a topic.
Kathleen: Go right ahead, Richard. Take the floor.
Richard: It is just, I mean I hate to be the dead horse, but I will for just two minutes. It is just the whole issue. Does the committee feel that the issue of informed consent being basically changed to statutory consent is the right policy for treatment payment and business operations purposes? I am not going to argue it. I feel that informed consent is the appropriate way. I know many people feel the other, but just should the committee go on record as saying that the statutory consent is the way to go or that we have mixed feelings about it. Not to debate that because I know we have debated it a hundred times and I don't want to get into it. But I still feel that improving informed consent is better than statutory consent and would like there at least a little bit in there about that there is still mixed reviews from the committee.
Mark: Richard, this is Mark. I agree with that sentiment. One of the things that concerns me about the proposal is that I think it would undercut traditional codes of medical ethics in certain areas. For example, in the preamble, it states that we intended the right to use and disclose protected health information would be interpreted to apply for treatment and payment of all individuals. For example, and by the way I am on page 59940, if you want to follow. For example in the course of providing care to a patient, a physician could wish to examine the records of other patients with similar conditions B
Man: Or family members.
Mark: Exactly! Likewise, a physician could consult a record of several people in the same family, blah, blah, and under current principles of medical ethics you could not do that without individual consent. I have a major problem with that. I think what the regulations intend and what we could separate is the use of a database for general treatment, versus individual patient decision making.
Bob Gellman(?): This is Bob Gellman. I have just joined the call and I have missed a lot of the discussion, but I heard Richard bring this issue up. I think there is more to be said for the secretary's position then not. I mean I agree with what he had said; that this is an issue that we're not likely to reach agreement. I don't fully agree with what the secretary has done, but I think she has got the better part of it here. You know, it is already the law in a lot of states that disclosures for treatment or payment without consent are permitted.
Man: For those two things?
Bob Gellman: For those two things, right. I don't like some of those laws because they don't allow opt out. I don't think the secretary's plan allows enough of a clear opt-out for people. On the other hand, and I think this is right, if you are physician there is nothing that stops you from telling your patients more about the informed consent process and about their right to ask for other rules that apply. If you want to sit and negotiate with your patients, terms of disclosure in this area, you can reach agreement with them and it does become binding under this. So there is that ability for people that don't think the secretary's position is appropriate for their practice. But for the reality is that for most people you go see your doctor, you sign a statement that says, I consent to the disclosure. Any and all of my information, etcetera, and you have waived all your rights. I don't see that there is any reason to fight for that.
Simon Cohn(?): Bob, this is Simon Cohn. Thank you for chiming in on that. I think I agree with all the comments, but I don't think we are going to reach consensus on this. I don't know. Someone who lives in the state where this is pretty much already the law, I'm not sure that I see any problems. I actually think it is one of the features of the bill. So, I don't know how we are going to resolve this and whether, I guess we could we say, there are some people feel this and others feel that. That is not a very strong view.
Man: Well what about in the context of access to family members'records without their consent in a treatment of another family member? So if I go for genetic testing, for example, and my physician without the consent of any family member, goes looking into the medical records of my family members as an aid to my diagnosis, that could not be ethically done today. I understand what Bob is saying about you could get waivers from all of your family members when they had signed up, but I am a little uncomfortable with just putting this in a regulation.
Man: Agree.
Simon Cohn: Obviously you are coming up with sort of interesting example. I mean it is certainly not at the 99% normal case.
Bob Gellman: This is Bob Gellman, again. I don't know. It is a fair example because genetic information is pretty important these days. I don't know what the practice is in terms of physicians looking at records. You do have plenty of circumstances, in which you have the same physician treating an entire family, so the issue is rather moot there. I don't know what the ability of physicians is to look at records in a hospital setting of patients that they are not treating but whose files may have information that is relevant to what they are trying to accomplish with some other patient.
Man: Was the issue really the physician looking at it, or is the issue disclosure?
Man: Well that is a disclosure. It doesn't mean that it is a bad disclosure, but it is a disclosure.
Man: Well I guess I was thinking of an outside of health care operations and patient care. I guess I would tend to speak of not having a comment in this area, but maybe if I saw something I might be more persuaded.
