Public Health Service

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

August 21-23, 2001

Washington, D.C.

- Minutes -


The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings August 21 to August 23, 2001, at the Hubert H. Humphrey Building in Washington, D.C.

Subcommittee members

Absent

Staff and Liaisons

Others


EXECUTIVE SUMMARY

August 21-23, 2001

The Subcommittee on Privacy and Confidentiality held hearings August 21-23, 2001 in an ongoing process focused on implementation of the privacy regulations promulgated by HHS pursuant to HIPAA. During the three days, the Subcommittee heard 34 presentations and talked with six panels and other testifiers representing the health care industry, professional groups and the public in order to provide guidance to the Office of Civil Rights (OCR) and the Secretary on practical issues and concerns in implementation of the regulation.

Panel 1: Consent

Ms. Henderson urged HHS to rescind the requirement and return to the proposed rule. Barring that, Kaiser Permanente made seven recommendations: (1) allow continued use of the data collected before April 14, 2003 and require consent only for data collected subsequently, (2) allow use and disclosure of data collected before revocation for continuing treatment, payment and health care operations (TPO), (3) allow ongoing use of data until a patient is present and able to sign a consent form, (4) make the requirement inapplicable to states with statutory authorization for the use and disclosure of PHI, (5) defer the requirement for five years, then assess whether other HIPAA tools provide adequate protection, (6) reconcile conflicting laws, (7) rely on parental consent until a child who reaches the age of majority comes in for care.

Ms. Donohue noted health plans are intimately involved in: prevention and disease management, quality assurance, quality improvement, patient safety, utilization management, performance measurement and private accreditation. She expressed NCQA's concern that the privacy regulation impedes the flow of information necessary to perform these critical functions.

NCQA believes that, at a minimum, the preamble and policy guidance need to clarify that consent obtained at the provider level is sufficient to allow transfer of information for health care operations that support quality improvement, accreditation and other functions. NCQA also recommended that HHS delete the consent requirement for TPO, adopting the original recommendation under the proposed rule.

Concurring that consent is the final rule's major problem, Mr. Kelly said Mayo recommended going back to the NPRM's approach of a statutory consent. Otherwise, Mr. Kelly said providers would require consent for treatment and nothing but patient inconvenience, paperwork, and fairly negative reactions would be realized. He noted another unintended consequence was the issue of the first encounter: a first appointment or tests cannot be scheduled without knowing PHI and having prior written consent. Mayo identified four critical issues to manage: pharmacy, first encounter, transition, and revocation issues.

Ms. Blevins noted the rule imposes a major shift in the ethics of consent, personal autonomy, and confidentiality: for the first time, the federal government would decide who could access every citizen's health (including genetic) information. She contended the rule coerces individuals into sharing PHI, falling short of the definition of informed consent where patients have a clear choice.

She recommended the Subcommittee look at a national Gallup survey the Institute commissioned that indicated people don't want many third parties accessing their medical records. Noting it wasn't certain citizens would be fully informed about how many third parties had access to their information, Ms. Blevins pointed out that, under this rule, once an individual's medical records were disclosed to a third party other than a business associate, the final rule no longer protects that information. And the rule does not cover procurement or banking of blood, sperm, or body tissue.

Panel 2: Consent

Ms. Winckler described how the prior written consent requirement was a substantial deviation for pharmacy practice. She noted concern with consent about patients requesting restrictions on the use and disclosure of the information. A pharmacist who identified a potential drug interaction couldn't disclose the name of the patient or the drug to the prescriber. Noting the guidance clarifies that a pharmacist could counsel a patient without getting consent, if he didn't record that information in the patient's record, she pointed out this created a problem of documentation. APhA's options concurred with the recommendations for statutory authorization. Lacking that, APhA's members proposed: having the prescription serve as initial consent, changing the prior requirement, or a single consent form for TPO.

Dr. Goin conveyed APA's judgment that the rule allows for use and disclosure of too much information without the patient's consent. Both the Surgeon General's report on mental health and the U.S. Supreme Court's Jaffee v. Redmond decision conclude that privacy is an essential requisite for effective mental health care: the mere possibility of disclosure may impede successful treatment. She said health care plans and clearinghouses should be required to obtain a patient's meaningful consent before their medical records can be disclosed for TPO. And she expressed APA's concern that patients would lose existing privacy protections regarding the disclosure of medical records for judicial and administrative proceedings. Dr. Goin emphasized it was essential to expand the definition of psychotherapy notes. APA welcomed the opportunity to work with the Committee on a recommendation for an exception for involuntary patients who refuse to sign a release.

Ms. Hatton said AHA was in total agreement with Kaiser Permanente's and the Mayo Foundation's position and rationale. And she suggested that everyone was asking that the written consent requirement be discretionary. She noted a practical comment HHS raised in its most recent guidance: when HIPAA becomes effective, hospitals won't be able to schedule procedures until patients have received and read a privacy notice (the model is 10 pages) and signed and returned a written consent form. Ms. Hatton noted that HHS, recognizing this would be a major inconvenience for rural and elderly citizens and, in many cases, an impediment to timely care, promised to modify the rule. Noting there were civil and criminal penalties for failing to meet the obligations under the statute, she said the question was how to track consents to know, every time the patient came in, that a valid written consent was on file, without limitations, and hadn't been revoked. Many institutions believed the only practical way was to get a form signed every time.

Ms. Darrah said the rule was consistent with AMA policy, requiring most providers to obtain patient consent prior to using or disclosing health information for TPO. But she noted it had unintended consequences for patient care and the patient-physician relationship. Ms. Darrah said the rule should allow reasonable, limited uses or disclosures to carry out TPO before obtaining patient consent. She pointed out the guidance only recognizes first-time referrals. The AMA believes other necessary uses and disclosures should be accommodated. The AMA recommended HHS formally clarify in a modification to the rule that a provider who obtained any consent to use or disclose health information for TPO, prior to the compliance date, could continue to use the information for all purposes. And she said the rule should apply a good faith standard to the right to request restrictions and the right to revoke. AMA continues to have ethical concerns regarding the requirement and breadth of the definition of health care operations. Ms. Darrah cautioned that non-routine, non-critical activities had made their way into the definition. She said removing the consent requirement for TPO, without narrowing the definition, "flew in the face" of patient privacy and autonomy, merely for the provider's convenience.

Public Testimony

Mr. Pyles said consent was essential for quality care. He conveyed the need for a better definition of protected psychotherapy notes, grounded in the therapist/patient privilege, and he advised that exceptions to the psychotherapy notes protections need to be carefully and specifically defined. He noted New Jersey and the District of Columbia had statutory models and definitions of terms that had been in place many years. Mr. Pyles asked the Subcommittee to take into account findings in the preamble that were the product of a detailed fact-finding process.

Ms. Kaigh questioned why more groups representing private citizens weren't testifying. She said patients do care if their medical records are freely exchanged without their consent. So long as patient consent is required before records are released, a patient can start over fresh with a new doctor after a malpractice, misdiagnosis or personality conflict situation. Rather than provide broad access to medical records, Ms. Kaigh said the privacy rule should reinforce consent forms and the ability of the patient to decide, on a case by case basis, what information his doctor, health insurer, or others, should know. She noted the rule said the patient only had the right to request a restriction: the doctor could refuse that request, and refuse to treat the patient, if he didn't sign. Doctors could agree to limit access, and then allow access anyway. With the new privacy rule, Ms. Kaigh said researchers, law enforcement, public health officials and others could access anyone's medical records without patient consent.

Mr. Wilder observed that the health care system is also a health information system and that it was important that this information flow wasn't unduly restricted. He stressed it could be difficult and time consuming for plans to always get consents, authorizations, or information directly from their members. AAHP had three recommendations: (1) pursuant to the consent, providers should be able to share PHI so the plan could carry out its health care operations, (2) wherever covered entities didn't have written consent, they should be allowed to use or disclose PHI collected before the rule's compliance date, (3) revocation should be honored, but only for information collected post-revocation.

Mr. Todd conveyed DMAA's belief that allowing legitimate disease management programs unhindered access to individual identifiable patient information was crucial to preserving patient access to high quality disease management programs. DMAA recommended a special exemption in the privacy rules that allows disease management organizations, as business associates of health plans, to access this information to carry out disease management activities. Mr. Todd said an alternative suggestion would be to include disease management in the definition of treatment.

Panel 3: Minimum Necessary

Dr. Desmarais expressed concern about the legal uncertainty and vagueness created by the standard that could lead to defensive information practices and restrict the flow of information within the health care system. Member health plans must have access to PHI maintained by physicians/practitioners, hospitals and others to do quality assessment and improvement programs, utilization review, disease management, and case management. He said the standard inappropriately places covered entities in the position of evaluating minimum necessary for the purpose; HIAA contends only the entity making the request is in a position to know that. Noting that the standard is highly subjective, Dr. Desmarais said it could be used to shield evidence of upcoding, misdiagnosis, overtreatment or fraud. The Department determined that the standard would be among the most costly requirements of the privacy rule; HIAA believes that figure underestimates the cost member companies, physicians, and hospitals face.

Dr. Bussewitz reported NCPDP and NACDS have met for six months and have yet to reach an industry consensus. Pharmacies contend PBMs/claims processors request more information than is reasonably necessary; PBMs/claims processors believe pharmacies want to disclose less than they currently do. The most contentious issue has been how to adequately identify patients, so pharmacies can be paid without incurring legal liability for non-compliance with either HIPAA privacy regulations or stringent state privacy laws. Pharmacies also fear having their name associated with allegations of a breach of patients' privacy. PBMs/claims processors want pharmacies to disclose the patient name before they'll pay the claim. Pharmacies refuse, believing disclosure is unnecessary and could increase their liability. Dr. Bussewitz encouraged the Subcommittee to promote the unique individual identifier or require the payers or employers to convey detailed patient data to their PBM/claims processor clients so they, in turn, could assign a person code.

Dr. Baillie said ASCP believes the proposal to release the minimum necessary information when performing health care services is problematic. Physicians contend they need the complete history to examine and diagnose. And staff in charge of handling disclosure requests isn't adequately trained to decipher what information satisfies a particular disclosure request. ASCP advised that clarification belongs in the final rule, not just in the guidance document where misinterpretations might occur. ASCP also believes medical students, residents, and allied health trainees need to be exempt from the requirement. Dr. Baillie noted that applying the standard involves several direct and indirect costs: employees to handle compliance within the laboratory, ongoing training of staff at all levels to decipher minimum amount necessary, slowing turnaround times of reports, and patient safety, if wholly necessary information is not disclosed to the laboratory.

Mr. Fody said AAHP encouraged HHS to provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations a covered entity might perform. AAHP also recommended modifying the rule so that the recipient automatically relies on a request, unless it is clearly inappropriate--or, at least, issue guidance that the rule currently allows a covered entity to rely upon another's request, specifically enumerating disclosures presumed appropriate. Mr. Fody said they recommended that HHS issue guidance establishing that the requirement doesn't apply to a covered entity's internal use of PHI, for information from another covered entity. AAHP also recommended that the rule make clear that covered entities are allowed to develop a common sense approach, recognizing different covered entities require differing amounts and types of information.

Noting Americans were deeply concerned that their medical information not be disseminated, Mr. Weich said both ACLU's testimony and the regulation stated a minimum necessary requirement was necessary to breathe meaning into the rule's basic presumption that information is private unless issued with consent. Panelists had painted horror stories about information being disseminated in ways that impaired treatment, but Mr. Weich noted the regulation states "the minimum necessary requirement does not apply to disclosures or requests by a health care provider for treatment." The requirement entailed compartmentalization of the medical record, but he said everyone went through life compartmentalizing private information. Mr. Weich said associated costs would be a barely discernable add-on to the old world cost of privacy, justified by giving patients the assurance of confidentiality that enables them to seek health care for sensitive conditions that might impact public health.

Panel 4: Minimum Necessary

Noting AHIMA recommended for years centralizing the release of records beyond the basic claims form, with the professional making the decision on requests beyond normal TPO uses, Mr. Rode said the rule let that happen. He said the fundamental anticipated benefits of minimum necessary were the tools it gave professionals to shield PHI from those who didn't need access, and assurance that the patient could rely on them to make decisions on what should and should not be released. Noting concerns that the rule restricted treatment and operations, he said AHIMA didn't believe that was the case for treatment for payment and some operations. AHIMA believed many standards in the rule were already in place in hospitals and clinics and that implementation would not cost as much as the Secretary projected. AHIMA suggested that requiring special procedures for certain subsets of the health records was clinically and administratively ill advised and recommended modifying the right to request privacy protection for PHI.

Ms. Serkes conveyed AAPS's concern that the rules would exacerbate the situation and result in distorted, incomplete medical records. Because of the disconnect around government access to information and concerns over information and costs, she said the regulations made things worse. AAPS believed the "regs" violated the Paperwork Reduction Act and the Regulatory Flexibility Act, as well as the First, Fourth, and Tenth Amendments, and was filing a legal challenge. Ms. Serkes reported that 96 percent of 344 physicians AAPS polled in a random survey thought the rules would further compromise patient privacy. AAPS's concern with the implementation stemmed from its presumption that the information is needed under a public health need that trumps the individual's rights. The standard's lack of definition or any delineation of the professionals who decide minimum necessary meant physicians had to "contort themselves and jump through hoops." They would be subject to the criminal provisions of the act; and, if the providing entity guessed wrong, the physicians faced the possibility of criminal prosecution. Conflict of interest on the part of the requester hadn't been addressed. Ms. Serkes also said law enforcement agencies should be subject to the Fourth Amendment protections. She urged the Committee to define the term and the professionals allowed to decide it.

Dr. Guidotti said ACOEM was pleased with both the principle that a covered entity must make reasonable efforts to provide the minimum necessary information and that the final rule extends the standard to covered entities' requests for identifiable information from other covered entities, placing accountability with the covered entity requesting information. Dr. Guidotti said the rule: places the burden on the physician of deciding, on a case-by-case basis, the minimum necessary; provides no guidance on whether diagnostic information is considered in the scope of the standard; and permits a physician to disclose more than the minimum amount necessary to comply with specific state laws (a problem in terms of the state-based nature of workers' compensation law). Offering to work with the Department, ACOEM recommended that HHS develop a standard protocol for use by occupational physicians in implementing minimum necessary.

Ms. Foley said the nursing community's commitment to safeguarding the patient's right to privacy had always been part of professional practice. Many patients would go without treatment or disclose only partial information, which could lead to improper diagnosis and treatment, complications in an illness or injury, and even death, if they felt their stories were grist for the gossip mill or their records open to employers. She emphasized the overriding concern must be for the patient, not whether the rule will be inconvenient for practitioners or staffers who handle the insurance paperwork. Ms. Foley noted the minimum necessary rule requires that a hospital have in place a policy identifying under which circumstances identified practitioners and staff might access patient information. It doesn't prescribe the policy, only that it must be in place, clear, enforced, and afford the patient a reasonable expectation that records will be treated with respect and confidentiality. She said any suggestion that the expectation that a covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure is new or burdensome was unfounded--it's the core of daily work in a hospital setting.

Mr. Wood said the rule presents two fundamental problems for P&C benefit providers. Workers' compensation is a disability program with a medical component; the objective is not only to heal an injured worker, but also to get him back to work. Giving the defending party (the employer or its insurance carrier) access to full medical records is an elementary legal principle; information must be fully available to both parties to ensure a fair and equitable result. One problem is the lack of clear authority in the rule for covered entities to disclose information sought by P&C benefit providers to carry out legitimate insurance and claim management functions. AIA also believes that application of the standard to workers' compensation is inherently flawed, will impede communication of information needed to evaluate workers' compensation claims, and threaten the integrity and viability of the state-based workers' compensation system.

Panel 5: Research

Dr. Welles said Genentech was specifically concerned about: the overall structure of the rule, the definition of de-identified, conditions relating to patient registries, the minimum necessary requirements, and modification of the existing common rule. Genentech recommended revising the rule to: allow covered entities to disclose PHI without patient authorization for research along with TPO; allow disclosure of PHI to conduct post marketing surveillance using procedures and formats for registries and reports free of names and identifiers; waive the minimum necessary requirement with PHI lawfully disclosed for research purposes; exempt from the authorization and waiver of authorization requirements all human subject research accountable to review by a properly constituted Institutional Review Board (IRB) acting in accordance with the common rule; and delete the new IRB review criteria, leaving the IRB subject to the current common rule mandate.

Dr. Kulynych said the rule needlessly intrudes on IRB's system of research oversight, burdening biomedical and behavioral research with procedural requirements, ambiguous regulatory standards, and extensive liability concerns. AAMC's major concern is new civil and criminal liability upon those who use or disclose data, even when approved by an IRB. Increased liability, coupled with the compliance burden imposed by procedural requirements, is a disincentive for covered entities. She said a more appropriate remedy would be to modify common rule criteria. AAMC believes the rule's authorization provisions are unnecessarily burdensome and likely to dissuade participants. The provisions also seem to keep investigators from retaining identifiable health information obtained in a trial for future research not envisioned at authorization. AAMC finds some of the new waiver criteria unnecessary and problematic for IRB reviewed research. AAMC supports HHS encouraging use of de-identified medical information, but was dismayed that a single standard for de-identification was set so high it renders the data useless for most epidemiological health services and other population-based research. Catchall provisions and an unrealistically broad list of specific identifiers undermined the utility of the safe harbor, making it likely many covered entities would decline to de-identify data. AAMC urged HHS to modify the rule, creating an exception for uses and disclosures in common rule research not subject to the minimum necessary or accounting for disclosures provisions. The IRB should determine when information is sufficiently de-identified for researchers lacking authorization or waiver of consent.