Bob Gellman: This is Bob again. I think that we are probably better off not saying anything at all, but if Richard or others feel strongly that they want to have the difference of opinion reflected, we can say that. But from the perspective of people who are revising the regulations, they are not going to much care if you simply say, We don't know whether we agree with you or not. That doesn't really move the ball one way or another. If you don't have a specific suggestion, then you are probably better off not wasting your time trying to write anything.
Kathleen Fyffe: This is Kathleen Fyffe. Are we better off, or would it be harmful at all to simply have a comment that some people on the committee had concerns about this.
Man: That's all I would ask is just some kind of a notation. That there are those who strong support it and others that have concerns.
Kathleen Fyffe: I would say that we need to show both sides - or not sides, but concerns.
Man: I don't have any objection to that. If Richard feels that he wants that on record, it is certainly true.
Kathleen Fyffe: Yes.
Man: But I think that section that Mark was referring to, that kind of thing is just something that I think ought to be looked at more.
Man: I agree.
Kathleen Fyffe: Okay.
Kathleen: Okay, got it.
Man: Thank you. End of that area.
Kathleen: Who is next?
Kepa: This is Kepa. I have a couple of things that we may want to discuss for a minute again. In the applicability there are some general exceptions on the preemption section, where if a state has later penalties in the state law that automatically preempt this regulation, and the fact that they have greater penalties is a form of being more stringent, but I don't think that is sufficient. The way it is now, just the fact that they have greater penalties would be sufficient proof that it is more stringent. That's kind of a picky thing. Another on the general preemptions, the general rule is preempted if the secretary determines that this disclosure is needed to investigate firm(?) abuse and compliance with the law. It is also preempted if it addresses controlled substances. It is just a blanket statement, that looks like a single line and all it says is that it addresses controlled substances. I'm not sure that controlled substances should get blanket preemption.
Kathleen: Kepa, this is Kathleen. Can you tell me what page? It helps me to have a page when you are talking about the state penalties being higher.
Kepa: 16202 is the sub part that talks about preemption of state law.
Kathleen: Okay.
Kepa: And 16202 it has some definitions and then the definition of Amore stringent. Under the definition of more stringent number three.
Kathleen: Okay that is on page 60050. Okay. Thank you. I'm sorry that I interrupted, you were making a second point?
Kepa: Okay, the second one is right under that paragraph, a little bit below, where it says 16203 General Rule and Exceptions. The general rule applies except where one or more of the following conditions is met. And number two under that says, Addresses Controlled Substances.
Kathleen: I'm not sure how I feel about this.
Man: That is actually right from the statuettes.
Kathleen: Yes.
Man: You may want to raise it, but I don't think; it is right from the HCFA(?) statuettes I think.
Kathleen: Okay.
Kepa: The controlled substances?
Replies: Yes.
Kepa: Okay, then what about the other one, greater penalties.
Kathleen: Well in that case it says State law had greater penalties. Our entire Federal Regulations would not be preempted. It would just be if a state law addressed a particular issue and had a greater penalty. You could look at it that way.
Woman: Are you sure about that?
Kathleen: Well if you look at it by provision by provision, there is only an issue of preemption if the state law addresses that particular issue specifically and is more stringent than.
Woman: I am not an attorney, but I mean if you read higher on the page here, it says, The law which meets one or more of the following criteria is applicable.
Man: Well it is a very difficult area.
Woman: It has to be contrary to and more stringent than.
Man: Right, you have to read it right from the beginning and it is says A more stringent means in the context of a comparison of a provision of state law and a standard. Then you would look at these. I mean, I agree. It is quite complicated.
Woman: It is very complicated but the state law would have to be contrary to ours and it would have to be more stringent than ours, and then you would just be comparing the penalties.
Man: Yes, and then you couldn't comply with both.
Woman: But if they had a particular provision that met this criteria, it wouldn't mean that the rest of our regulations would not apply in that state, or it would just be for that particular provision?
Kepa: If a state law has provision that is less stringent privacy wise but does have greater penalties, does that override the corresponding provision in the HCFA?
Woman: I think you are saying that it does not.
Woman: I this it would really depend on the actual case. It is a very complicated scenario. It would have to be contrary to, so if it does not conflict with what we're saying, then the issue doesn't come up.
Woman: So it has to be both contrary and stringent.
Woman: Right.
Man: Yes.
Woman: It would be too tough.
Kepa: Well that was a two-minute discussion, see?