In HHS's weighing privacy versus research, Dr. Klepinski said research lost. The door had been opened to a whole round of plaintiff's attorneys and litigation, and researchers had a problem convincing people to be as cooperative as they had been. Dr. Klepinski said de-identified research was impossible in investigational device exemption (IDE) research situations. The FDA and their regulations explicitly required many things tagged as identifiable data in the definitions. To comply with the FDA, authorization was needed for past, current and future medical records. He said authorization was their only hope, but noted it would be complex and require individuals willing to accept that they might be sued "anytime over the next 20 years." Post market issues were even tougher. Dr. Klepinski said this was all permissive to a "risk adverse" lawyer for a covered entity--and enforceable with civil and criminal penalties.

Ms. Pollak addressed weighing the protection of privacy against the burden on the research organization, noting four issues that result from the regulations: (1) tracking details of all disclosures outside the organization for non-routine purposes; (2) the practice of researchers seeking out recruits for the research protocol in preparation for unique studies where only a few people had a particular condition or disease; (3) non-profit organizations, which collect important epidemiological data researchers use all the time, are not considered business associates, and there is no way to give them anything but de-identified information without the patient's authorization; and (4) some 99.9 percent of the research dollars at Hopkins is raised by the Departments but, because of the PHI, someone who'd been to the Wilmer Clinic couldn't be contacted about a gift to the Wilmer Institute without their authorization. Ms. Pollak offered possible solutions.

Dr. Boswell said she was hard pressed to find a cost-effective way for covered entities to implement requirements of the rule without taking on excess legal liability. She pointed out that common rule research already had a system of protections in place, with the IRB weighing and evaluating risks. Dr. Boswell said she was deeply disturbed about the privacy rule authorizing a waiver of an individual's consent for research that intentionally subjects persons to clinical, biological or psychological interventions in order to collect research data, without any ethical board review. She said the 12 required elements in this new research authorization either duplicated what was in the informed consent documents, were patently untrue, or were needlessly complicated discussions of "irrelevant legal niceties" that offered no new privacy protection.

Public Testimony

Mr. Beato expressed concern that the rule conflicts with the Fair Credit Reporting Act, which imposes a duty upon data furnishers to update personal information reported to national reporting agencies. He said the rule's sweeping definition of PHI, which includes credit-related demographic information, impedes a business associate's use of this credit information for payment purposes. ACA recommended three modifications to the rule: (1) permit business associates to report medical debts to the three main national consumer reporting agencies, (2) clarify that location information services are permitted under the rule, and (3) remove certain demographic information from the definition of PHI when used for the limited purpose of conducting payment activities.

Dr. Rada conveyed the Special Interest Group's conviction that the privacy rule should go into effect as originally published. Noting that HHS encouraged self-organization of the health care industry via the identification of best practices among peers, he urged the Subcommittee to recommend that units of HHS with available R&D funding support the discovery of best practices for implementing the privacy rule. He suggested professional societies were candidates for such funding. Dr. Rada clarified that he wasn't suggesting a new Congressional budget, but seed money to hold conferences so groups that want to comply with HIPAA could better share and publicize information.

Mr. Pyles encouraged the Subcommittee to broaden the request from OCR on first encounter to cover more than just pharmacies; medical equipment and suppliers with equipment for delivery to a patient's home often had to make determinations based on the medical record before they saw the patient. He noted that some patients want to pay out-of-pocket for a prescription and not have that information in a data base; if that information went into the system consent, the patient lost that option.

Ms. Kaigh pointed out that the common rule allows research to be done on patients without their consent, if an institutional review board decides this poses minimum risk to the patients. She countered that it should be up to patients to decide what poses a minimal risk to them. And she objected to the balance of the panelists, noting most of the invited guests represented doctors' groups, hospitals, researchers and insurers that wanted maximum patient information. She asked where the equal representation was by those who only want minimum necessary information to pass and call for patient consent. Ms. Kaigh implored the Subcommittee to remember the thousands of public comments wanting no access without patient consent, and to hold further hearings in which patients' rights groups can present views protective of every citizen's privacy.

Panel 6: Marketing

Ms. Hustead said HPP agreed that modifications needed to be made to the consent requirement to address operational glitches, but emphasized it should not be eliminated. HPP fully supported the minimum necessary standard, echoing others' testimony about the importance and workability of the concept. HPP believed the research provisions were a major improvement over the status quo that would make people more comfortable about participating in medical research. She identified weaknesses in the regulation's approach to law enforcement access, marketing and fundraising and was especially troubled that the regulation authorized precisely the marketing activities the public resisted so vehemently. Ms. Hustead said the after-the-fact opt-out in the final regulation was totally insufficient and covered entities shouldn't be allowed to use or disclose PHI for these purposes without an explicit and separate authorization highlighting the marketing or fundraising use or disclosure. What constitutes marketing needed to be defined precisely.

Dr. Villagra conveyed DMAA's belief that, pursuant to the privacy rules, disease managers who encourage patients to utilize disease management services are engaging in health promotion on behalf of patients, not marketing, and he urged the Committee to seek confirmation of this interpretation by HHS. He said the privacy rules need to clarify that disease management companies, as business associates of other entities, are not engaged in marketing when they communicate about a product or service directly related to the patient's or population's plan of treatment.

Ms. Pellow conveyed NAIC's concern that the final regulation, which allows covered entities to disclose PHI for certain marketing purposes without the individual's authorization, is a significant and unfortunate change from the proposed regulation. NAIC supports the establishment of exceptions for certain legitimate business exceptions and transactions, but Ms. Pellow emphasized their belief that this exception guts the purpose of the regulation: protecting consumers' health information. NAIC urged that the exception be removed in favor of the approach in the proposed regulation. Ms. Pellow said prior individual authorization should be required for all marketing, the final rule was better than the status quo, and the notice of proposed rule making was best because it had required opt-in authorization for all marketing.

Subcommittee Discussion

The Subcommittee reviewed the panelists' and public's formal and implicit recommendations. Members voted to focus on issues of implementation and correcting unintended consequences, noting their letter to the Secretary needed to capture broader issues and put them in context. They summarized testimony heard, indicating issues explored, the disquietude, and support for further clarification. They also considered their own recommendations, based on testimony. Members reviewed each recommendation heard: accepting, rejecting or categorizing them among broader issues, beyond the scope of the letter, that might be recommended for further study. The issue of disease management programs and other proposals broader than consent were tabled; others so wide-ranging they reopened the basic philosophy of the rule were deferred.

There was agreement that, in some circumstances, those owning or possessing medical records should be able to use them, notwithstanding authorization or consent. They recommended that OCR explore ways for providers to access medical records in emergencies and other specific situations. Members noted providers' and plans' disagreement on the broad issue of payment. And they raised the concern Ms. Kaigh pointed out in her public testimony that free flow of records allowed information from a bad doctor-patient relationship to perpetually follow the patient. Members noted that virtually everyone was in favor of the minimum necessary concept, but considerable clarification was needed to make it implementable. They recommended that OCR's educational efforts address concern about the defensive maneuvering witnesses described. The group proposed referring the problem in relationship to the NCPDP standards to the Subcommittee on Standards and Security. Members addressed amending the rule to assure that the privacy regulation didn't prevent plans from getting information needed for accreditation and health care quality purposes. The Subcommittee agreed the letter should summarize diverging points of view and reaffirm the Committee's support for the minimum necessary standard.

Reiteration and guidance were sought on reasonable reliance and the educational effort. The consensus was that policies and procedures cover routine use; case-by-case determinations were for non-routine use. The guidance said these were reasonable determinations and, in some circumstances, reasonableness was based on prudent professional judgment. Determination was in the hands of the custodians, who could exercise their own judgment, reasonably relying on the requestors' determination of what was minimally necessary, unless clearly inappropriate. Members discussed collecting best practices. They will finish up minimum necessary and review research and marketing during their September 10 conference call: there will be a Federal Register notice and opportunity for people to call in. Mr. Rothstein noted that additional public recommendations could be received until close of business August 27. These would be circulated, so members could review consent and minimum necessary issues and e-mail additional points to Ms. Horlick. Members can bring forward recommendations throughout the full approval process.


DETAILED HEARING SUMMARY

August 21-23, 2001

Mr. Rothstein welcomed everyone to the first of three days of hearings on implementation of the privacy regulations promulgated by HHS pursuant to HIPAA. He noted the Subcommittee had invited seven panels of 27 invited witnesses to address consent, minimum necessary, research, and marketing. Topics, as well as specific questions were developed in cooperation with the Office for Civil Rights, which is responsible for enforcement of the privacy rule. Mr. Rothstein said the sole purpose of the hearings was to provide guidance to the OCR and the Secretary on practical issues or concerns in implementation of the regulation. Members were interested in possible unintended consequences, overlaps and inconsistencies, and areas in need of clarification. Concrete suggestions and information about successful implementation strategies were particularly welcome. He emphasized that the purpose of the hearings was not to voice approval or disapproval for the statute or rule, but was an effort to obtain expert input in identifying and solving problems and compiling successful strategies. Subsequently, the Subcommittee will submit proposed recommendations to the full Committee for discussion and possible action at its September 24-25 meeting. If approved, the recommendations will be transmitted to the Secretary.

Because of the large number of witnesses and the narrow focus of the hearings, Mr. Rothstein set ground rules: invited witnesses had 10 minutes for their prepared testimony, members would then have an opportunity to ask clarifying questions. After each panel completed its testimony, members and witnesses would have about 30 minutes for a discussion of the issues raised. Time was also scheduled on the first two days for public testimony. Witnesses had until August 27 to submit additional written testimony.

Panel 1: Consent

Ms. Henderson said Kaiser Permanente strongly supports the overall goals of HIPAA administrative simplification, but the consent requirement will create unintended but significant barriers to the delivery of health care services. She urged HHS to delete the requirement or, at a minimum, mitigate unintended negative consequences to patient care and health care delivery. She observed that, in the proposed rule, HHS noted the questionable validity of a blanket authorization, determining it would be neither voluntary nor truly informed. As the term is used in the final rule, she said consent provides no opportunity for either.

Ms. Henderson pointed out that the rule already has meaningful tools to protect an individual's medical privacy, including: precise limits on allowable uses and disclosures of protected health information (PHI), notice, specific written authorizations for other uses, and sanctions for misuse. The requirement adds nothing to these protections and provides no real value to patients. In fact, she said it could harm them.

She noted a goal of administrative simplification is to improve the efficiency and effectiveness of the system by encouraging the development of electronic health information systems. And she stressed that, for larger organizations--particularly those with numerous electronic systems, multiple sites of care, and paper records in many locations--the process of obtaining consent and then tracking, storing and updating to reflect revocations is "mind boggling." Ms. Henderson explained that Kaiser Permanente was faced with getting consent, not only from 8.2 million current members, but also from up to 35 million former members. Many had moved or died, yet their medical information is still woven throughout these systems. State law provides statutory authorization and Kaiser Permanente hasn't obtained blanket authorizations for most. Most enroll through employers, with no direct contact. In states where blanket authorization is currently required, Kaiser Permanente obtains it solely from the subscriber, not other family members. Members, employers and Kaiser Permanente would all have to be involved in complex layers of paperwork and process to obtain HIPAA consent--a step backward from HIPAA's efforts to encourage effective use of technology. Until they sign a consent, members would be blocked from using phone and Internet appointment and advice services they heavily rely upon.

She said HIPAA consent also poses a formidable barrier to continuing health care operations. No health information in their systems can be lawfully used until consent is obtained; yet Kaiser Permanente has no practical way to segregate the data. All existing data would have to be either blocked or archived--stymieing quality review, provider credentialing, planning, evaluation of drugs and medical devices, and emergency treatment. Patient data relied upon for essential health care operations are integrated into their systems with no reasonable way to extricate it. And if members withdraw consent, the Health Plan must disenroll them--but HIPAA portability provisions generally preclude disenrollment except for non-payment or fraud.

Ms. Henderson described moral and ethical dilemmas the requirement elicits. Notified by a drug company that a batch of epinephrine solution was contaminated, Kaiser Permanente was able to go into its systems, identify all 2,350 patients at risk, and provide new medication quickly. Under HIPAA consent, what happens to patients who have not yet signed or who revoked consent? What about a patient who revoked, then was brought into ER in a coma--How could they be sure they weren't administering a medication that patient was allergic to?

Kaiser Permanente urged HHS to rescind the requirement and return to the proposed rule. Barring that, Ms. Henderson recommended seven measures to lessen the negative impact of the requirement: (1) allow continued use of the data collected before the April 14, 2003 compliance deadline and require consent only for data collected subsequently, (2) allow use and disclosure of data collected before revocation for continuing TPO, (3) allow ongoing use of data until a patient is present and able to sign a consent form, (4) make the requirement inapplicable to states with statutory authorization for the use and disclosure of PHI, (5) defer the requirement for five years, then assess whether other HIPAA tools provide adequate protection, (6) reconcile conflicting laws, (7) rely on parental consent until a child who reaches the age of majority comes in for care.

Noting Ms. Henderson said she would like to return to the proposed rules regarding consent, Mr. Altarescu remarked that the proposed rule stated providers could not use a consent form. He asked if that was Kaiser's position. Ms. Henderson replied they currently functioned under state rules with statutory authorization that worked for them and their members. Consent as defined by HIPAA or general use of data for TPO--Kaiser Permanente agreed with the proposed rule.

Panel 1: Consent

Ms. Donohue noted that, today, health plans are intimately involved in: prevention and disease management, quality assurance, quality improvement, patient safety, utilization management, performance measurement and private accreditation. She expressed NCQA's concern that the privacy regulation impedes the flow of information necessary to perform these critical functions.

Over the past four years, health plans have participated with physicians to improve cervical cancer screening rates from 70 to 78 percent and the use of beta blockers from 63 to 89 percent. In only three years, they improved the rate of chicken pox vaccination from 64 to 71 percent. But Ms. Donohue noted in the most recent HEDIS data collection, providers are refusing, based on the preamble language, to pass this information on to health plans. Noting the Institute of Medicine's (IOM's) estimate that medical errors contribute to the premature deaths of between 44,000 and 98,000 people in U.S. hospitals and that IOM's recent report, Crossing the Quality Chasm: A New Health System for the 21st Century, states information is the means by which integration of providers and plans can effectively be deployed to deliver high-quality care, she cautioned that unless the regulation is changed, this critical work will be impeded.

Ms. Donohue said NCQA's foremost concern is the preamble language and clarification issued in the policy guidance that states one covered entity may not disclose PHI for the operations of a second covered entity. She conveyed NCQA's belief that, at a minimum, the preamble and policy guidance need to clarify that consent obtained at the provider level is sufficient to allow transfer of information for health care operations that support quality improvement, accreditation and other functions. Quality work cannot rely purely on administrative and billing data; one needs access to the medical records to perform the coordination of care NCQA requires for accreditation and determining whether health plans are getting valid information.

NCQA also recommended that HHS delete the consent requirement for TPO, adopting the original recommendation under the proposed rule. Ms. Donohue said the requirement was time consuming for the physician, patients would have difficulty understanding it, and enforcing revoked consent would be an "administrative nightmare." She also noted that current policy issues indicated a level of distrust between many physicians and health plans that had an impact on willingness to advocate or obtain consent to transfer information to the plans.

Responding to a query, Ms. Donohue clarified she was talking about the flow of information from the provider to the health plan for the plan's operations. The current preamble and policy guidance state that, even if the provider obtains consent for health care operations, it is not sufficient to allow that provider to transfer the information to the plan for its health care operations, including functions like accreditation and quality improvement.

Panel 1: Consent

Mr. Kelly noted that, though his comments were cast from Mayo's perspective, they were consistent with the Health Care Leadership Council's. Both groups support national uniform standards to protect confidentiality. He concurred that consent is the final rule's major problem. Mayo recommended going back to the NPRM's approach of a statutory consent. Mr. Kelly suggested the consent approach was an attempt to deal with something that wasn't a problem from the patient's perspective. He said he never heard patients mention in Congressional or Committee hearings any problem with the health care provider using information about them to provide treatment, bill for services, or run the institution and operations designed to foster patient and employee safety and other vital health care operations.

Mr. Kelly said providers would require consent for treatment. Patients will be told: "If you don't sign, we won't treat you." The result will be patient inconvenience, paperwork, and fairly negative reactions on the part of patients--nothing else would be accomplished. Mr. Kelly said patients in focus groups reacted to notices and consent forms with anger, confusion and a sense of wasted time. Instead of a therapeutic relationship, an adversarial relationship would be created.

He noted another unintended consequence identified by the HHS guidance document centers around the issue of the first encounter. One cannot schedule a first appointment, tests, or fill a prescription without knowing PHI and having prior written consent.

Responding to a question, Mr. Kelly emphasized Mayo didn't want to see consent expanded to "indirect" providers. Noting Mayo is a highly-integrated, multi-specialty group practice with physicians, hospitals, home health, and nursing care under one umbrella with internal and external referrals to many different specialists, he cautioned that requiring consent at every encounter would destroy the integrated model.

The bottom line, Mr. Kelly said, was that HHS "cure the problem rather than just try to manage it." But if they had to settle for that, Mayo identified four critical issues to manage. HHS acknowledged the pharmacy issue and first encounter in their guidance. The others were the transition and revocation issues. What happens to all the records they had without authority to use? And what happened to information that had migrated into other systems, when a patient revoked consent? Mr. Kelly noted it is vital to have a complete set of data when dealing with patient and employee safety and other health care operations where revocation should not apply.

Panel 1: Consent

Ms. Blevins focused on concerns raised in thousands of comments to HHS by citizens opposing access to PHI without their consent. She said the rule imposes a major shift in the ethics of consent, personal autonomy, and confidentiality. For the first time, the federal government would decide who could access every citizen's health (including genetic) information.

She noted the concept of informed consent has been defined as a person's agreement to allow personal data to be provided for research and statistical purposes and that an individual's agreement to share information is based on full exposure to the facts needed to make that decision intelligently. As explained in Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics, "informed consent describes a condition appropriate only when data providers (patients) have a clear choice. They must not be, nor perceive themselves to be, subject to penalties for failure to provide the data sought." Ms. Blevins said the privacy rule codifies a new ethical code for medical care in the United States: individuals may be denied medical treatment for failing to share personally identifiable information for purposes of "health care operations," a broad term encompassing many uses. She contended the rule coerces individuals into sharing PHI and does not meet this definition of consent.