Replies: (Laughter)
Kathleen: This is a very difficult area.
Kepa: Another of the discussions that we had in doing the committee meeting last time was on child abuse versus spouse abuse and maybe we need to recommend that everywhere where it is addressing child abuse that it also addresses spouse abuse.
Elizabeth: This is Elizabeth. I think the common term is family violence, because everywhere there is increasing geriatrics, there is increasing abuse of the elderly.
Man: Okay, good.
Richard: This is Richard. I apologize for not having the regulations in front of me. I am in a meeting. But there is a section that said that if a state had a rule that was less stringent then the federal, that the governor could ask for a by(?) I believe to maintain the lower standard. Is that correct? Am I saying that right?
Man: The governor could apply to the secretary B
Richard: Yes, the governor, exactly, the only thing I would say B
Man: ????
Richard: I understand that, but I would like somehow or other after appropriate input from the citizenry, not just the governor's decision that that's the thing to do. There ought to be some kind of input from the citizenry about asking for a by for the preemption.
Man: We might have a hard time doing that. We might be better served by doing it on the other end and require that the secretary before granting any such waiver, provide for notice and comment period which would allow the people from that state to comment.
Richard: That would be acceptable, too.
Jim: This is Jim. Yes, the process that allows any state to request the determination or advisory opinion as to whether how preemption may apply. If you want to ask for clarification, that would be fine.
Richard: That would be great. Thank you.
Man: To whoever is taking notes, I think that another thing that we have to do before we raise any of the issues of the first matter of business is to congratulate the department for the good work.
Kathleen: Absolutely!
Man: Yes, I think we do need to emphasize the good things that we see in this.
Kathleen: Oh yes, absolutely!
Richard: This is Richard. One of the issues that kept coming up in all the hearings that we have had in the two years is the concern about employees, about employer access, or supervisors having access. I think there is a lot of goo improvement there, but that continues, I think, to be a particularly sensitive and important issue. If we can tighten up as much as possible, that would be greatly I think appreciated by many occupational nurses and occupational physicians as well as employees.
Kathleen Fyffe: This is Kathleen. I have a question for Richard and Mark on that. Mark, how do you think the proposed rule handled that and do you have any specific suggestions for tightening that up? Because I think you had said something about; and maybe I am mistaken, you had said something in the meeting about employment discrimination and being a separate matter, or whatever.
Mark: What I had said was I think that Jim had mentioned this at the outset.
Kathleen Fyffe: Right.
Mark: That this regulation should not take the place of statutory protection against discrimination based on the use of medical information in a variety of contexts because individuals can be required to release their medical records as a condition of employment and all sorts of things.
Kathleen Fyffe: Okay.
Kathleen: I just want to make sure; what point are we trying to make here?
Kathleen Fyffe: Yes, I am not sure, Kathleen.
Kathleen: Yes.
Man: There are statutory statements that in some cases you have to release medical information to your employer?
Mark: Yes, well there is a provision, section 102D3 of the America's Disabilities Act, that says as your conditional offer of employment, an employer can at its discretion, undertake a medical examination of the individual that is not limited in scope. Also as part of that, and this is where the interpretation from EOC comes in, the employer can require the signing of a release by the employee, releasing all the individual's personal medical records from their personal physicians. That is lawful under the ADA.
Kathleen Fyffe: This is Kathleen Fyffe. Let me ask a question, what prevents nosey employers from poking around into the protected health information of employees? Not in situations where they might be apply for disability but just people who are nosey?
Mark: Well theoretically there is a provision of the ADA that says that all medical records have to be treated as confidential.
Kathleen Fyffe: Okay, regardless of whether or not it is related to disability?
Mark: Correct regardless of the source of it and so forth.
Kathleen Fyffe: Okay, that helps me. Thank you.
Kathleen: So do we have a comment to make then?
Kathleen Fyffe: I am not sure.
Kathleen: See, I am not sure either.
Man: Yes, I am kind of pondering on that, too.
Mark: Clearly this is an area where the law could be a lot better. I mean it is unlikely this is the vehicle for improving the current state of the law.
Kathleen: Okay, it is unlikely that these proposed rules are the vehicle.
Mark: Correct.
Kathleen Fyffe: Okay.
Kathleen: But then we don't have a comment.
Kathleen Fyffe: Yes. Okay.
Kathleen: Okay.
Kathleen Fyffe: Thank you.
Kathleen: Any other big hot points for anybody?
Jeff: Kathleen Fyffe, this is Jeff.
Kathleen Fyffe: Yes.
Jeff: Can I piggyback on the issue that you had just raised.
Kathleen Fyffe: Okay.
Jeff: It appears clear that there are certain limits on this regulation and we can't do more to protect the privacy of individuals from their employers having access to that information for whatever purposes the employers might have. Do we have any latitude within these regulations? I guess that in part I am sort of asking you, Kathleen, because you represent a number of insurance companies. So I don't know whether this would be burdensome of unpractical. We had indicated that there should be an audit trail of individuals or agencies or organizations that either requested or have access to our health records. So clearly if a payer were to request information; well actually that is automatically granted. But is there anyway of there being an audit trail of an employer asking an insurance company, either for access to MIB information or access to the individual's patient record, or is that simply getting into an area that is just too complex to deal with?
Man: MIB is completely outside the scope of these regulations.
Jeff: I guess that is the answer.
Man: Yes, if you want to _____ that's the instance that you want the rights of the information to be provided to B for example, you are applying for life insurance for example. Generally you authorize the information to be sent to the Medical Information Bureau.
Jeff: But from there in terms of disclosure to an employer?
Man: Theoretically, MIB only discloses information to other insurance companies.
Kathleen Fyffe: That's correct, Jim. Theoretically.
Dixie Snyder: This is Dixie Snyder as CDC. I would like to throw out a question and hear your comments on it. One general concern I have, after you read all the regulations, is that because of the way these rules have to be applied again through covered entities, I have some concern that for permissive type disclosures, for example, and the main concern I guess is around research, epidemically research. Will there be or likely be a decision on the part of a lot of entity covered organizations that don't necessarily have, as part of their major mission, an interest in conducting research. As result of the administrative burdens that are to be placed on them, is there likely to be a lot of entities opting out of the research? I guess I am coming from the standpoint that I want all of these protections for individuals, but again, back to the issue. I would like to place the burdens in the most appropriate place. It seems like a lot of burdens that we would under other circumstances place on researchers result in placing burdens on covered entities, which may be a disincentive to participation in research. I'm not sure what the solution is, except maybe in the regulations to say something for being less neutral and more positive towards the value of research and encouraging covered entities to participate in appropriately approved research.
Man: Is it that you are concerned that requiring IRB like procedures in the private sector will discourage research? Is that your concern?
Dixie Snyder: No, as a matter of fact if that discourages it, I would say too bad, because I think the private sector needs to do the same thing that federally funded research does with regard to the review of the research. I am more concerned about the other issues that they are going to have to go through which means at the beginning, disclosing that they are going to be releasing information for research purposes. The agreements that they will have to work out with researchers and the record keeping requirements that they will have to keep up with, if I understand correctly, the audit trails and things that they don't necessarily have to do now as a result of the research enterprise, if they agree to participate in it.
Man: I'm not sure that any of those requirements are anything different than are required federal agencies today, under the privacy act. If there have been any problems of federal agencies not being willing to go through that and making information available to researchers, that hasn't come to my attention in twenty-five years.
Dixie Snyder: But the federal agencies I am not concerned about. Just to get specific, I mean I have had this before as Jim knows. It would have been extraordinarily difficult this summer I think to operate under these regulations to get information about the occurrence of intussusception(?) in recipients of rotavirus vaccine. If we had to negotiate with HMOs or other organizations to get the information as would be required under these regulations. Now any one we could make the argument that it is not research, but public health activities or whatever. Again, it is just a general concern and maybe others don't share this concern and maybe there is no reason to have this concern, but it is just something I would appreciate some comments on.
Man: Well can I offer a comment? I understand your point and I am not unsympathetic, but anyone who has records is going to have to develop a facility for dealing with audit trails, because they are going to have to disclose records for public health purposes or for lots of other purposes. I actually think the audit trail requirement here is too narrow, but be that as it may, they are all going to have to learn how to do it. Once you have established a procedure for doing that, whether you are doing audit trails for public health, or research, or law enforcement, or something else, you are going to have the facility to do it, or you ought to be able to do so. So it is sort of, at least from my view, it is more of a one time cost in figuring out how to do it. The marginal costs should be minimal. Secondly, if this discourages some people from making records available for some purposes, the answer is, So be it! That's the point of privacy rules. If you can't justify what you are doing to someone to their satisfaction, that this is worth the effort and the risk and everything else, then their records won't be disclosed and privacy will be protected. We will not accomplish other objectives as a result, but maybe, if they are not important enough to overcome their concerns here then they shouldn't be carried out. All research is not a good thing. Most research is a good thing.