Ms. Blevins stressed that the fact technology existed to facilitate exchange of medical information electronically didn't mean fundamental ethical constructs should be eliminated. She recommended the Subcommittee look at a national Gallup survey the Institute commissioned that indicated people don't want many third parties having access to their medical records--especially banks, which she noted were not covered by this rule. Ms. Blevins said it wasn't clear whether citizens would be fully informed about how many third parties would have access to their information. An accounting of disclosures regarding when one's records were released won't include an accounting of releases related to TPO. Personal information, including genetic information, could be shared "a thousand times over the Internet," but all one would see was that it was shared with two marketing companies.

She said the media told patients they would be able to demand stronger privacy protections than offered by this federal rule, but they weren't being told that physicians and other providers didn't have to agree. Even if the provider agreed to abide by stricter confidentiality, Section 164.512 prohibited them from entering into valid agreements to protect patients' medical records for a number of uses listed in her written testimony.

Ms. Blevins summarized two reasons for individuals to be concerned about the rule's impact on their ability to control access to their information. Under this rule, once an individual's medical records are disclosed to a third party other than a business associate, the final rule no longer protects that information. And the rule does not cover the procurement or banking of blood, sperm, or body tissue. Noting that these contain genetic information, she said lack of privacy protections in these areas would have far-reaching effects for millions of Americans. She listed other reasons in her written testimony. Ms. Blevins said they could turn to state contract laws and didn't need a new rule, but they had to make sure privacy didn't preempt any state laws.

Ms. Blevins observed that, clearly, an individual's rights ended when he or she became a threat to society. But until that burden of proof had been made clear, an individual's rights and important health care ethics of care, personal autonomy and confidentiality must be upheld.

Discussion.

Ms. Blevins clarified that she hadn't taken a position on the privacy rule, but contended it shouldn't interfere with an individual's ability to enter into private agreements. If the majority of citizens wanted such a rule, they should be free to have it. But it should be clear that this federal rule would not preempt state contract laws. Dr. Harding asked if she was saying the individual right was preemptive over the public's health. She replied she had a Master of Public Health degree, loved statistics, and her written testimony acknowledged his question was excellent. She said the individual's right preempts the public good, unless one was a threat to society. She said there was proof consent worked. For over 60 years they'd had it and wonderful advances in health care, while collecting statistical information.

She noted she also supported the provider's right to say, "This is the way we function efficiently: To be treated here, you have to share this information." But the individual should be free to try to find another hospital and maintain a confidential relationship. Mr. Kelly commented that the rule did allow a patient and a physician to place restrictions on the use of information. Ms. Blevins said she cited in her written testimony that even if a physician agreed to a stricter level of confidentiality, section 164.512 lists a broad range of purposes that preempt agreement. Ms. Donohue remarked that it is only through measurement and collection of data that one could even begin to try to improve the quality of health care, and she said there were instances in which collection and measurement of data overrode individual rights. The individual could ask for restrictions; there were built-in safeguards.

Ms. Donohue clarified that she thought providers who refused to provide information about chicken pox were not necessarily misreading the requirements. They needed to address the issue of whether, when they obtained consent, they could give any information to the health plan. She noted NCQA has standards that require health plans to make sure that care is coordinated, which they assess by looking at the individual medical records and ensuring that care across various providers is aligned. She said the de-identified information was not sufficient to enable the health plans to carry out critical functions. There were instances in which they needed access to the actual medical record. Ms. Donohue said the definition of health care operations in the "reg" was fairly broad; NCQA's issue was that, based on the preamble language and the guidance, consent only covers the entity that collects the information and is not sufficient to allow the doctor to give information to the plan. She believed this was unintended, but said they needed guidance that consent was sufficient to allow information to be transferred to the plan for fundamental health care operations. Members clarified that they were talking about the many capitated arrangements where information was not routinely sent; when that occurred, they had no access to that information. The consent form signed in the doctor's office is a consent for TPO of that doctor. NCQA wants the doctor to be able to not only share information with his or her own TPO, but also with the plan's health care operations. Ms. Donohue acknowledged that, under the rule, the plan could get an authorization, but she said that would be an administrative burden and "nightmare."

Ms. Henderson said that, even as an organized health care arrangement with joint consent to cover the health plan, hospitals and "med" groups, they would have trouble doing accurate HEDIS reporting, as outlined in their appendix. They wouldn't be able to get consent for some people, and others would have revoked consent. Numerators and denominators on those statistics would be off. Responding to another question, Ms. Henderson explained their understanding of the rule was that, unless former patients had signed consent, they could not use their data. Noting the epinephrine example or a drug interaction problem, she pointed out that the Kaiser Permanente System had data for everyone they'd ever prescribed a drug to over the life of the systems. But, with the consent requirement, they couldn't touch the record--which they might even have had to remove. There would be no way to access those members. Remarking that Kaiser Permanente operated many of the emergency rooms left in the community, she said a former member could end up in their emergency room in a coma. Unless they already had signed consent, they wouldn't be able to use that information. Noting that his specialty and practice is emergency medicine, Dr. Cohn concurred. One needed to treat the patient in an emergency. That was inviolate with the privacy rule, whether given consent or not. But he also saw nothing in the rule that said they could access previous information without consent. Practicing physicians in an emergency department were in a Catch 22.

Mr. Rothstein reflected on Mr. Kelly's concern about the effect of the new rule on his patients, observing that argument had been raised, in analogous ways over the last 25 years, with every new piece of consumer protection legislation and regulation. Individuals affected wouldn't understand labels, warnings, disclosures or consents--they'd be confused, angry. He pointed out the need for provider, health professional, and patient education, which the Department was planning. Informed patients might not only become more comfortable with the concept; they might embrace it. Mr. Kelly said he approved of informing the public that a new law affected their privacy; the problem was that having to sign a consent when you came to be treated added a coercive nature to the relationship. Nothing was gained requiring written consent. What mattered was that patients knew, when they came into a hospital or physician's office, that a panoply of requirements were in place to protect the confidentiality of that information, that it could only be used for a specified set of legitimate purposes, and that anything beyond that--which was where the real problems lie--now violated federal law. Ms. Blevins said the bottom line was consumer education.

Reflecting on her experience in a urology unit, Ms. Blevins said, when honest people can't control access to their data, they lie. A database full of lies could truly harm the quality of care in the United States. Prohibit consent, which is what the proposed rule would do, and you destroy the quality of medical care in this country. Mr. Kelly agreed. The disconnect was that, in at least some of the states in which they operated, existing laws provide the protection they sought.

Panel 2: Consent

Ms. Winckler explained that pharmacists and the pharmacies they operate abide by privacy standards laid out in state practice acts, board of pharmacy regulations, other state laws, their code of ethics, and individual confidentiality or privacy policies. The prior written consent requirement was a substantial deviation from pharmacy practice. If a prescription was called in and no consent was on file, the prescription was set aside. Evaluating clinical and duration appropriateness and billing the third party payer waited until the patient came in. Noting that more than 3.1 billion prescriptions were prepared in 2000, Ms. Winckler said they were talking about a significant number of encounters and information. The consent would erect barriers to patient care.

Noting the health care provider in Kansas City accused of intentionally diluting chemotherapy products and the significance of immediately evaluating those pharmacy files, Ms. Winckler said it was unclear whether this use of patient information was allowed without prior consent.

When patients give their consent, under the final rule they may request restrictions on the use and disclosure of the information. For example, a patient may request that his prescription for a mental health medication not be filed with the payer. Ms. Winckler said, today, pharmacists weren't challenged with that situation. With the consent, however, there was concern about patients requesting restriction. A pharmacist who identifies a potential drug interaction between a new medication and the mental health medication couldn't disclose the name of the patient or the drug to the prescriber. APhA counseled its members that there were problems with accepting any of the consent restrictions, at least in the treatment area. It would be difficult to offer and abide by those restrictions and meet compliance with state practice acts.

Ms. Winckler conveyed concern that signing a consent with each health care provider might create confusion between the consent for TPO and the authorization for other activities. Both patients and providers might lose the intent of the rule--knowing what one is authorizing. She predicted significant administrative and financial burden in securing the consent and expressed concern about the vagueness of what the rule required. What did taking reasonable precautions against accidental disclosures mean for a pharmacy that announces over the public address system that a prescription is available?

Ms. Winckler cited a situation the guidance document triggers as an example of this rule's impact. The guidance clarifies that a pharmacist could counsel a patient on the selection of an OTC product without getting consent, if he did not record that information in the patient's record. Ms. Winckler pointed out that a pharmacist providing a consultation to a patient with hypertension and recommending against a decongestant that would interact with the hypertensive medication would want to document that interaction in the patient record so it was clear he had guarded against that. Allowing consultation without consent created the problem of documentation.

She said the options that APhA posed concurred with the first panelists' recommendations for statutory authorization. In its absence, some members proposed having the prescription serve as an initial consent. Changing the prior requirement was another alternative, although that raised questions about the validity of the consent, if it is not provided prior to the use and disclosure of information. A third option recommended by many is a single consent form for TPO, although that also challenges providers with finding a way to determine the level of consent.

Ms. Winckler said pharmacists were trying to prepare for all this, but the rules "kept changing under their feet." She stressed it was important for everyone affected that the compliance date should be two years after the final modifications to the rule.

Panel 2: Consent

Dr. Goin noted patient privacy is particularly critical in ensuring high quality psychiatric care. Both the Surgeon General's report on mental health and the U.S. Supreme Court's Jaffee v. Redmond decision conclude that privacy is an essential requisite for effective mental health care. The mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment. The APA commended the Administration for moving forward with the implementation of the regulations and evidencing commitment to protecting the privacy of the medical record by advancing patient privacy.

Dr. Goin said health care plans and clearinghouses should be required to obtain a patient's meaningful consent before their medical records can be disclosed for TPO. Noting provisions in the regulation regarding comatose patients, Dr. Goin linked them to the APA's professional concern for respecting the health information of involuntary patients being treated for mental illness or substance abuse pursuant to state law. Dr. Goin said APA welcomed the opportunity to work with the Committee on a recommendation for an exception for involuntary patients who refuse to sign a release.

She expressed the APA's concern that patients would lose existing privacy protections regarding the disclosure of medical records for judicial and administrative proceedings. The new regulation would allow providers to disclose medical records information in response to a subpoena, discovery request or other lawful process not accompanied by the order of a court or administrative tribunal, as long as reasonable efforts are made by the party seeking the information to give notice of the request to the patient or to secure a qualified protective order. Dr. Goin also noted these procedures provide no check on attorneys' behavior in requesting records of marginal relevance to a case or for the purpose of embarrassment or intimidation.

Dr. Goin said the APA was pleased the administration understood and appreciated the critical importance of requiring a higher level of authorization for the use and disclosure of psychotherapy notes and emphasized it is essential to expand the definition of psychotherapy notes to include: medication prescriptions and monitoring, counseling session start and stop times, modalities and frequencies of treatments furnished, results of clinical tests, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress. She emphasized that, without additional protections consistent with the Supreme Court's Jaffee v. Redmond decision for mental health and other particularly sensitive medical information, protections essential for effective mental health care will be lost.

Dr. Goin conveyed APA's judgment that the rule allows for use and disclosure of too much information without the patient's consent. She noted language is needed to clarify that privacy protections cover treatment modalities broader than psychotherapy and information that is part of the patient's medical record. She said a requirement for keeping a second set of records would result in increased time, difficulty and cost associated with record keeping.

Under these regulations, she noted law enforcement agents could issue written demands to doctors, hospitals and insurance companies for patients' records, without a judge's review. APA was also concerned by the separate provision allowing computerized medical records to be searched for matches of blood or other health traits, whenever police tried to identify a suspect. Dr. Goin expressed APA's belief that the same constitutional protections that apply to a person's household possessions--the Fourth Amendment probable cause standard, including independent judicial review for all requests--should apply to his or her medical history.

She said APA was hopeful the Committee will agree that marketing or fundraising endeavors have a patient consent or opt-in before they occur, rather than the regulation authorizing the patient to opt-out of further fundraising or marketing endeavors.

Dr. Goin concluded that APA believed the privacy regulations were needed, but inadequate to protect patients. APA's greatest concern was that some, in support of their own interests, would argue for surrendering patients' new-found protections. She urged the Secretary to not only receive all interested stakeholders' comments, but to use his regulatory authority to work with them in finding solutions.

Panel 2: Consent

Ms. Hatton said AHA was in total agreement with Kaiser Permanente's and the Mayo Foundation's position and rationale. She echoed a practical comment HHS raised in its most recent guidance: when HIPAA becomes effective, hospitals won't be able to schedule procedures until patients have physically received and read a privacy notice (the model is 10 pages) and signed and returned a written consent form. Ms. Hatton noted that HHS, recognizing this would be a major inconvenience for rural and elderly citizens and, in many cases, an impediment to timely care, promised to modify the rule. She said no one on the panels questioned that patients needed to receive the essential notice of privacy practices. But she suggested everyone was asking that the written consent requirement ("a practical impediment to care, which really is totally unnecessary") be discretionary. Ms. Hatton cited the dilemma Intermountain Healthcare posed in its April comments as a compelling case for making written consent discretionary. Intermountain believed they had two choices. Either ask patients to sign the notice every time they saw them or, while recognizing there was no additional patient privacy benefit, design and build a hugely complex and expensive computer system to track consents. She noted hearing this from other hospitals and associations--like SNIP, which advised its hospitals that patients had to sign a consent form "each time they walked in the door." Ms. Hatton cautioned that patients (like Mr. Kelly's focus group at Mayo) will not like having to fill out unnecessary paperwork every time they come to a hospital or provider. She mentioned an AHA study, Patients are Paperwork, that gauged it took 30-60 minutes of paperwork per hour of patient care to meet only federal mandates. She cautioned that consumers, barraged with unnecessary paperwork, might question the whole privacy rule, if it isn't made more workable while retaining meaningful privacy protections embodied in the notice that is HIPAA's core.

Ms. Hatton acknowledged that technically, under the rule, consent only had to be obtained once. But, noting there were both civil and criminal penalties for failing to meet the obligations under the statute, she said the question was how to track consents to know, every time the patient came in, that a valid written consent was on file, without limitations, and hadn't been revoked. Many institutions believed the only practical way was to get a form signed every time.

Panel 2: Consent

Ms. Darrah said AMA was both pleased and disappointed with the consent requirement in the privacy rule. The rule was consistent with AMA policy, requiring most providers to obtain patient consent prior to using or disclosing a patient's health information for TPO. But she noted the requirement had unintended consequences for patient care and the patient-physician relationship.

Noting the AMA considers patient autonomy fundamental to medical ethics, Ms. Darrah said in situations where specific informed consent was not practical or possible, either identifying information should be stripped or an objective, publicly-accountable entity must conclude, after weighing risks and benefits of the proposed use, that patient consent wasn't required. She conveyed AMA's belief that requiring consent honors the individual's rights, saying to truly obtain consent meant to inform the patient of the privacy practices of the provider or plan and to provide a choice. Mere notification didn't respect the patient's autonomy.

Ms. Darrah said requiring providers to obtain consent creates an appropriate incentive to de-identify information. Noting the privacy rule does not require plans to obtain consent for payment or health care operations, with the exception of psychotherapy notes, Ms. Darrah said failure to regulate them was completely misguided.

The AMA offered suggestions to ease the burden of implementing the consent requirement. Ms. Darrah said the privacy rule should allow reasonable and limited uses or disclosures to carry out TPO before obtaining patient consent. She said AMA was pleased that recently released HHS guidance states HHS intends to modify the rule to assure this flexibility. But she pointed out that the guidance only recognizes first-time referrals. The AMA believes other necessary uses and disclosures, typically initiated by a patient, should be accommodated.

The AMA was encouraged that the guidance clarifies that a provider who obtained any consent to use or disclose health information for TPO, prior to the compliance date, could continue to use the information for all purposes. The AMA recommended HHS formally clarify this in a modification to the privacy rule. Noting the guidance permits only health care clearinghouses and plans to continue to use information obtained before the compliance date, when no written consent is on file, AMA urged HHS to treat all covered entities in a similar manner.

A third suggestion was that the rule should apply a good faith standard to the right to request restrictions and the right to revoke. As written, Ms. Darrah said it completely discouraged such agreements. Physicians might no longer agree.

Ms. Darrah noted that AMA continues to have ethical concerns regarding the requirement and breadth of the definition of health care operations. She remarked that many uses and disclosures allowed under the definition weren't routine and most patients didn't imagine that their information would be used or disclosed for activities currently allowed under the definition. She observed that many were not critical to the care of the patient or operation of health care facilities and could be routinely conducted with de-identified information.

Ms. Darrah cautioned that non-routine, non-critical activities had made their way into the definition of health care operations and patients might unwittingly agree, or be forced, to consent to these broader purposes in order to be treated. She was troubled by these uses and disclosures being swept into consent under that definition. If the consent requirement was removed from the rule, patients lost control over many uses and disclosures of their PHI. She said removing the consent requirement for TPO, without narrowing the definition of health care operations, "flew in the face" of patient privacy and autonomy, merely for the provider's convenience. Ms. Darrah said questions in the last panel spoke directly to why plans should have consent.

Discussion.

Dr. Goin said customary information for the payer was the date treated and codes for treatment and diagnosis; the APA objected to automatically making PHI available and not protected. Patients were stigmatized and discriminated against. Considerable protection was needed. An internist had to know if a patient was getting an anti-depressant. Information in a chart helpful when seeing a patient in an emergency wasn't necessary to know treatment took place.

Ms. Fyffe wasn't convinced it would be difficult to know which patients had been to an institution before and signed a consent form. A large university teaching hospital, where people flew in once from across the country, might pose some difficulties. But medical records departments had master patient indexes. Ms. Hatton explained the problem wasn't knowing someone had been in before, but knowing valid consent was on file and hadn't been revoked or limited. Patients could request limitations at any time and in any form--and they could be agreed to in a number of ways. There were criminal penalties for hospitals misusing information. If a valid consent wasn't on file, they faced a violation of HIPAA, the federal law, state laws and private actions. Unintended and unimagined complications to these rules needed to be dealt with.