Jim: Dixie, this is Jim. Were you concerned about the notice at the beginning that all patients would be given that their information could be disclosed for research purposes? That it might have a chilling effect or was it actually further along in the process?
Dixie Snyder: I think it is the totality of the requirements. It is not any single individual aspect of it. I think the point that we had just made about the fact that all these entities are going to have to come up with the procedures anyway for other disclosures, makes me feel a lot better. Again, it just has to do with the fact that we're talking about entities who; yes, we're opposing these rules on, who may have very little interest in conducting research, or investing in it themselves, although they love to use it. Especially if it is cost saving, and so forth. But we all the time work with entities in which the majority of the effort to conduct the research activity is ours. We are just permitted to use records as long as we send our people in to abstract the records and do this and do that. When you talking about these regulations you are talking about minimal disclosures and putting the burden on the covered entity to decide what is required. You are putting all the other burdens on it. I just wonder if the entities themselves in many cases will just throw up their hands and say, This is not our game. I mean it may be good for society, it may be good for science in general, but it doesn't help our bottom line. We will just opt-out.
Bob Gellman: This is Bob Gellman. Let me share with you the experience under the Privacy Act of 1974 when it passed and it imposed all kinds of rules like this across government. Research was just a small part of it. The response from federal agencies for the first two years was, Oh my God, if I disclose a record improperly I could go jail. This wasn't actually the case, but be that as it may, I am not disclosing any records without my lawyers in the room. Two years later they all learned how to live with all of this and all the problems went away, and now agencies shovel records out the door like there is no tomorrow and ignore totally the requirements of the Privacy Act. The exact same thing is likely to happen here. Any concerns you have are likely to be transitional ones, and as soon as everybody gets used to dealing with all of this, will go back to business as usual. Especially since these rule don't provide any individual enforcement. The only enforcement comes from the secretary, who is not going to spend ten minutes a year, doing enforcement of this stuff. So I don't know that anyone has got much to worry about under these rules. There is a lot more to worry about under a law, but these rules are not going to be much of a threat to anybody.
Man: Jeff, I appreciate the comments.
Mark: This is Mark. If the subject of researches is on the table I would like to revisit an issue raised with the committee meeting. The proposal does not currently allow individuals to opt-out of having their individually identifiable health information used in research and I would propose that there would be an opt-out provision allowing individuals to choose not to have their records used in research. People cite to the Minnesota experience, but Minnesota was not an opt-out provision. It was basically an opt-in provision where what the Minnesota law contemplated as required was the mailing of consent forms to individuals. They had a low response rate in Minnesota and that interfered with the ability to do research. I think that the percentage of individuals who will affirmatively opt-out is likely to be very small, but I think it is an important part of the protection of individual autonomy of people who have their health records on file. This gives them an opportunity to say that I don't want it used for research for religious reasons, or moral reasons, or personal reasons, and just leave it at that.
Man: Well Mark, my memories of the current regulation actually, or post regulation, says that a person can try to negotiate with that???. Isn't that how it is currently written? Effectively what it says is that they can request and then health plan has the option to either say fine or nay.
Mark: Well let me see, it is 508.
Man: I think the provision, Simon, that you are referring to; I am trying to find it, too.
Man: ? confusing of the pieces there.
Man: That is individual authorization.
Man: It is my favorite section.
Richard: Mark, this is Richard. I would tend to agree with you that people should have the option of opting out unless it could be shown that it is a special unique group that would distort the research process if they opted out all the time.
Mark: I have no problem with that as long as you put the burden on the researchers and let them convince an IRB that there should be some exception made.
Man: Okay.
Man: I guess I would speak against this, I think administratively. It is certainly a nightmare when one thinks about it. I think there is; I guess I am trying to think of the compelling reason why people should have statutory permission to opt-out of these things.
Man: Because it is their information. It is very simple.
Man: Well I thought that was why the people were sending them out information about how their data would be used initially, to give them the right to go to some other health plan or arrange some other coverage if they disagree.
Man: I think that the practicalities will be that there will be no way to go to get out of it. I think it will be standard practice and if you want to be treated and you want your bills paid, you are just going to have to go along with the arrangement. I think that's the problem.
Jeff: This is Jeff. I am tending to agree with Simon here and I am almost wondering whether we could maybe narrow that mark to indicate for religious reasons I don't think we would argue with that. But if people are starting to self select because they have a particular virus or something that could be a threat to public health or certain other areas
Man: I would prefer to do it the other way, as Richard had suggested, where the researchers can make a showing that look, because we want to do research on this virus and we don't want people to select out, we need to do it on everybody. If the IRB agreed then there could be a special protocol adopted for that. I would rather do it on the other end rather than list the reasons why you could opt out. I think it is much more practical to say you have the right to opt out but because; let's say you alluded to religious reasons. How are you going to verify that someone's religious reasons are bona-fide and so forth?
Linda Sanchez: This is Linda Sanchez. Just to clarify, in 506 the right of an individual to restrict uses and disclosures as someone suggested earlier, does not extend to researches. It is only for treatment, payment, or health care operations.
Man: Okay.
Linda Sanchez: I know the research provision, if it is an IRB like group, a privacy board has not certified that there is a good enough reason basically to over ride the requirement for an authorization then a researcher would have to get an authorization from the individual. If the IRB believes that the research is important enough and has enough protection to over ride any concerns the individual would have, then that would be the only instance in which they could admit a waiver as an authorization requirement.
Bob Gellman: This is Bob Gellman. I am going to make a comment and then I have to go. This is an area in which there are strongly held views on various sides here and I don't think you are going to reach any kind of consensus in the committee. It seems to me you can't opt-out of law enforcement disclosures. You can't opt-out of public health disclosures. You can't opt-out of most of the disclosures. This is my view and I respect others. But to say now we are going to let you opt-out of research when your records are less likely to be used and abused in that way then they are for law enforcement or for fraud and abuse, where there are virtually no controls over what happens to the records once they are disclosed under this scheme, or basically most other schemes. I don't see it, but I don't see how you are going to get agreement on the committee on this. Maybe this just falls into the category of one of those issues on which there are different views and either we say that there are and let it go at that, or we say nothing.
Man: Or maybe we should say the way we did earlier, that there are different views.
Man: I don't have any objections.
Man: Yes.
Man: But it is not a very strong statement, but certainly that is the outcome.
Kathleen: Okay, I got it.
Bob Gellman: All right, this is Bob signing off. Good luck!
Replies: Bye Bob.
Man: I like Bob, but I was doing better before he got on. (Laughs)
Replies: (Laughter)
Man: Actually, I like having Bob's view.
Kathleen: I think Bob adds a lot to the discussion.
Man: Yes, I am just kidding.
Kathleen: Okay, who else has some issues?
Woman: I just wanted to ask and I guess because then it would go to the full committee obviously. But in these cases where there are differing views, I mean, in and of itself I guess it doesn't leave the department with any guidance other than this is a difficult issue obviously. Does the percentage ???.find out where the balance is, whether it is a minority position, one position, or the other is a minority position, or whether you want to state that there are different views.
Kathleen: My understanding is we're just going to go with just Adifferent views.
Man: Yes.
Man: Would it be valuable however, to set out what the positions are of the two sides? I mean their rationale behind their views.
Woman: Yes I think it would be. I think that our comments need to be helpful to the department.
Man: Yes.
Man: Yes but I think there is something where there is no conclusion. I am not sure that putting out the two arguments does anything else other than, I would say confusing the matter. If we can come to a conclusion on something or if we have a strong majority rational and there is a minority rational, I think that makes sense. But if we're saying our rationales are not even indicating what the ponderous(?) weight of the committee is one way or another. I don't know that I would think that would be particularly helpful. When I see that some of these things where we can't reach decisions are more, well jeez, we put a sentence somewhere that says on a variety issues including dah, dah, dah, there was mixed opinions by the committee.
Man: Silence is richer. Silence would mean going along with the recommendation, wouldn't it?
Man: You mean my recommendation or the recommendation?
Man: The recommendation, if we were silent on an issue, I would assume that we were in agreement.