Dr. Harding recalled that the vice president of Revco told them years ago how electronic data from each Revco was transmitted to a central database that looked for drug interaction difficulties. He asked Ms. Winckler when, without prior consent, they felt they had permission to enter that database and at what point the patient was--or should be--informed. She said, under HIPAA, a pharmacist checked to see if they had a consent on file; if not, they stopped. Otherwise, entering that information into the database was part of the clinical aspect of preparing the prescription. And it was entered again (not only against Revco pharmacies, but against any other prescriptions filed for that patient) when the claim was filed for payment. She said the notice of privacy practices APhA supports helped patients understand this. Dr. Harding noted some patients go to CVS for their allergy and hypertensive medicines, and then fill their psychotropic medications at a "mom-and-pop" pharmacy to avoid that database. He said they had to come up with a way to handle medicines so people didn't play games that got everyone in trouble.

Dr. Zubeldia asked how they would replace consent with the notice of privacy practice. How would they know patients had it? Would they give it each time--keep a signed receipt? How was dealing with the notice different than consent? Ms. Hatton noted ways patients had access to the privacy notices. Under the rules, hospitals were required to publicly display the notice and post it on their Web site. Once the rule was finalized, patients got it the first time they presented. Dr. Zubeldia asked if the patient had the capability to disagree with some of those privacy practices. Ms. Hatton said patients would have all the rights they do now--there just wouldn't be all the paperwork. Ms. Darrah remarked that was probably why AMA focused on maintaining the consent requirement; it was the vehicle for, "I agree to be treated--and to use of this information."

Dr. Goin noted the difference people felt with an opportunity to give consent. In every study she'd been involved in, 99 percent of the time, patients were glad to be asked and go forward. Mr. Blair asked if the eligibility transaction had a field where they could ask the status of consent. Dr. Zubeldia said the payer could report consent in the free-text area. Ms. Hatton questioned how they would configure computer interaction to adjust for limitations or revocation.

Dr. Harding reflected that the first panel talked about the issue of individual rights versus the good of the public and this panel talked about the burden of compliance. He asked if signing the consent forms increased trust in the system. Several people replied it did the opposite. Doctors felt the burden of compliance. They wanted patients to feel they could trust the situation and how information would be used. Ms. Hatton said that was the function of the privacy notice. She suggested there was unanimous agreement on the notice's importance; even HHS acknowledged the burden of compliance also fell on patients. Providers couldn't use personal information in any way, until someone read the notice and returned the signed consent form. She questioned whether they really protected patient privacy by asking them to repeat this every time they presented for care. Dr. Goin replied patients in the public sector didn't have access to the Web sites and most people didn't stop to read posted notices. With the consent form, someone actually talked to the patient. Ms. Darrah remarked that, aside from the notice, patients didn't know they'd consented to use of their PHI for that column-and-a-half of the Federal Register defining health care operations.

Dr. Zubeldia observed there would be technology advances and new data mining capabilities; the notice was a dynamic document that would change. He wondered how the patient could revoke it. He also questioned how it was any different to track that patients received it than that they signed the consent. Ms. Hatton agreed privacy practices would change and she said, if online experience was any guide, providers would probably improve upon their privacy policies, making them more accessible to patients. Currently, as long as providers reserve the right to change their notice, they weren't required to get consent when the notice changed. But she noted patients had the right, at any time, to revoke permission. Ms. Hatton remarked that people gave permission by being a patient. The concept in the notice of proposed rule making is that there was regulatory or statutory authorization for the use of data in ways patients expect. Patients expect providers will use their information for payment and treatment. She said the definition of health care operations was carefully crafted to encompass expected uses of information. As a patient, you expect that an accreditation agency, like the Joint Commission, will have access to the data needed to determine whether your provider or hospital should be accredited.

Ms. Hatton explained HHS set up a two-part process. One was the privacy notice that described the expected uses of information and where, by being a patient, you accepted them, but retained the right to ask for limitations or revoke. The other part was for authorization of unexpected uses of information (e.g., marketing or research); the obligation was to exactly explain that use and let you opt-in. Your ability to revoke, under a privacy notice, or to ask for limitations, had nothing to do with the written consent form. It was a right you retained as a patient and could exercise any time. Ms. Darrah noted that the definition of health care operations was narrower under NPRM, in recognition of this dichotomy.

Ms. Hatton urged the Subcommittee to look at how patients' rights are explained in privacy notices and the fact that a mechanism must be set up for them to exercise these rights. She reiterated that, currently, a written consent form not only creates an impediment to care, but consumer backlash and a burden for institutions.

Public Testimony

Mr. Pyles said he was surprised to hear representatives of the hospital and pharmaceutical industries recommend eliminating a patient's right to not have his or her information disclosed without consent. Reminding everyone of the ground rule that they were not there to discuss rescinding any regulations, he said he assumed elimination of the requirement wasn't on the table.

Noting section 264(b) of HIPAA states the regulation should set forth rights individuals should have with respect to privacy, Mr. Pyles said nothing was more essential in protecting the right to privacy than the right to give or withhold consent. Consent was absolutely crucial. He cited page 82473 of the preamble to the regulations that indicates half the states and many professional licensure laws and ethical guidelines require consent. Common law in almost every state makes it a breach of a patient's right to privacy to disclose information without the patient's consent. He noted the patients and practitioners on the panel understand consent is essential for quality care.

He also commented on the need for a better definition of protected psychotherapy notes, grounded in the therapist/patient privilege. And he said exceptions to the psychotherapy notes protections need to be carefully and specifically defined. He noted New Jersey and the District of Columbia had statutory models and definitions of terms that had been in place for many years. And he asked the Subcommittee to take into account findings in the preamble that were the product of a detailed fact-finding process.

Public Testimony

Speaking as a private citizen who tracked the medical privacy issue ever since HIPAA was passed, Ms. Kaigh said patients do care if their medical records are freely exchanged without their consent. So long as patient consent is required before records are released, a patient can start over fresh with a new doctor after a malpractice, misdiagnosis or personality conflict situation. She questioned how a patient could secure an objective second opinion if the medical record is shared without patient consent, with the second doctor drawing upon the first's prognosis and diagnosis. She told how her father, who was a physician, had been given three months to live, but was able to start anew with other doctors' unbiased suggestions for treatment and lived for four years. With automatic sharing of the medical record, she doubted that would be possible.

Ms. Kaigh questioned why, with 50,000 comments about the final privacy rule, more groups representing private citizens weren't testifying. Remarking that panelists were predominantly information or fact-gathering groups wanting broad access to medical records without patient consent, she cited a recent Gallup Poll, done by the Institute for Health Freedom, showing the majority of citizens do not want anyone accessing their medical records without their consent.

With the new privacy rule, Ms. Kaigh said OCR could--without notice, subpoena, or patient consent--access anyone's medical records. Researchers could access them, if an institutional review or privacy board decided patient consent wasn't necessary. Law enforcement, public health officials and others could also access without patient consent. Ms. Kaigh noted the rule said the patient only had the right to request a restriction. The doctor could refuse that request--and refuse to treat the patient, if he or she didn't sign. Noting page 82553 of the December 28, 2000 Federal Register, Ms. Kaigh said doctors could agree to limit access to medical records--then go ahead and allow access anyway.

Ms. Kaigh said she worked in her father's office for 13 years and only in emergency situations did doctors share patient information. She emphasized considering privacy of the patient and every citizen's freedom to share sensitive information with his doctor without fearing others will know about the patient's abortion, alcoholism, impotence, HIV or other private matters. Rather than provide broad access to medical records, Ms. Kaigh said the privacy rule should reinforce consent forms and the ability of the patient to decide, on a case by case basis, what information his doctor, health insurer, or others, should know.

Public Testimony

Mr. Wilder observed that, in many respects, the health care system is a health information system. Plans and providers share health information for a variety of legitimate reasons in order to carry out their functions. Noting most of the information the plans use comes from the provider, he emphasized it was important that this flow of information wasn't unduly restricted. He stressed it could be difficult and time consuming for plans to always get consents, authorizations, or information directly from their members. He noted that 15-20 percent of the addresses and phone numbers that plans engaged in Medicaid operations had for their members were incorrect; their only contact with that beneficiary was through the provider.

Mr. Wilder depicted what most witnesses had discussed as the need to balance respect for the confidentiality of information with needs of the health care system. They might disagree about where the fulcrum should be or the relative weights to give those important needs, but he asserted it was this balance they were looking at as they struggled with the privacy rule and, especially, the consent requirements. AAHP had three recommendations: (1) pursuant to the consent, providers should be able to share PHI so the plan could carry out its health care operations, (2) to avoid disrupting essential health care functions in states that currently didn't require written permission, wherever covered entities didn't have written consent, they should be allowed to use or disclose PHI collected before the rule's compliance date, (3) revocation should be honored, but only for information collected post-revocation. Dr. Zubeldia remarked this implied that the plans time stamp and compare all the data collected--the administrative burden would be incredible. Mr. Wilder replied it would be less burdensome than how the rules were now set up.

Public Testimony

Mr. Todd recalled the HHS regulations were issued at the same time as the IOM's second Crossing the Quality Chasm: A New Health System for the 21st Century report, which stated that blockages to connectivity and free exchange of health care information were a barrier and concern to addressing chronic illness. He conveyed the DMAA's belief that allowing legitimate disease management programs unhindered access to individual identifiable patient information (e.g., claims forms, eligibility files and medical records from all sources) was crucial to preserving patient access to high quality disease management programs, as suggested by the IOM report.

DMAA recommended a special exemption in the privacy rules that allows disease management organizations, as business associates of health plans, to access this information to carry out disease management activities. Mr. Todd said an alternative suggestion would be to include disease management in the definition of treatment.

Subcommittee Discussion.

Discussion times were scheduled following each topic area to give members "a running start" on recommendations to bring to the full Committee. Mr. Rothstein noted these had to be distributed to members a week prior to the September 25th meeting. Dr. Cohn suggested reviewing prior recommendations about consent might streamline the process. Mr. Rothstein reminded members of the admonition directed to the witnesses: their purpose was not to rewrite the statutes or rule, but to make recommendations on: (1) the most effective way of implementing the rule as enacted, and (2) areas that needed clarification or revision by OCR or the Secretary. They didn't want to take on a responsibility broader than they could properly have or exercise, but they also didn't want to be derelict in pointing out problem areas. Finding appropriate balance was their main task. He proposed they assemble a tentative list of areas they'd heard that might be appropriate for discussion at the Subcommittee level.

Mr. Blair remarked they'd received excellent testimony, though the different stances made them difficult to reconcile. One area he personally struggled with and said he would like more information on was an assessment of the burden and expense of tracking the consent and revocation forms. He suggested some of the testifiers and others had data that could provide a better sense of the financial and administrative burden. Mr. Rothstein added two issues: how broad the psychotherapy exception ought to be, and the issue of the burden of consent, revocation and tracking. Dr. Zubeldia noted another issue was the provider's ability to send information to the payers when it was not for payment (e.g., encounters on capitated plans). Dr. Cohn mentioned the demonstrable value of the actual consent versus the fair information practices. Dr. Zubeldia added the ability to revoke consent.

Dr. Harding recalled times in the testimony when people gave opposite interpretations of the rule. He said he had looked through many of the 1,500 pages and didn't know which was accurate. Mr. Rothstein said the staff would Xerox parts of the rule that formed the basis of their recommendation. Dr. Cohn said he thought he understood the rule, but he wanted to make sure their understandings were similar: they needed to be sure they had a common understanding of what they were changing. He also suggested identifying, at the end of each testimony, issues that weren't clear and then getting clarification. Noting they'd heard opposing points of view, Ms. Horlick said they had an obligation to include in the letter other testimony they'd heard.

Mr. Blair said he found compelling some things he heard about the legislation setting certain provisions of protection of privacy as rights. He asked for a review from the staff, to make sure they were clearly fixed on the rights in the law. The balance another witness indicated they had to have also impressed him. A patient had rights, but the providers and payers had to be able to provide care. Rights needed to be protected in a way that wasn't excessively burdensome or impractical. And they needed to be clearly defined, so everyone understood them and how to trade aspects to make this pragmatic and workable.

Mr. Scanlon mentioned two areas that came up around the first encounter: suggestions on how to deal with informed consent in a hospital emergency or pharmacy encounter, and clarification on the policy regarding information received before the effective date of the final rule. He remarked that the day's testimony came down to the basic potential conflict over informed consent: were they trying to make it easier, within the existing framework, to address some issues--or were they looking at the nature of the informed consent framework.

Dr. Fitzmaurice reflected that sometimes he called his doctor and asked for a prescription for his son who had a sore throat. They needed to clarify whether the doctor could treat his son over the phone without the consent when he turned 18. He noted the burden of joint health operations was another issue. Did providers have to sign business associate agreements with every provider in order to pool data, and then return the pool to each? Could they do it with everybody signing one agreement, or did they have to sign N-1 papers?

Mr. Rothstein reminded everyone that the comment period for submitting written testimony was open until Monday. They might still receive issues to add to the list. He began deliberation with the burden of tracking consent and revocation. Mr. Blair suggested the panelists have information on tracking these costs. Mr. Scanlon pointed out that medical record professionals testified the next day. Dr. Cohn said a number of larger organizations testifying could offer input on the cost and difficulty. Dr. Fitzmaurice suggested they also track limitations agreed upon by the patient and the physician. Dr. Zubeldia agreed the burden would be in tracking limitations. Every time he took his children to the doctor, he had to sign for the assignment of benefits and release of information. Predicting the consent would replace the release of information signature, he said the systems were already in place and the incremental cost to track the consent was minimal. Tracking the revocation or limitations would be more complicated. Mr. Rothstein said he felt strongly that if they did away with an individual's ability to revoke consent, they did away with consent. He said he spent a lot of time on human subjects and approving protocols for IRBs. Research participants were allowed to revoke consent at any time. When they did, years of work could go down the drain. But he emphasized that was an essential cost they needed to be willing to pay to promote and protect the autonomy of individuals participating. He concurred that their first issue was the burden of tracking consent, revocation and limitations.

Dr. Cohn questioned the additional value in all this paperwork and process they were putting into place. Fundamentally, revocation sounded good, but he didn't know how to implement it. Mr. Rothstein suggested consent revocations would be rare. But it was important that individuals giving up their private information knew that, if circumstances changed, they could say, "I've rethought the use of my medical records."

Mr. Blair agreed they ought to carefully look at both the cost and value of doing consent. He agreed revocation was an area of value, but he had difficulty with them "blurring together" and suggested keeping them separate for discussion. Dr. Harding concurred that revocation was an important principle, but he said the thought of a million different revocations left him "weak-kneed." Mr. Altarescu said the rule provides a single yes or no for TPO, which the revocation parallels. Revocation is black and white. Restriction has all sorts of parameters, based on the patient and provider agreement.

Jody Goldstein, another attorney with the General Counsel's office, clarified that the right to request restrictions is with respect to TPO or the 510s, which are disclosures to family members or persons assisting in care. If the patient requests a restriction in the public purpose disclosures (section 164.512) and HHS does not enforce and agree to a restriction, she said it is possible that, under another law, there is some commitment to honor that agreement. But HHS can only enforce against agreed-to restrictions for the TPO and the disclosures to family members or persons assisting in care. She also noted an exception in emergency situations.

Dr. Cohn noted they confronted a spectrum of options: (1) the consent would remain the same, (2) going back to what was in the notice of proposed rule, (3) a "bunch" of intermediate things that could reduce the burden and make things easier on everyone. They needed to gauge the cost and value, burdens and opportunities of each position. They'd heard a lot of testimony that it would be cheaper and easier to go back to statutory authorization. Dr. Cohn personally thought they were trying to help with unintended consequences.

Members discussed eight issues: (1) burden of consent revocation, tracking and limitations, (2) psychotherapy, the exceptions should be limited to notes, (3) provider's ability to send information to health plan when not for payment, (4) the ability to revoke the notice of information practice, (5) first encounter problems, (6) the policy problem of information obtained before the compliance date, (7) what happens when a patient turns 18, treatment over the phone, (8) the business associate issue with the joint health care operations.

Dr. Cohn observed that a number of issues formed the intermediate position. Mr. Rothstein suggested several addressed the Subcommittee's charge at these hearings: how to make implementation go more smoothly. He reiterated that they weren't re-litigating or re-negotiating, but identifying implementation issues and practical solutions. Dr. Cohn concurred. The psychotherapy notes, which went to the issue of expanding the rule, were the exception. Ms. Greenberg noted there was also the issue of potential changes: the Secretary had said he might modify the rule to facilitate implementation.

She noted they'd heard keep consent as it is in the final rule, make it stronger, and go back to the proposed rule that didn't allow for consent. The status quo was in-between. A large number of states already required consent and the health care system hadn't shut down. But they hadn't heard any evidence that there were more abuses or problems in states where it was statutory. Having plans that cross state borders, something could be said for doing everything the same way. But people who were comfortable with consent would no longer be able to require it.

Mr. Rothstein noted they told OCR they would have recommendations completed by October to use in preparing additional guidance. They had to be approved by the full Committee at the September 25 meeting. To the extent they could make narrow, targeted recommendations based on these problems they'd heard about from those trying to implement, they could come up with something valuable for OCR and the Secretary. But they had limited time and staffing. And hearing from 25 people was not the same as getting 50,000 comments. There were practical limitations on what they could accomplish.

Dr. Cohn noted there had also been a recommendation about state laws and more discretionary statutory authorization. He suggested another option was presenting considerations to mitigate valid industry concerns. They weren't going to agree on one thing, and the Secretary probably would like some flexibility. Mr. Rothstein doubted they could give a fair accounting and balanced discussion of any of those issues in the time frame they had, but he said that wasn't their charge. They had gone into the issue of consent because OCR had received lots of questions and comments and thought that industry representatives, professional groups and the public could help clarify the problems. Consent was a touchstone of this rule. If consent, broadly stated, was on the table, they would be debating "until Christmas."

Mr. Altarescu advised taking into consideration that the Secretary explicitly stated in the guidance his concern and that he would propose substantive changes in the rule to address the referral issues and phoned-in prescription. That would go through the notice and comment process and didn't necessarily mean there would be a change. Nor did it preclude their recommending, or the Secretary deciding, something more global. He noted that if they didn't require consent for TPO, and a state law required it, then that state law provided greater privacy protection and preempted their provision.

Mr. Scanlon observed that every subcommittee struggled with this. Many of the privacy issues were balances between rights, efficiency and effectiveness. Each testifier eloquently defended conflicting points of view. Some suggestions proposed within the informed consent framework probably would help. In their letter they would want to tell the Secretary they'd heard both, "Don't change the basic informed consent framework," and, "Go back to the statutory authorization." It was helpful to describe the situation, the pros and cons, and things you probably want to move forward, assuming Committee majority. Some of the best analysis to the Secretary was to point out where things stood, suggestions of a practical nature, unintended consequences, ways to improve things. Mr. Altarescu suggested the Subcommittee consider ways the rule could be improved and guidance additionally needed.

Dr. Fitzmaurice said going through things this way, after every set of hearings, was a way to gain a recording of the different options. At the end, they could consider and prioritize, task staff with further development, and--with conference calls and e-mails--probably find where there was agreement. Where there was no coalescing, they could point out contentious issues they'd identified, for which they didn't yet have recommendations. Ms. Fyffe agreed they had to define scope, because they didn't have enough time or staff. She said she felt obligated to report all the public testimony and identify implementation issues, suggestions for improving implementation, and areas that needed clarification. Even though HHS had already come out with guidance and clarification, they needed to do more on issues they thought they had clarified. Dr. Cohn said, personally, he thought they had to give a range of recommendations, based on what they'd been offered. He said he tended to think of recommendations as providing options and suggested they needed to be agile in order to give HHS, which was in more of a political milieu than they were, flexibility.

Mr. Scanlon said explaining the situation and some practical solutions might serve the purpose. He reminded everyone that this would go into an NPRM and they'd have another 50,000 comments. Ms. Greenberg noted a number of recommendations talked about ways to make this work better, relating to the first encounter and being practical so "things didn't shut down." She suggested pulling out what was fairly specific and either was something the rule currently allowed but people didn't understand, or might make for reasonable change. They should consider what could be handled through clarification, look at specific recommendations, and see if there was at least general support for any of them. As Mr. Scanlon had said, if they recommended them, once the Department decided how they felt about them, they would go into an NPRM. Mr. Rothstein commented that this wasn't as representative a group of witnesses as possible--they'd had a narrower vision of what they were going to do, and had asked people to comment on very specific things.

Mr. Rothstein proposed working on two tracks: (1) a longer-term track, keeping in mind that some issues need additional study and data analysis and would be around a considerable period of time, and (2) on a more specific level, finding narrower areas where they--and the witnesses--might agree on clarifications and minor revisions that made the rule work better and didn't disrupt the system. They should highlight broad areas and give specific, concrete recommendations.

Dr. Cohn questioned what a long-term view meant, given that the Secretary was revising the final rule. He proposed that one option was statutory authorization, which as Ms. Greenberg said, would give states the right to continue consent. If that didn't happen, he noted a number of testifiers mentioned real problems and unintended effects with solutions. Noting that he was a Kaiser employee, Dr. Cohn apologized that many of the points he was mentioning were in Kaiser's testimony, but he said he was talking about getting at the balance of options. He noted recommendations about allowing use and disclosure of data collected before revocation for continuing TPO; allowing the continued use of data until a patient makes a physical appearance and is able to sign a consent; the issue of parental consent when the patient reaches the age of majority; the NCQA's comments having to do with clarification around the disclosure to health plans for use in health care operations. He said he was pulling up specific recommendations where they'd heard all around consent. That might be a reasonable framework.

Mr. Altarescu clarified that information provided to the plan for its health care operations had to be either an authorization from the provider or a separate consent from the plan. The health care operations referred to in TPO is the health care operations of the entity getting the consent, not another entity. Dr. Zubeldia remarked that the plans consider that reporting part of payment. Ms. Goldstein replied that information disclosed under payment could only be what was minimally necessary in order to conduct those payment activities. Dr. Zubeldia noted that the standard 837 encounter was exempt from the minimum necessary. Ms. Goldstein acknowledged that then that information could be disclosed for payment purposes. She added there might also be cases where information could flow to the plan, if the plan and provider were part of an organized health care arrangement and there was notice of that arrangement.

Members noted they couldn't go through all the recommendations submitted that day in the remaining five minutes before the transcript and their on-the-record public meeting had to end. Ms. Horlick said she would compile a list they could work from during the next discussion period. Items that had consensus would become recommendations. Those indicating pros-and-cons could be options. Others would be set aside. Mr. Rothstein noted they had ten witnesses in the morning, six in the afternoon, and two 45-minute Subcommittee discussion periods. By the time they got to this, they would already have ten more witnesses on minimum necessary. And they didn't have staff to compile 50 recommendations. Members considered continuing discussion at lunch tomorrow or during a conference call next week. At 6:00 p.m. the meeting was recessed to reconvene the following morning.


August 22, 2001

Mr. Rothstein welcomed everyone to the second day of the Subcommittee's three-day hearings on implementation strategies and other issues related to the privacy rule and again explained the purpose and the rules.

Panel 3, Minimum Necessary

While noting HIAA supports strong confidentiality standards, Dr. Desmarais said members prefer nationally uniform standards for privacy and were concerned about difficulties they had due to burgeoning and diverse state and federal policies. He acknowledged the issue of federal pre-emption was beyond the hearing's scope, but said he would be remiss if he hadn't mentioned it.

HIAA was encouraged by statements indicating the Department intends for the minimum necessary standard to be applied with flexibility, taking into account capabilities of the health plan, health care provider, or other covered entities. Nevertheless, Dr. Desmarais said they continued to have significant concerns, particularly about the legal uncertainty and vagueness created by the standard. He cautioned these could lead to defensive information practices and restrict the appropriate and beneficial flow of information within the health care system.

He said member health plans must have access to PHI maintained by physicians/practitioners, hospitals and others to do quality assessment and improvement programs, utilization review, disease management, case management and other functions aimed at maintaining the affordability of health coverage and improving outcomes. To the extent the standard diminished information flow, there would be problems with the quality and affordability of health care.

Dr. Desmarais noted the Department acknowledged the standard was inherently subjective. The guidance states the Department expects covered entities to exercise substantial discretion about how to implement the standard and appropriately and reasonably limit access to the use of identifiable health information. Member companies welcome the flexibility described in the guidance and elsewhere in the regulation. But that flexibility introduced a great deal of uncertainty and HIAA was concerned that covered entities would seek to minimize exposure to potential liability and financial penalties by being overly restrictive.

Members also believe that the standard inappropriately places covered entities in the position of evaluating whether the requested information is the minimum necessary for the purpose. HIAA contends only the entity making the request is in a position to know that. Dr. Desmarais said this would almost certainly lead to inappropriate restrictions on the disclosure of health information.

Reiterating that the standard is highly subjective, Dr. Desmarais said it could be used to shield evidence of upcoding, misdiagnosis, overtreatment or fraud. He noted reports issued recently by the General Accounting Office and others documenting the pervasiveness of fraudulent, abusive, and questionable practices in the system.

Dr. Desmarais noted HIAA's concern that, unless the Department clarifies the application of the standard and the uses and disclosures authorized by the individual, the regulation could compromise the ability of health plans (e.g., a disability insurer) to assess risk and obtain information to evaluate and process claims. Proper assessment of risk (underwriting) is essential to setting premium levels fair and sufficient to cover expected claims. And efficient, timely processing of claims requires complete information.

He said members also had difficulty proceeding with confidence in trying to implement the standard without the final rule on data security. The requirements of the standard and the proposed security rule substantially overlap in many areas. Dr. Desmarais said member companies, moving down a path based on the privacy "reg," remain at considerable risk of finding they need to adjust as a result of the security regulation.

Dr. Desmarais noted the Department determined that the standard would be among the most costly requirements of the privacy rule, with a total implementation cost over ten years of $5.75 billion. HIAA believes that figure underestimates the cost member companies, physicians, and hospitals face. A recent study by First Consulting Group, prepared for the American Hospital Association, found that implementing the standard could cost hospitals alone $19.8 billion.

Dr. Desmarais conveyed HIAA's belief that, even without the standard, the privacy regulation contains considerable restrictions on information that covered entities can use and disclose. He said these other restrictions are more amenable to objective, consistent application than the standard, and would be sufficient to create strong safeguards for confidentiality while avoiding the potentially serious complications of the minimum necessary standard.

He expressed a plea for the Subcommittee to encourage the Secretary to make further adjustments in the confidentiality regulation. Members had begun the process of spending time and energy trying to deal with the "reg" published last December, because they couldn't wait until the last minute. He applauded the Department for signaling its interest in furthering changes.

Panel 3, Minimum Necessary

Dr. Bussewitz noted that HHS first identified the relationship between the HIPAA privacy minimum necessary disclosure requirement and Version 5.1 of the pharmacy transaction standard in the HIPAA privacy regulation in response to a comment to the NPRM. He reported that NCPDP membership, including chain pharmacies, software vendors, PBMs/claims processors, and NACDS have met for some six months trying to convert the optional fields into situational, mandatory/required, or not-used fields to earn the exemption. Industry consensus has not been reached to yield the required precise and unambiguous situation-specific language. Pharmacies contend that PBMs/claims processors request more information than is reasonably necessary. The PBMs/claims processors believe pharmacies want to disclose less information than currently.

The most contentious issue has been how to adequately identify patients, so pharmacies can be paid without incurring legal liability for non-compliance with either HIPAA privacy regulations or stringent state privacy laws. PBMs/claims processors want pharmacies to disclose the patient name before they'll pay the claim. Pharmacies refuse, believing disclosure is unnecessary and, if it resulted in a breach of patient privacy, could greatly increase their liability under both the HIPAA privacy "regs" and state privacy laws. They argue that disclosing a patient name is unnecessary and will be unlawful because the PBMs/claims processors already have that information from their clients for some 70-75 percent of the claims and could get the rest from their employer/payer clients. The HIPAA privacy regulation that the pharmacies rely on is Section 164.514(d)(3) p. 82,819. "For any type of disclosure that it makes on a routine or recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure."

Pharmacies argue that it is also unreasonable and will be unlawful for PBMs/processors to request information that they already have or should be able to obtain from their employer/payer clients. (Section 164.514(d)(4)(i) p. 82,819) "A covered entity must limit any request for PHI to that which is reasonably necessary to accomplish the purpose for which the request is made when requesting such information from other covered entities." They fear being sued for any breach of patient privacy that results from disclosing more than the minimum information reasonably necessary. Widespread concern is evidenced in a retail pharmacy position paper that Dr. Bussewitz noted is supported by NACDS and the National Community Pharmacists Association, which represents independent pharmacies. In addition to fears about increased legal liability, Dr. Bussewitz said chain pharmacies don't want their chain name associated with allegations of a breach of patients' privacy, potentially more damaging than a lawsuit.

Dr. Bussewitz said an electronic minimum necessary financial disclosure model used millions of times a day, the ubiquitous credit card, which requires only the cardholder number and expiration date, illustrates what should be adequate patient identification to authorize payment of an electronic health care claim.

Asked why pharmacies didn't reach industry consensus by agreeing with the payer's agent PBMs/claims processors to earn the HHS v5.1 exception to the requirement, Dr. Bussewitz replied that exception wouldn't be adequate. NACDS believes disclosing more than the minimum necessary could trigger state laws more stringent than HIPAA.

Dr. Bussewitz said pharmacies offered to submit the person code (assigned by the PBM/claims processor) and date of birth as a check on the majority of claims, where PBM/processors already have dependent-level patient names. A person code would even identify same sex, multiple births on the same day. For the rest of the claims (other than same sex, multiple births), where a PBM/claims processor had neither requested nor been provided dependent-level information necessary to assign a person code, pharmacies offered to submit the cardholder ID, sex indicator and date of birth. Dr. Bussewitz encouraged the Subcommittee to promote the unique individual identifier or require the payers or employers to convey detailed patient data to their PBM/claims processor clients so they, in turn, could assign a person code. Noting that Dr. Bussewitz had referenced the NCPDP standard extensively, Dr. Cohn asked if the patient name was optional for the NCPDP transaction. Dr. Bussewitz said, currently, it was mandatory.

Panel 3, Minimum Necessary

Dr. Baillie gave two reasons why ASCP believes the proposal to release the minimum necessary information when performing health care services is problematic: (1) in order for physicians to examine, diagnose, and review an individual's health history, it is imperative to obtain the complete history, and (2) staff members in charge of handling disclosure requests weren't adequately trained to decipher what information satisfied a particular disclosure request, delaying timely care to patients. He said the final rule appears to address these concerns in section 164.592(b) stating a covered entity may use or disclose PHI to carry out TPO. But he noted the requirement doesn't apply to disclosures or requests by the health care provider for treatment.

Dr. Baillie called for clarification. Health care providers had to be able to share information so that patients obtained appropriate care. For example, a surgeon might have informed the pathologist that a hysterectomy was performed, but no other history was released on this patient who also had a seemingly unrelated diagnosis of sarcoidosis--and so, additional testing for fungus and tuberculosis might have to be performed to explain the pathologic findings in the lymph nodes. A medical technologist notes an elevated calcium level, an occurrence in individuals with any of several conditions including sarcoidosis. Again, confirmatory testing could be avoided, if the technologist knew this patient had already been tested. Provider-to-provider communication, critical in patient care, should not be impeded.

He said the clarification in the guidance that the rule provided the covered entity with substantial discretion, and its suggestion that covered entities might develop role-based policies that allow their health care providers and other employees, as appropriate, access to patient information for treatment purposes, create ambiguity. ASCP believes clarification belongs in the final rule, not just in the guidance document where misinterpretations might occur. Dr. Baillie said the guidance document gave so much discretion that ASCP questioned whether the minimum necessary provision, as it applies to health care providers, needs to appear at all in the regulation.

Dr. Baillie said applying the standard involves several direct and indirect costs: employees to handle privacy compliance within the laboratory, continual training of staff at all levels to decipher the minimum amount of information necessary, the cost of slowing turnaround times of reports, and the possible cost of patient safety, if wholly necessary information is not disclosed to the laboratory. Speaking as president/CEO of INREACH Corporation (a company that specializes in customized software designed to augment access to health care information), Dr. Baillie said software that monitors the access and disclosure of health information costs about $60,000.

Dr. Baillie also noted that the definition of health care operations includes conducting training programs for health care students and trainees, yet these individuals are not exempt from the minimum necessary requirement. ASCP believes medical students, residents, and allied health trainees need to be exempt.

In allowing each institution to shape its own policies for minimum necessary uses and disclosures, Dr. Baillie said the guidance provides latitude and ambiguity that needs to be clarified in the rule. Asked if the gist of his comment was, if strong comprehensive software to audit access to information was available, it would be a sufficient deterrent and minimum necessary wouldn't be necessary, Dr. Baillie replied, "In part." He described how at Anderson Area Medical Center, workers with minimal education and training review Medicare pathology reports for audits. They understand the software watches every keystroke, documenting what they tried to look at, whether they accessed it, and if it was physically opened.

Panel 3, Minimum Necessary

Mr. Fody said the requirement's primary benefit occurs when a covered entity requests PHI. The privacy rule requires entities to create policies and procedures that provide guidance to employees on what PHI should be requested, disclosed or used in particular situations. Requests not covered by these policies and procedures must be reviewed to verify that the requirement is satisfied. He said this might not reduce the amount of protected health care information used or disclosed, but it would ensure entities were aware of uses and disclosures.

He noted drafting the policies and procedures could be a burden. The minimum necessary requirement is problematic for a number of activities undertaken by plans. Functions categorized as health care operations under the rule present a special challenge. The range of information required and how that information is used varies within and between entities. Many uses and disclosures cannot be anticipated. Routine functions can require different information from one moment to the next (e.g., the claim processor might look at a claim for a routine office visit one minute and for open heart surgery the next). Even routine functions that appeared standardized could be complex undertakings. Variations became even greater when the standard was applied to underwriting, authorizations or disease management. Health plans faced the problem of either developing many different, specific policies and procedures covering minimum necessary information or adopting broad policies that cover categories of uses and disclosures.

If a plan adopts a specific policy for every diagnostic and treatment code, it becomes a time consuming, expensive process to create and maintain the policies. If the plan formulates a broadly worded policy that applies to all claim processing, it exposes itself to charges that the policies failed to satisfy the requirement. AAHP encouraged HHS to provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations a covered entity might perform.

Mr. Fody noted that different covered entities had different interpretations of the minimum necessary information for their purposes. It was natural for them to use their interpretations to evaluate requests for PHI. The problem was their definitions and needs weren't the same. Mr. Fody said it is critical that bickering not impede the flow of information. He noted that the privacy rule provides that a covered entity that receives a request from another covered entity may rely, if reasonable under the circumstances, on a requested disclosure being the minimum necessary. AAHP recommended modifying the rule so that the recipient may automatically rely on that request, unless it is clearly inappropriate. Absent that change, HHS could help prevent disagreements by issuing guidance emphasizing that the rule currently allows the covered entity to rely upon a request from another covered entity, specifically enumerating disclosures presumed appropriate--e.g., a request for HEDIS data from a health plan subject to NCQA accreditation.

Mr. Fody said a concern about who will "enforce" the rule overshadows deliberations. Enforcement will not come only from HHS, but also from plaintiffs' lawyers. Comments and concerns that might seem reactionary or "nitpicking" need to be seen as a reaction to the potential for class action litigation. AAHP recommended that the guidance clarify that the standard is satisfied, so long as the covered entity reasonably believes the information is necessary.