Man: Well, I think you would be basically silent or not able to come up with anything other than a mixed opinion is probably-
Woman: No, I think silence means we simply haven't made a comment.
Man: ??..
Woman: Yes.
Man: I have a procedural question and that is does the committee have any position on individual members submitting comments?
Woman: I just remember that there is definitely - that you should feel free to submit comments in their non-committee capacity.
Man: Yes, any member of the committee as an individual is free to comment directly.
Man: Okay.
Kathleen: Do we have any other big areas of hot buttons that we need to comment on?
Man: I have one last one. It is on the issue of minimum necessary disclosure.
Kathleen: Oh yes.
Man: The proposal in 506 supports the position of minimum necessary disclosure, but I would propose that be complimented by a second standard which would be the minimum identifiable form, which is alluded to in the preamble and it is alluded to in the actual regulations, but not expressly so. I think it is an important principle that would be driving the form in which disclosure is made and not just the amount.
Man: In what way Mark would you;
Mark: The sample that I like to use and someone; sorry I can't remember who, brought up the issue of employer access to medical records and that is when the employer is a self-insured company and pays the bills for medical treatment. The employers customarily and certainly immediately if it is self-administered program, but indirectly often is that there is a third party administrator, get the names of the employees and their diagnoses and all sorts of treatment information. When that degree of disclosure is not necessary to pay the bills, they could very easily use a medical identification number for that individual employee. The company could verify that they were benefits eligible. They could monitor the utilization of that individual and so forth without turning over the names of the individual employees and their medical records. So I think a goal of the regulation should be to have the minimum identifiable information disclosed.
Woman: Okay, so it is slightly different. You are saying minimally identifiable, not minimum necessary?
Mark: What I would like to do is we have minimum necessary which goes to what is the disclosed. I would like to in addition add when disclosing that amount, it should be in the minimally identifiable form. It should be disclosed in the least identifiable form consistent with the essential uses of the information.
Man: I actually like your idea, though. I am sort of struck by it. I think the last conversations that we had at the NCBHS where people on one hand talking about unique identifies, which is of course what you really are sort of talking about.
Mark: Right.
Man: But also on the other hand, sort of questioning whether that alone without other information to assure that was indeed the individual would be enough to assure that they hadn't done something wrong in terms of identifying that person. So it is sort of an interesting catch-22 on this one, but I think the idea is a good one.
Mark: And there are all sorts of ways you could do it. You could do it through encryption measures, you could do it by numbers and having the code inaccessible to most people except if it is essential to look up something and so forth. But I think as a principle it is very important.
Man: Yes, I think that the general concept, Mark, brings you into the discussion of identifiablilty(?) and how do you reduce the potential for identifiability in any sense. As a principle, in fact, that might be a good thing for the committee to raise.
Woman: Yes, I would say that it is a very good point to raise.
Elizabeth: This is Elizabeth I agree with that.
Man: Yes.
Woman: Okay.
Kathleen: All right we have got it.
Mark: Thank you.
Kathleen: Other burning issues?
Man: I think my only burning issue is let us not do a 7:00 AM conference call
Replies: (Laughter)
Kathleen: I apologize, Simon, but it was the only time we could get everybody on.
Simon: Okay
Kathleen: I know you and Elizabeth are suffering there.
Simon: Yes, I thought I would make that point so everybody would know the pain.
Woman: Simon, I thought you would be out swimming your laps.
Simon: No I am actually an afternoon swimmer, but I dragged myself out because this important, but it is painful.
Kathleen: Thank you, we appreciate it. Any other comments?
Woman: No I think we have come up with a good comment letter.
Kathleen: Good! Then what I am going to do is I am going to draft it and then I will send it around to all of you so you can take a look at it, the next part. Then you will have a chance to look at it. If you have any comments you can get back to me. Then I have to turn it over to Marjorie for the full committee by December 8th. After we get off the call today, I am going to work on this letter and get it out to you today, so you can take a look at it while it is still fresh. I guess that is really it. Happy Thanksgiving to everyone!
Replies: Thank you.
Jeff: Simon, this is Jeff. Could you call me right after this call?
Simon: Do you want to give me a call?
Jeff: Are you at your office?
Simon: Yes.
Kathleen: Good bye everyone.
Man: Thanks everyone.