AAHP recommended that HHS issue guidance establishing the requirement doesn't apply to a covered entity's internal use of PHI, if the information came from another covered entity.

The recent agency guidance on the privacy rule indicated that the minimum necessary requirement is not a rigid technical standard, but a common sense approach to prevent a covered entity from accumulating information it clearly does not need. Mr. Fody said the line for determining reasonably necessary should be drawn similarly. AAHP recommended that the rule make clear that covered entities are allowed to develop a common sense approach, recognizing different covered entities require different amounts and types of information.

Mr. Fody related how, the first business day after the privacy rule took effect, a provider denied Blue Cross's staff doing a HEDIS quality audit access to information because of the rule. People anticipating a rule that would not go into effect for two years were already denying access. He emphasized that the evolving health care delivery system increasingly relies on the team approach for delivering care; health information needs to be shared responsibly to improve quality and reduce errors.

A key goal of HIPAA is to make health insurance more available. The administrative simplification standards were proposed almost ten years ago as a response to health costs spiraling upwards, not unlike increases seen today. Mr. Fody said it would be ironic and tragic if HIPAA standards, which have promise of providing more coverage and better care, brought about higher costs, rather than a solution. A balanced, reasonable approach could provide individuals with greater privacy protections without creating or causing the harm HIPAA meant to prevent.

Panel 3, Minimum Necessary

Mr. Weich recalled that when Ms. Horlick asked him to speak on minimum necessary he wondered if there was enough to say. He now realized the minimum necessary requirement was the "heart and soul" of the rule, giving life to the presumption that medical information was private, unless there was good reason. Noting it was important, when talking about medical privacy, to return to first principles, Mr. Weich observed that it was among the most sensitive and intimate information human beings had about themselves. A doctor's office was a place one undressed in front of a stranger, and provided body fluids that revealed enormous secrets about oneself in this age of the human genome. Everybody was a patient and wanted high quality medical care, but Americans were deeply concerned that their medical information not be disseminated unnecessarily or unreasonably. These words appeared repeatedly in the regulation and the guidance, and he noted they had significant meaning in the system's day-to-day operation.

Fellow panelists had painted horror stories about information being disseminated in ways that impaired treatment. He said he went back to first principles--the regulation. And 45 CFR 164.502(b)(2) states "the minimum necessary requirement does not apply to disclosures or requests by a health care provider for treatment." Mr. Weich clarified it was a requirement that health care providers and other covered entities think twice about whether it was necessary to disseminate the patient's entire medical record when a portion sufficed for the purpose at hand.

He said the requirement entailed compartmentalization of the medical record, a word that could sound scary or costly, but needn't be. Everyone goes through life compartmentalizing private information. Individuals have a professional biography and other information shared with close friends. Other information belonged with the family. Medical information shared only with one's doctor (like legal information shared with one's lawyer) was parceled "out" with the conscious intention of having it only used for certain purposes. Mr. Weich said this model, which everyone utilizes, is easily transported into the health care system with policies and procedures. The minimum necessary requirement entails that such policies, procedures, and protocols be developed and followed by entities. The policies and procedures and protocols need not be unduly complex. They should, as the guidance ably sets out, allow for substantial discretion so, in individual cases, health care can be provided effectively and information can flow freely--but HHS should set the bar high for privacy, because, as a practical matter, there will be slippage.

Legally, the costs are minimal, because the requirement is a common sense one. There will be some administrative cost, but the privacy rule itself requires that plans hire staff to monitor and carry out policies--and this would be an additional duty of the privacy officer within a health care entity. Mr. Weich said associated measurable costs would be a barely discernable add-on to the old world cost of privacy, and justified by giving patients the assurance of confidentiality that enables them to seek health care for sensitive conditions that might impact public health.

While noting that ACLU's testimony set out significant concerns about other aspects of the regulation, Mr. Weich said both their testimony and the regulation stated a minimum necessary requirement was necessary to breathe meaning into the rule's basic presumption that information is private unless issued with consent. In issuing the rule in fairly general terms along with guidance that provides discretion in individual cases, HHS had ensured that the rule could be implemented in a common sense way.

Discussion

Noting that Dr. Desmarais was against the minimum necessary concept, Dr. Cohn asked if Mr. Fody's recommendations would make implementation in HIAA's members' plans easier. Dr. Desmarais said they would. The Department had evolved away from where it started in the area of treatment and the concern was that the bar wasn't stable. They were spending a lot of money, time and energy on something hard to adjudicate and enforce, which would be open to abuse. They'd already heard anecdotal reports of people using the rule as justification for withholding information the plans felt was necessary to properly adjudicate claims, run other kinds of utilization review, and make judgments.

Mr. Scanlon clarified that the HHS budget for the year included a prohibition on spending any HHS appropriations related to the development and promulgation of a unique identifier. Congress had included the prohibition, which originated with the Clinton/Gore Administration, in its appropriation. They would know shortly what the FY 02 budget brought.

Mr. Fody explained that his point was that the regulations clearly laid responsibility on the entity requesting information to ensure that it only asked for what it needed. He said he'd like to see a line drawn as to who makes that judgment. He emphasized that it was the entity making the request that understood their business needs, processes and what information they had to have. Dr. Harding noted that Mr. Fody testified they should self-regulate. Mr. Fody said the initial step would be self-regulation, but there were enforcement provisions if they sought more than they needed. Mr. Weich responded that ACLU believed both the requestor and the requestee had to determine the minimum necessary information. There could be some reasonable reliance on the assertion and a requestor in a particular situation might know best, but he noted Mr. Fody had articulated the concept that the requestee would be able to say, "Look, this doesn't seem right--You couldn't possibly need that." Mr. Fody acknowledged there were parallel provisions in the law. He suggested the only way "out of this box" about other people trying to make a determination in the patient's best interest was to have the patient be the ultimate source of consent. But he pointed out that patients don't always have a face-to-face relationship, as they do with pharmacy. They're not even aware of some things the plans do with their information.

Mr. Rothstein observed that the recurring costs of complying with the minimum necessary standards, once the policies and procedures were in place, would be mostly the labor cost of making a determination. Mr. Weich said he was hopeful cost would diminish as clinical records became increasingly computerized. Dr. Desmarais said the problem was they had a long ways to go. Paper claims were still the most common way they got claims from physicians. Many physicians' offices didn't even have Internet access. Things were changing, but there were training costs and turnover in employees. And when a state had a different definition of minimum necessary than the federal government, that overlay caused problems. Companies struggling with what is out there now recognized pressure to adopt more privacy standards across the country. Mr. Fody added that, while in some respects technology drove down costs, it cost to build functionality and limited access into a program. One has to update on a periodic basis and hire staff to maintain and administer. There's a cost for additional functionality.

Dr. Cohn suggested this was a potential privacy issue they probably should defer until they held a hearing on unique health identifiers. Dr. Bussewitz reiterated that the pharmacy point of view and the PBMs and claims processors' perspectives of what was minimally necessary or reasonable in the payment claim version 5.1 didn't look alike. The biggest issue was the patient's name, which they had in most cases and could get in the rest. Breach of patient information with the name was easier than with a patient code number, which PBMs give if they have that depth of information from the payer or employer. Dr. Cohn said he understood a mandatory field on the NCPDP transaction was not a minimum necessary issue, but an ongoing issue for resolution within NCPDP. It wouldn't need further clarification or changes in the federal legislation. Mr. Fody noted the need to consider, as they moved forward, whether standardization of transactions or privacy was more important. How would they resolve a pre-emption issue where a competing public policy more stringent on privacy impacted on the transaction?

Panel 4, Minimum Necessary

Mr. Rode said AHIMA members had confronted and addressed the functions and activities incorporated in the issue of minimum necessary for years and believed in limiting access to PHI. He said the fundamental anticipated benefits of minimum necessary were the tools it gave professionals to shield PHI from those who didn't need access, and assurance that the patient could rely on professionals to make decisions on what should and should not be released. Observing that professionals needed to have the allowance the ACLU's testimony expressed and AHIMA believed the rule allowed, he remarked that the rule was beginning to sound like the proverbial elephant. He emphasized it did provide the "clout" to say "No." Noting concerns that the rule restricted treatment and operations, he said AHIMA didn't believe that was the case for treatment, payment and some operations. He pointed out that they'd heard the rule permitted exceptions, that it didn't address demand for PHI beyond what was carried on the UB92 and 1500, and that some professional offices and hospitals had to outsource to keep up with the constant demand to copy records beyond the basic claims function. He suggested an industry task force work with the Department on this issue.

Noting the cost of applying the standard varied greatly, Mr. Rode expressed confidence that the plan was flexible enough to allow variations and he said AHIMA believed that many of the standards in the rule were already in place in hospitals and clinics and this would not cost as much as the Secretary projected. Only the most advanced facilities had a complete electronic medical record; most facilities still dealt with paper-based records. Smaller facilities had different problems. It was not unusual for everyone in a physician's office to have access to the record, but the rule heightened awareness of the requirements and training a small staff wasn't a problem. Not everyone in a university teaching hospital ought to have access to the record, but now, with a paper record, they lacked the ability to segregate the record internally. The technology didn't fit, but computerized databases would change this.

Mr. Rode said AHIMA recommended for years centralizing the release of records beyond the basic claims form, with the professional making the decision on requests beyond normal TPO uses. He reiterated that the rule allowed that to happen. He noted the practice briefs attached to his testimony outlined things AHIMA had done for years to show how to design policies and procedures and where the line was drawn. Every state and accreditation rule, every rule from every federal program, court order and consent had to be addressed--another reason for centralizing. Mr. Rode said this was where they drew the line in favor of the patient, as Mr. Weich suggested. They had the right, under the rule, to look at may vs. must. AHIMA members took this rule and obligation seriously and believed other professionals needed to, as well. Noting examples of generic ways of explaining minimum necessary were in his testimony, Mr. Rode said AHIMA had held consumer conferences and would work with anyone to help explain this.

In a letter to the Secretary, AHIMA suggested that requiring special procedures for certain subsets of the health records was clinically and administratively ill advised and recommended modifying Section 164.522 and the right to request privacy protection for PHI. He noted HHS made a similar comment in the preamble to the testimony (Volume 64, page 59919).

Mr. Rode explained that telling a patient their right--and that they couldn't grant it, because they didn't have the ability--put providers and patients in a bad framework. They'd rather say, "We'll grant the right when we can."

AHIMA recommended that the requestor present or sign a statement stipulating that the information was limited to minimum necessary for the stated purpose (excluding emergency and urgent treatment or customary exchange of information on the HIPAA transactions). They also recommended requiring that a statement prohibiting the use of information for other than the stated purpose accompany any disclosure of health information to external requestors.

Observing that the rules were basically good, but misunderstood, Mr. Rode conveyed AHIMA's concern with the right of the individual to request restrictions and disclosure of uses and encouraged everyone to come together.

Panel 4, Minimum Necessary

Noting AAPS's mission was preserving and protecting the sanctity of the patient/physician relationship from third party intrusion, Ms. Serkes said she wasn't just representing physicians and their problems implementing the privacy regulations and the standard, but also patients. She reflected that their voice had not been well represented. They had talked about issues of operations, centralizing records, streamlining operations and reducing cost as opposed to protecting privacy. She noted that AAPS had been a vocal opponent of the regulations for specific reasons and general philosophical grounds outlined in their statement submitted in March. AAPS believed the "regs" violated the Paperwork Reduction Act and the Regulatory Flexibility Act, as well as the First, Fourth, and Tenth Amendments, and was filing a legal challenge.

Ms. Serkes reported that 96 percent of 344 physicians AAPS polled in a random survey (from a mailing list provided by the AMA) thought the rules would further compromise patient privacy. It indicated physicians already believe third parties ask for information they know violates confidentiality. More than half reported those requests come from government agencies; 70 percent said they came from health plans. Nearly 87 percent reported a patient requested information be kept out of the record. And 78 percent reported they kept information out of the patient's record, due to privacy concerns. Some 19 percent admitted lying to protect patient privacy; 74 percent actually withheld.

She called for considering AAPS's concern that the rules would exacerbate the situation and result in distorted, incomplete medical records. Physicians already said patients withheld information because of privacy concerns. Because of the disconnect around government access to information and concerns over information and costs, she said the regulations made things worse.

Ms. Serkes said AAPS's concern with the implementation stemmed from its assumption that the information is needed under a public health need that trumps the individual's rights. The standard's lack of definition or any delineation of the professionals who could decide minimum necessary, meant physicians had to "contort themselves and jump through hoops" to provide what the government and plans deemed minimum necessary. Physicians would be subject to the criminal provisions of the act; and, if the providing entity guessed wrong, the physicians faced the possibility of criminal prosecution. A physician couldn't win attempting to fulfill the requirement.

She questioned the purported benefit they'd heard that the standard would prevent widespread dissemination of sensitive information that might harm the patient without providing any advantage. Information detrimental to one patient might not be detrimental to another. AAPS's concern was that the agencies with the greatest power to do harm also had the power to define minimum necessary for their purposes, including government agencies that might use the information for "planning purposes" and, under the guise of quality or cost containment, effectively ration care.

Ms. Serkes said another factor that diminished the effect of the standard was that the recipient might have a vested interest in obtaining the information. Conflict of interest on the part of the requester had not been addressed. Ms. Serkes also said law enforcement agencies should be subject to the Fourth Amendment protections.

She said she was "shocked" yesterday to hear Dr. Blair say he would like to see some numbers on implementation. Under the Paperwork Reduction Act and the Regulatory Flexibility Act, those numbers already should have been "crunched." She noted that compliance costs projected by the government for small business ($40,188 in the first year, $2,217 thereafter) did not include social costs or continued cost of compliance. AAPS's research added $8,000 for hardware, $12,000 for new software, plus seminar fees and lost time from work for compliance. Ms. Serkes noted that California's Senate Committee on Privacy was concerned the state could not be in compliance because smaller clinics in the hinterlands assisting under-served populations couldn't afford implementation.

Noting the regulations mentioned minimum necessary 33 times without defining it, Ms. Serkes urged the Committee to define the term and the professionals allowed to decide it. Intelligent, well-educated people well versed on these issues interpreted them differently; either they were all wrong, or there was an inherent problem in the complexity of the regulations.

Panel 4, Minimum Necessary

While calling the new rules a positive step forward, Dr. Guidotti said ACOEM's members found the rules fell short of eliminating the risk of disclosing health information to employers. Dr. Guidotti noted these risks are real, commonplace, and interfere with management of occupational health problems and the cooperation of workers necessary for prevention.

Dr. Guidotti said ACOEM was encouraged by the Committee's commitment and how many issues raised that day and in formal comments might be resolved by issuing modifications through new rulemaking. ACOEM urged the Department to use this opportunity to close the existing gap and clarify areas that remained vague for occupational physicians on "the firing line."

Dr. Guidotti emphasized that issuing modifications and protecting confidentiality and privacy was imperative to preserving patient and employee trust in the workplace. Overall, ACOEM was pleased with the general principle that a covered entity must make reasonable efforts to provide the minimum necessary information to accomplish the intended purpose. ACOEM was also pleased that the final rule extends the standard to covered entities' requests for the identifiable information from other covered entities, placing accountability with the covered entity requesting the information. Dr. Guidotti suggested this would take some of the burden from providers and might help identify unreasonable requests.

Dr. Guidotti said retaining the ability to challenge overly broad requests will keep the system fair and provide productive internal tension to ensure the standard is honored. But Dr. Guidotti noted that the standard presents challenges to ACOEM members. The rule places the burden on the physician of deciding, on a case-by-case basis, the minimum necessary amount of information to disclose. For example, if in the medical surveillance examination a physician finds a hazardous waste worker has abnormalities in liver function, what is the minimum amount of information to release to the employer? What is the minimum amount if the worker signed an authorization? What is the minimum amount in screening for occupational illnesses, when false positive evaluations are inevitable, and may be on the medical record?

The range of hazards to which workers might be exposed further complicates medical surveillance of hazardous waste workers. Liver function tests may be affected by many factors (e.g., alcohol, infections) as well as exposure to toxic substances. How should the standard be applied to information that could be used in litigation and challenging workers' compensation claims? Noting the rule provides no guidance on whether diagnostic information is considered in the scope of the standard, Dr. Guidotti cautioned that without such guidance, physicians might be strong-armed into releasing diagnostic information.

Sharing certain information with the employer might protect the employee from further liver damage from exposure to hepatotoxins--or the employer might take action which could be unjustified or illegal, dismissing the employee to circumvent further health care or workers' compensation problems. Dr. Guidotti said the occupational physician might act in a way he believes is most protective of the employee by advising the employer of potential exposure, while withholding information that is not necessary, potentially violating the rule.

Observing that the rule permits a physician to disclose more than the minimum amount of information to the extent necessary to comply with specific state laws, Dr. Guidotti noted this was a problem with regard to the state-based nature of workers' compensation law. Dr. Guidotti also remarked that the requirements would impede the processing of workers' compensation claims.

ACOEM recommended that HHS develop a standard protocol for use by occupational physicians in implementing the minimum necessary, and offered to work with the Department to develop the protocol.

Panel 4, Minimum Necessary

Ms. Foley said the nursing community took the third charge in their code of ethics, safeguarding the patient's right to privacy, seriously. In following their charge that the need for health care does not justify unwanted intrusion into the patient's life, registered nurses were well aware of patients' concerns regarding privacy and confidentiality.

She said this commitment was always part of professional practice, but the need for federal law is, in large part, a function of the momentous change in our communications technology. The complexity of the health care system meant that transgressions of confidentiality, intentional or not, had much broader consequences than ever before. The information travels faster, further, cannot be retrieved, and can be used in ways never intended for health care services.

The most important test these regulations must meet is whether each patient's reasonable expectations for privacy and confidentiality were addressed. Could patients be assured that when they described the most intimate, troublesome, embarrassing, frightening aspect of their lives to those who treat and care for them, that this sensitive information will be safeguarded and used appropriately? If not, many patients would go without treatment or disclose only partial information, which could lead to improper diagnosis and treatment, complications in an illness or injury, and even death.

Noting it was hard for patients to talk about sensitive issues (e.g., mental illness, sexual practices and physical abuse), she said it wouldn't happen at all if they thought their stories were grist for the gossip mill or their records open to employers. Ms. Foley emphasized the overriding concern must be for the patient, not whether the rule will be inconvenient for practitioners or staffers who handle the insurance paperwork.

Ms. Foley said it was important to convey, as the Department's guidance document does, ways in which normal practice would continue without change. The rule speaks to carelessness and insensitivity, but a subtler and, in some ways, more important issue was the need for institutional systems that support practitioners and other health staff in methodical applications of ethical decision-making. The regulation requires that a covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure. Ms. Foley said any suggestion that this expectation is new or burdensome was unfounded. These institutions were the core of daily work in a hospital setting.

Ms. Foley related how, when the chief medical officer in her hospital was a patient, doctors who were not his attending physician offered him advice and commented on his condition and family matters gleaned from his medical record. When he returned to work, the officer made clear what he thought about this breach of privacy. It was unacceptable.

The minimum necessary rule requires that a hospital have in place a policy identifying under which circumstances identified practitioners and staff might access patient information. It doesn't prescribe the policy, only that it must be in place, clear, enforced, and afford the patient a reasonable expectation that records will be treated with respect and confidentiality.

Ms. Foley noted a patchwork of state laws provide some protections to some people, some times, in some places. The ANA welcomes this new national standard of basic protections for all people, all the time, everywhere in this nation.

Panel 4, Minimum Necessary

Mr. Wood noted workers' compensation is a disability program with a medical component and the objective of the system is not only to heal an injured worker, but also to get him back to work. Inherent in that objective is the need for sound disability management practices.

AIA agreed with HHS's legal position that property and casualty (P&C) benefit providers are not covered entities under the rule, but believed that application of the standard to workers' compensation is inherently flawed, will impede communication of information needed to evaluate workers' compensation claims, and threaten the independence of the state-based workers' compensation system--an issue which goes far beyond the Committee's consideration. Mr. Wood reiterated AIA's recommendation to HHS and the Subcommittee to not apply the standard to P&C benefit providers.

Mr. Wood said the rule presents two fundamental problems for P&C benefit providers: (1) a lack of clear authority for covered entities to disclose information sought by P&C benefit providers to carry out legitimate insurance and claim management functions; and (2) superimposition of federal information disclosure rules on the state-based workers' compensation system, which threatens the integrity and viability of that system. Congress has consistently determined not to interfere with the carefully constructed regulatory system developed by the states.

Under the workers' compensation system, when an injury occurs, a claim for benefits automatically places the claimant's health status and medical history at issue. Giving the defending party (the employer or its insurance carrier) access to full medical records is an elementary legal principle, because this information must be fully available to both parties to ensure a fair and equitable result. Full disclosure is particularly important with respect to workers' compensation claims, because state law, reflecting a careful balancing of worker rights and employer obligations, holds the employer liable for all workers' compensation benefits prescribed by statute, even if the worker were negligent himself.

Mr. Wood said requiring physicians to make selective disclosures of medical information needed to evaluate a claim will frustrate the self-executing objective by creating an incentive against cooperating with the workers' compensation provider, thereby damaging the ability to effectively determine liability for payment and manage disability. The result was: more litigation (they'd heard Dr. Guidotti suggest there ought to be an action against carriers for inappropriate requests to disclose information), increased administrative burden, higher medical costs, longer duration of disability benefits, certainly high indemnity costs and decreased worker productivity.

Prohibiting covered entities from disclosing to P&C benefit providers information beyond what the medical provider deems minimum necessary puts medical providers in an unwarranted and untenable position of making legal judgments about information that has a direct bearing on legal rights and obligations of claimants. Mr. Wood gave the example of an injured worker with diabetes. Diabetes prolongs recovery from an injury. Unless the benefit provider is aware of that condition, the length of time the worker will be out of work will be miscalculated. Mr. Wood said significant financial implications when an insurer lacks the patient's medical history drive up the cost to employers who pay for the workers' compensation system and create system instability.

Mr. Wood said he didn't believe HHS understood the implications of establishing a federal rule governing state workers' compensation, which was a significant departure. Dual jurisdiction and enforcement would confuse matters and drive up both disputes in litigation and costs in the workers' compensation system.

Discussion

Asked if his position was that the entire medical record should be requested and sent in all workers' compensation cases, Mr. Wood said his point was there shouldn't be a federal disclosure standard, because of interference with state compensation. Drafting a disclosure standard into a regulation or law was a step beyond a judgment a physician might make in consultation with a workers' compensation carrier. Mr. Wood refuted that there was a relevancy standard in state workers' compensation laws, stating that expressed medical privacy provisions in the statute were exceptions to the rule. Ms. Serkes said she sat on the task force of the American Legislative Exchange Council's HHS Subcommittee that earlier in the month passed model language to take to the states that would exempt workers' compensation programs from state medical privacy controls. She suggested research was needed to see how legislators' actions interfaced with implementation. Mr. Wood responded that, to date, laws hadn't been enacted that would significantly impair the transmission of information under the workers' compensation system, with one partial exception. California was having discussions similar to those "around this table." He said most privacy bills were drafted with health plans in mind and there was a disconnect between that construct and a P&C insurance carrier's--particularly workers' compensation's--need to obtain information and fairly evaluate legal obligation to pay.

Dr. Guidotti contended that the primary information problem in the workers' compensation system was access to reliable, accurate and timely information on the basics--additional information often required was irrelevant in terms of the theory of the particular claim. He saw no reason why a workers' compensation carrier shouldn't be held to the same accountability as others in justifying the need for information that is almost extraneous, sometimes prejudicial and usually highly sensitive to the individual. Without safeguards, they would get what, in many instances they have now: a biased medical record that does not record important information because of legitimate fear and distrust on the part of the worker disclosing and the person reporting.

Mr. Rothstein applauded the ACOEM's statement that they now support minimum necessary. Noting that ACOEM had consistently opposed any restrictions on blanket authorizations, after a conditional offer of employment, for pre-placement examinations of unlimited scope, he asked if the organization had reversed its position and would now lobby for legislation as well as amend its code of ethics to make unlimited authorizations illegal and unethical. Dr. Guidotti noted a subtle distinction. Information needed to be disclosed and interpreted by the medically knowledgeable provider, and the person in the best position to do this was the one with the background in occupational exposures and environmental circumstance that might produce illness. The physician needs to have sufficient information to decide that the information is irrelevant and come to a legitimate conclusion. Mr. Rothstein replied, "You want us to prescribe what you disclose, but not what you get?" Dr. Guidotti responded that they were in the gatekeeper position--this provided a framework, rules of the game, and welcome relief from the pressures occupational/environmental physicians were under "to fly by the seat of their pants." Ms. Serkes responded that AAPS supported the minimum necessary, but took the reverse position: the physician's role was to be the gatekeeper and the one willing to take on that burden. Participants discussed having a task force or industry commission look into operations and issues where the payer and the plan couldn't agree. Ms. Serkes observed that the problem went back to the way the act uses the term "health care operations" without defining it.

Discussion

Members reviewed the issue of consent, working from a summary of formal and implicit recommendations proposed by panelists in their oral and written testimonies. Members expressed the Subcommittee's intent to continually monitor all issues. Observing that their recommendations had to be approved by the full Committee, they noted their letter to the Secretary needed to capture broader issues, as well, putting them in context. A motion was made and passed, four to one, to focus on issues of implementation and correcting unintended consequences of the rule, rather than discussing changes and major policy issues. Mr. Rothstein established that their letter would summarize the testimony heard, indicating issues explored, the disquietude, and support for further clarification. The Subcommittee could also recommend things, based on the testimony, that ultimately the full Committee could recommend as well. Members reviewed each recommendation in the summary: accepting, rejecting and categorizing them among broader issues beyond the scope of the immediate letter that could be recommended to the full Committee for further study.

The first proposal, "We strongly urge the HHS delete the consent requirement," was deferred as a big issue that the Subcommittee would follow closely.

Ms. McAndrew linked "Allow continued use of the data collected before the April 14, 2003 compliance deadline and require consent only for data collected after that date" more to the transition provisions than consent. She noted this would replace current transition provisions requiring prior legal permission with a general blanket grandfathering existing data. Dr. Harding remarked that this was an important issue for researchers. Mr. Rothstein observed there was a mechanism in the rule to continue using extant records with privacy committee approval. Dr. Zubeldia pointed out another recommendation that would allow continued use of data until the patient could sign consent. He said Kaiser having to go through 35 million patients to recall a pharmaceutical product was an example of a situation where this provision was better than the current rule. Dr. Cohn noted that NCQA recommendations indicated significant issues around abstracting data. Mr. Scanlon concurred with Ms. McAndrew's view: this was intended to be a transitional recommendation for addressing a practical issue--it didn't mean the information could be used forever. At the next opportunity, consent was expected. Ms. McAndrew said the recommendation would permit use of a former patient's records in perpetuity. Members voted in favor of recommendation two with one opposed, one abstained. Dr. Zubeldia clarified that his sense of the discussion was that this was a broad recommendation that needed additional protections so that it didn't allow continued use of all the data. Mr. Rothstein noted widespread agreement among members that, in certain circumstances, people who own or possess the medical records ought to be able to use them, notwithstanding authorization or consent. The Subcommittee will recommend to the Secretary that OCR explore ways in which medical emergency and other specific records can be accessed.

No one brought forward recommendation three: "Allowing for use and disclosure of data collected before revocation for continuing TPO." According to the ground rules, it was rejected.

Members considered the next recommendation, "Allow the continued use of data until a patient makes a physical appearance and is able to sign a consent form," to be subsumed within recommendation two, under the continued use of previously collected data. They noted the issue of the minority becoming a majority was also addressed in another recommendation.

Recommendation five, "Make the HIPAA consent requirement inapplicable to states that have statutory authorization for the use and disclosure of PHI," was deferred as a major issue that involves the whole notion of Federalism.

Recommendation six, "Defer the consent requirement for five years; then assess whether the other HIPAA tools provide adequate protection," was rejected with one abstention, one non-voting.

Ms. McAndrew explained that the next recommendation, "Reconcile conflicting laws, such as those that do not permit disenrollment upon the revocation of consent," addressed a limited problem for entities that are both plans and providers (e.g., Kaiser, VA) and subject to the consent requirement. They might wind up in situations where the rule is contradictory with regard to the statutory requirement to provide benefits versus failure to obtain consent. Members approved.

Recommendation eight would "Rely on parental consent for a child who reaches the age of majority until that new adult comes in for care." Ms. McAndrew clarified that, according to the rule, the fact that a child reached the age of majority did not invalidate parental consent. Upon reaching the age of majority, he or she becomes solely responsible and could revoke consent. Dr. Fitzmaurice said clarification by the Department and guidance could resolve the problem. Ms. Greenberg remarked on the need to educate adolescents on the privacy rule. There were no objections to the motion.

Recommendation nine: "Guidance is needed to clarify that under the rule a health care provider may, without individual written authorization, disclose to a health plan PHI necessary for the plan's health care operation. Clarification is needed to ensure that the privacy regulation does not prevent plans from getting information from providers that they need for accreditation and other health care operations." Noting this would require a rule modification, members changed the beginning of the second sentence to "Amend the rule…." Members noted that this was not just accreditation. Sometimes the encounter transactions were for payment; other times they weren't and could not be disclosed from providers to health plans. Members split the two components, voting on each separately. The first: "Guidance is needed to clarify that the ruling would permit disclosure of PHI to a health plan for the plan's health care operations." Four approved. One non-voting. The second: "To ensure that the privacy regulation does not prevent providers from disclosing information to plans that plans need for accreditation and other health care purposes." Three were in favor. One opposed. One non-voting.

Panel 5, Research

Dr. Welles said that, while Genentech could comply with the letter of the privacy rule, its scope and structure made that fact moot; as currently written, the rule had a detrimental impact on the ability to research, develop, test and monitor breakthrough therapies for serious unmet medical needs. Without swift and significant modifications, patients would be unavoidably denied access to medical breakthroughs, harming the nation's health and health care system. Genentech was specifically concerned about: the overall structure of the rule, the definition of de-identified, conditions relating to patient registries, the minimum necessary requirements, and modification of the existing common rule.

Dr. Welles said the primary concern is that the rule places all obligations, responsibilities and liabilities associated with disclosure of PHI for research purposes on the wrong entities. The rules all apply to HIPAA-covered entities, with some obligations placed on researchers. In light of these obligations and potential liabilities, Genentech was concerned that covered entities, which are vital data sources for research companies, would be less willing to share this resource, seriously undermining biomedical research. Genentech recommended revising the rule to allow covered entities to disclose PHI without patient authorization for research along with TPO. Researchers would remain obligated to protect this information and keep use of the information consistent with what was otherwise allowed by the rule. Genentech also contends IRB review would be necessary to determine whether the patient's authorization would be required or if circumstances warranted waiver. Dr. Welles said this would allow access to the data, yet the researcher's use of the data would remain under control of the rule, ensuring confidential and responsible use.

Although many point to the rule's reliance on de-identification as the way to circumvent the myriad requirements necessary to obtain PHI for research purposes, Dr. Welles said their reading of the definition of de-identified found it too restrictive to meet. Method two required the PHI be stripped of 18 kinds of identifiers and that the entity not have actual knowledge that the data could be used alone or in combination with other information to identify an individual. She said stripping the types of identifiers specified in the regulation would render a data set essentially useless for research purposes. For example, knowledge of a patient's age and gender is relevant when researching associations between age and sex with risk for heart attack. In addition, Dr. Welles said the second test and method to establish was an impossible standard. Researchers were almost always aware that a particular data set could be used or combined with other data to ultimately identify an individual. Relying on what could be done with the data, rather than what was actually done, would arguably establish an impossible standard to satisfy.

She added that method one, which called for subjective review by a statistician, was equally unrealistic--it would prove costly, time consuming and administratively burdensome, particularly for large-scale studies involving review of thousands of archived patient records. Genentech recommended amendments to the definition of de-identified under the rule.

Noting the rule allowed for disclosure of PHI without an individual's authorization for use in patient registries and post-marketing surveillance studies, but only where these were required by law, Dr. Welles said the vast majority of registries were not required by law, but were strongly encouraged by the FDA as an effective tool for monitoring ongoing safety and efficacy of drugs already approved by the FDA. The ability to obtain specific patient authorization for large-scale studies was impossible, and, if enforced, would dramatically limit the scope and quality of information obtained for this important aspect of the research continuum. Genentech recommended amending the rule's language to allow disclosure of PHI to conduct post-marketing surveillance using procedures and formats for registries and reports that did not identify patients by name or with identifiers such as addresses or phone numbers.

Dr. Welles said the rule's minimum necessary requirement, which limits the PHI to the minimum necessary to achieve the specified purpose, is particularly problematic when applied to research uses of data. Should a covered entity decide to disclose PHI to a researcher, pursuant to the various requirements imposed under the rule, the covered entity is further limited to disclose only the minimum amount of PHI necessary for the performance of the particular research goal. Noting that researchers typically obtain information from multiple sources, she predicted that, with different individuals making subjective determinations regarding the minimum necessary requirement, researchers would inevitably receive disparate data sets. There would be no way to ensure that the data sets were comparable and researchers would be unable to establish a reliable baseline. This requirement would introduce bias into records-based research, making the results questionable at best. Genentech recommended the minimum necessary requirement be waived with PHI lawfully disclosed for research purposes.

Dr. Welles said Genentech was also troubled that the rule directly modifies the existing common rule, imposing an unprecedented new set of privacy conditions on research, which they believe is beyond the scope of the HIPAA mandate. Further, the rule added to the criteria IRB and privacy boards are directed to consider when reviewing the research protocol, going well beyond the arguable authority of an IRB by directing them to consider the overall merits of a particular research project. Such judgments about what research has societal value had always been left to physicians, patients and the marketplace. Genentech recommended that the rule be amended to exempt from the authorization and waiver of authorization requirements, all human subject research accountable to review by a properly constituted IRB acting in accordance with the common rule. In addition, Genentech recommended that the new IRB review criteria added by the rule be deleted, leaving IRB review subject to the current common rule mandate.

Discussion

Responding to a query about her request in an attachment addressing de-identification for the five-digit zip code and full date, Dr. Welles noted dates were critical; patients were at greater risk with many diseases as they got older. And zip code was important in terms of regional effect--e.g., a cluster of cancer cases. Dr. Welles said a serious concern was that the restrictive nature of the rule might cause some partners to find it less desirable to do research. Genentech could set up its own privacy board, but now their partners' legal counsel might decide not to enter into relationships because of liability. The aggregate structure of the rule made research extremely cumbersome. Dr. Fitzmaurice said he understood that the covered entity could rely on the researcher requesting only the minimum necessary; but even without minimum necessary, people giving data would still make independent and different judgments. Dr. Welles said that hadn't been their experience. Typically, they asked people to fill out a simple form, tracking patients linearly. Genentech's growth hormone registry, for example, tracked 30,000 pediatric patients, asking for age, height and weight. If one institution decided that minimum necessary meant leaving out weight or other concomitant measurements, they'd end up with holes in their database and any analyses would be unusable.

Dr. Fitzmaurice asked if some of this problem would be solved if the covered entity could rely upon the researcher requesting the minimum necessary. Dr. Welles replied there wouldn't be an issue, so long as everyone agreed and provided the data. But if it was left to everyone's subjective opinion, the data sets wouldn't be consistent. Again, the research would be useless. She noted they often do research in large multi-center trials with up to 1,000 sites and many IRBs. It was already cumbersome. Typically, they look at the integrity of the research protocol, the protection of the subjects, informed consent and the data established to date. She questioned whether the IRBs, as now constituted, were capable of weighing in on the merit of the research. The IRB should focus on risks and safety for the patient and leave the knowledge to be derived up to the researchers. Mr. Rothstein remarked that IRBs often consider the merits of the protocol; they might not go into the nth degree of analysis, but needed to assess that it was a worthwhile enterprise. Dr. Welles distinguished the merits of the protocol from the actual merit of the research. For example, in considering a drug for psoriasis, it was one thing to say the protocol, as written, wouldn't give the answer you're looking for--"And further, you'll harm the patient and not offer any benefit." That was different than arguing that therapies were already out there. That was subjective opinion. Genentech saw a need: current therapies cause renal and liver failure.

Dr. Welles clarified that Genentech recommended that, when an individual signs a consent, it should be TPO and R rather than just TPO. Asked if that meant that a private researcher, not subject to the common rule, would have access to individually identifiable patient medical records without further review or scrutiny, Heidi Wagner, an advisor with Genentech, responded that the point of their recommendation was that the focus then would be on the use of the information--if Genentech had access to data lawfully disclosed by a covered entity, they would still have to review whether the research use was appropriate. Mr. Rothstein replied that Genentech would be required to go through an IRB, because its research was in furtherance of an FDA application; with a researcher not subject to the common rule, either by NIH or FDA, there would be no further safeguards. Ms. Wagner said it would be as it is today; anyone not already subject to the common rule would not be. Dr. Fitzmaurice observed that the rule did change the status quo.

Panel 5, Research

While AAMC strongly supports the capacity of human research participant protection programs to safeguard privacy while retaining the vitality of the research enterprise, Dr. Kulynych conveyed their belief that the final privacy rule was not such a measure. She said the rule needlessly intrudes upon the current IRB system of research oversight, burdening biomedical and behavioral research with procedural requirements, ambiguous regulatory standards, and extensive new liability concerns. AAMC's overarching concern is that the rule imposes new civil and criminal liability upon hospitals, health plans, and providers who use or disclose data for research purposes, even when approved by an IRB. Under the rule, a covered entity must shoulder this additional legal risk whenever it makes research-related determinations regarding minimum necessary and de-identification, provides an accounting of research disclosures, or its IRB or privacy board acts to waive the rule's authorization requirements. Dr. Kulynych said such liability is above and beyond the legal consequences that flow from an entity's failure to observe research regulations or applicable state laws.

Increased liability, particularly when coupled with the compliance burden imposed by procedural requirements, creates a substantial disincentive for covered entities to accommodate the needs of researchers. As Dr. Lumpkin noted in a February 2000 letter to the Assistant Secretary for Planning and Evaluation concerning the NPRM, "disincentives caused by the rule may well cause covered entities for whom research is not a core mission to conclude that the cost--and the risks--of disclosing data for research are simply too great. The threat is most severe to research that requires access to large numbers of medical records…." Dr. Kulynych urged the Subcommittee to keep in mind that federal requirements already address the privacy of participants in federally regulated common rule research. IRBs reviewing research under the common rule must evaluate all risk to participants, including risk to privacy. The common rule grants IRBs the flexibility to determine, on a case-by-case basis, which physical, procedural, and technical safeguards are necessary to protect participants' privacy and confidentiality. An IRB may not approve research unless it finds that safeguards are adequate. Similarly, an IRB may not waive consent unless it documents that the research is of normal risk and the waiver will not adversely affect participants' rights and welfare. An IRB must also review and approve the content of all information provided to the participant during the informed consent process. Dr. Kulynych said the privacy rule would supplant IRB discretion by overlaying complex authorization requirements and new waiver criteria, some of which are hopelessly ambiguous and likely to promote gridlock in an already overburdened IRB system.

Dr. Kulynych noted that the Committee recognized in its 1997 report to the Secretary that it had received no evidence of documented breaches of privacy resulting from researchers' use of medical records. She said if additional safeguards were deemed necessary, a more appropriate remedy would be to modify the common rule criteria. Noting that, in 1998, AAMC endorsed the addition of objective privacy review criteria to the common rule, she said that when reviewing research the IRB should be required to document that, when identifiers will be retained, research will be impracticable without the use of identifiable information. The IRB should also be required to review the physical, technical, and procedural safeguards for participant confidentiality.

Dr. Kulynych expressed AAMC's belief that the privacy rule's authorization provisions are unnecessarily burdensome and likely to dissuade participants. Clinical trial participants could be asked to sign, in addition to the standard consent, as many as three research-related forms that, per the rule's mandate, contain lengthy, precisely worded disclosures. The authorization provisions also appear to preclude investigators from retaining identifiable health information obtained in a trial for future research not yet envisioned at the time of authorization.

She said AAMC also believes some of the new waiver criteria are unnecessary and problematic for IRB reviewed research. Federal research regulations contain criteria the IRB must satisfy to waive consent. Some of these criteria in the rule duplicate criteria already found in the common rule. Others are inherently ambiguous.

Although an IRB can evaluate safeguards for confidentiality, Dr. Kulynych pointed out there is no agreed upon normative standard by which to make determinations about "privacy rights" or "privacy risks," particularly in research that must be deemed minimal risk as a threshold criterion. She conveyed AAMC's fear that an IRB's review of a waiver request could become an irresolvable debate over "privacy rights" based on little more than personal beliefs.

Dr. Kulynych said AAMC enthusiastically supports the Department encouraging use of de-identified medical information in research, but was dismayed that the Secretary set a single standard for de-identification that, though it may serve other purposes, is so high it renders the data useless for most epidemiological health services and other population-based research. She noted the de-identification standard provides that information is preemptively identifiable unless there is "no reasonable basis" to believe that de-identification is possible. As a legal matter, this standard is difficult to meet. Even under the rule's safe harbor provisions, a covered entity might never be entirely confident that the information met the regulatory requirements.

Dr. Kulynych said catchall provisions and an unrealistically broad list of specific identifiers undermined the basic utility of the safe harbor, making it likely many covered entities would decline to de-identify data for research purposes. She said AAMC continued to urge the Department to modify the rule to create an exception for uses and disclosures of information in common rule research that would not be subject to the minimum necessary or accounting for disclosures provisions. IRB should continue to apply the common rule, modified if necessary to incorporate necessary corporate review criteria when determining the form of consent both for participation and for the use of PHI and when granting waivers.

Similarly, the IRB should be permitted to determine when information has been sufficiently de-identified to researchers lacking authorization or waiver of consent. The rules of the de-identification standard should resemble the standard articulated in Representative Greenwood's Medical Information and Research Enhancement Act of 2001, which requires the removal of direct identifiers. Concerns about inappropriate secondary use of research data should be addressed by requiring IRBs to obtain written assurances from investigators that data will not be used.

Panel 5, Research

In HHS's weighing privacy versus research, Dr. Klepinski said research had lost. Everything was going to be more expensive, slower, and more difficult. He said the reactions Dr. Kulynych reported were what researchers feared most. The door had been opened to a whole round of plaintiffs' attorneys and litigation. Legal staffs were advising institutions where research had always been done not to take unnecessary risks. Researchers had a problem convincing people to be as cooperative as they had been.

Dr. Klepinski said clinical researchers were jealously protective of their patients and had no interest in identifying data. In all the steps taken in the past, they never believed they were dealing with identifying data. This was no longer true. With the proposed standard, Dr. Klepinski said they couldn't actively do the type of research they did on a de-identified basis.

Dr. Klepinski contended that de-identified research was impossible in IDE research situations. The FDA and their regulations explicitly required many things tagged as identifiable data in the definitions. To comply with the FDA, authorization was needed for past medical records to know if the patient fit the protocol, for current medical records to make sure the study is conducted properly, and, when the FDA required post market surveillance to monitor adverse events, records were needed after the study.

When an FDA device was filed and received premarket approval, there was an obligation to keep that data, including an enormous "swath" of the patient's medical history, for as long as there were incremental devices in that field and it might form the basis for a PMA supplement. Dr. Klepinski said authorization was their only hope, but noted it would be complex and require individuals willing to accept that they might be sued "anytime over the next 20 years."

Reiterating that early research was difficult, with researchers asking for what was now identifying data, Dr. Klepinski said post market issues were even tougher. A common post-market study collected information on every device implanted at a number of centers, following every one. They'd never identified any patient, but they'd collected the implant date, every adverse event, and when devices reached end of life. The study couldn't be done under HIPAA regulations. Institutions that had always cooperated would say, "Why risk it?" Dr. Boswell added that the privacy rule only said the covered entity might disclose. It was all permissive to a "risk adverse" lawyer for a covered entity--and enforceable with civil and criminal penalties. Dr. Fitzmaurice said his understanding was that if FDA had laws requiring it, then they had to follow that law. Dr. Klepinski responded that FDA's quality systems regulations were short and general "aspirational statements" about what one was supposed to achieve. Details had been filled in, over the years, by standards organizations developing techniques and FDA inspectors imposing ways of doing things--but weren't written down. A hospital or quality system regulation states you're required to follow up complaints. It doesn't specify the data, how deep to go, or the need for identifying information. Asked if he was sending a message to FDA to be more specific, rather than asking to change the rule, Dr. Klepinski said the latter. If it was simple to change FDA on a two-decade old rule, he would already have done it.

Panel 5, Research

Ms. Pollak addressed weighing the protection of privacy against the burden on the research organization, noting four issues that result from the regulations and four practical solutions every medical center must address in order to comply with them.

The first is the accounting requirement that provides an individual the right to ask for a six-year retrospective accounting of all disclosures outside of the organization for non-routine purposes. She noted the information required looked reasonable and the purpose (so people understood who got their information and could protest if they hadn't authorized disclosure) was a good objective. But it was daunting writing down those 8-9 items for every single disclosure in an institution with 3,000 protocols and 75,000 research subjects each year, and thousands of disclosures every day in multiple center trials. The regulation attempts to address this by letting multiple disclosures to the same party about the same subject only be recorded once. The problem was tracking details of those disclosures for 75,000 people. Ms. Pollak questioned the purpose of all this. If someone enrolled in a research study, they knew that information was going to be used for that study and they had every right to know who's in that multi-center trial. They could ask for any information they wanted at the time they entered. If it was waived research, then the IRB was now under these "regs." The privacy board would make those determinations. So whether they were under the common rule or the expanded criteria under HIPAA regulations, an objective body would look at that and determine if the privacy was protected or, to the extent necessary, valued against that research end.

Ms. Pollak said it wasn't comfortable knowing there was a regulation "out there," with civil and criminal penalties, which one thought was neither needed nor possible to fulfill. She commended to the Subcommittee the change detailed in her written testimony that exempted research from the accounting requirement.

Secondly, she noted the practice of researchers through the years, particularly for unique studies where there might only be 10-20 people in a region with a particular condition or disease, to seek out recruits for the research protocol as part of their preparation for research. Ms. Pollak proposed an amendment to the regulation clarifying that, if a researcher used PHI to identify subjects, that researcher could not disclose that to anyone, including the subject, until the IRB or privacy board approved the research.

Third, under the regulations, non-profit organizations that collect important epidemiological data researchers use all the time are not considered business associates; there is no way to give them anything but de-identified information without the patient's authorization. A way suggested would be to have the Heart Association get a waiver from the IRB. But Ms. Pollak noted there wasn't a particular research study for the IRB to review. They were talking instead about making available an epidemiological database important historically. She offered an amendment that would not be required by law, but would allow disclosure on behalf of the covered entity, so long as there was assurance that information would be used only for that public service purpose.

Noting that the Departments raise 99.9 percent of the research dollars at Hopkins, Ms. Pollak mentioned the issue of fundraising. Under the regulations, someone who'd been to the Wilmer Clinic couldn't be contacted about a gift to the Wilmer Institute. The fact that they came to the clinic was PHI and they couldn't be contacted without their authorization. Ms. Pollak provided two solutions: adding the department or doctor to the permissible use of PHI, or a modified authorization form indicating it was okay to contact the individual for fundraising purposes.

Asked about disclosing information to organizations, Ms. Pollak remarked that researchers would respond they didn't give identified information, because they had de-identified it. But under these criteria, they would also have destroyed the value of the information to the organizations. Zip code, sex, race, age were all important for epidemiological research. An epidemiologist with a sample of 30,000 individuals studied in East Baltimore might give that information in a de-identified form to a researcher in the Heart Association studying the impact of urban climate and diet on heart disease. That information became a database available to researchers all over the country. Ms. Pollak explained that if the Heart Association came to an IRB and asked for an exemption, the association wouldn't have a particular protocol. Clarifying that this section didn't relate to individual protocols would require a burdensome exemption route. The association would have to go to 125 major research centers, 5,000-6,000 hospitals to prepare and present the IRBs.

Panel 5, Research

Dr. Boswell said she had been working since 1996 for many of the hospitals and academic medical centers and researchers heard here, trying to balance the protection of privacy while not completely restructuring how research was done in this country. Perhaps the most frustrating thing about the regulation, she said, was that its research requirements, while burdensome and costly to implement, seemed to have little to do with enhancing the privacy of research participants, and everything to do with elaborating the rule's formal structure, and fixing problems created by its other requirements. She clarified that she was not speaking on behalf of any specific client, but was expressing her own strong views. Noting the problems and issues hadn't changed in five years, she suggested this stemmed from a tendency to view the statute being crafted as a structure everybody must follow, rather than looking closely at the research community and seeing whether or not privacy was protected and if solutions were really needed.

Dr. Boswell commented that she was hard pressed to find a cost-effective way for covered entities to implement requirements of the rule without taking on excess legal liability. To explain her perspective, she asked the Subcommittee to think of health care research in three distinctly separate categories: (1) research that involves the use of data and medical archives collected for other purposes (e.g., by not-for-profit associations and registries), (2) research subject to regulation under the common rule (or the FDA's codification of that rule), where individual IRBs already review, weigh and balance risks to the individual against the value of that protocol and the knowledge to be gained, and (3) research that falls into neither. Dr. Boswell suggested that the regulation's "lumping" these last two categories together was a likely cause of many of the legalistic boxes it built for itself and the industry.

In common rule research, Dr. Boswell pointed out they already had a system of protections in place, with the IRB weighing and evaluating risks. She said Dr. Welles' suggestion of letting approved research proceed under the common rule was a doable thing for most medical centers and hospitals. They knew the system; the IRBs knew how to evaluate risks. And Dr. Boswell argued the IRBs were already importing minimum necessary amount and all the other new requirements of the privacy rule into their proceedings.

Dr. Boswell said she was deeply disturbed about what the privacy rule authorizes for this third category of research, which intentionally subjects persons to clinical, biological or psychological interventions in order to collect research data without any ethical board review, and she wanted to "take it off the table." She didn't understand why, in the name of new federal privacy regulations, the rule should authorize a waiver of an individual's consent; without that piece of the regulation, the research would be subject to the prior approval and authorization of the individual under the regulation as it stands.

Dr. Boswell said the 12 required elements in this new research authorization either duplicated what was in the informed consent documents, were patently untrue, or were needlessly complicated discussions of "irrelevant legal niceties." She said there was no new privacy protection apart from the fact that what was implicit in electing to give informed consent was now explicit and separately documented in a legal form.

The authorization is required to state that the information disclosed to a researcher "may be subject to redisclosure by the recipient and no longer be protected by this rule." Dr. Boswell said she wasn't aware of any informed consent documents or IRB approvals in recent years that permitted a researcher simply to disclose research information. The common rule and IRB process assured that research information was used and disclosed only for the purposes specified in the consent documents.

The regulation also requires the authorization to state that their data will be available to them to inspect or copy as provided under 24 CFR 164.524. She called this "bait and switch." A fine reading of 164.524 establishes that the researcher's proprietary database does not meet the definition of a designated record set to which individuals have access; all the patient gets is the data that would otherwise be in the hospital's file.

The regulation says that any information created or received by a covered entity is PHI and subject to the rule unless it qualifies as de-identified. Even 6,294 admissions by zip code to a hospital are identified data because they include zip codes, unless a statistician says patients can't be identified. A statistician needs to be hired even for aggregate stats. IRBs need to be trained and ready to waive authorization, or an army of statisticians needs to evaluate the data sets and every research report associated with what the covered entity wants to publish. Any table of data reported by date or any other factor in the list of identifiers remains PHI unless there's a statistical blessing.

Discussion

Dr. Boswell recommended a definition in the privacy rule that stuck closer to the statutory definition for identified data: it's individually identifiable if there's a reasonable basis to believe it could be used to identify an individual. The regulation "flipped" that: Could anybody somewhere use this to figure out who this is? She observed that researchers were willing to be bound, accept penalties, and protect this information. Others had gone overboard in creating the safe harbor. Mr. Rothstein pointed out that she could disclose the information of the 6,000 people in a zip code because it was above the regulatory number. Dr. Boswell asked what she was supposed to do about the strip printouts Mr. Klepinski wanted to look at for that non-identifying information; they contained the date the strip was printed. Mr. Rothstein asked the question, "How could they make life easier for research and still protect individual privacy rights?" He suggested using some statistically based number. Dr. Boswell observed a statistician would still have to analyze the database. If the data was going to be used under a precisely defined set of purposes, she suggested the kinds of de-identified data available before could meet regulation requirements. There were other circumstances in which the regulation permitted disclosure to others for specified purposes. Dr. Boswell said she was troubled relying on the statistics and probability measure, as if all research involved electronic data. She favored their earlier discussion about research approved under the common rule; there was no reason an organization like Hopkins shouldn't be waived to operate that way. She acknowledged problems with data research; the regulation didn't allow these kinds of controlled, limited contractual uses. They didn't have any mechanism for a privacy board and needed something to "bless the creation" of the databases for research purposes.

She noted the need to do a lot of "big number" database research as they plowed through the genomic information. Dr. Boswell wasn't sure they were ready for this in the regulation, but she envisioned authorizing a privacy board to create access to a database subject to specific, limited access and held accountable for the use of the data in the public interest. She reiterated that she wasn't comfortable with anything other than authorization for research that involved interventions and would be reviewed by an ethics board.

Dr. Zubeldia said he heard proposals for three different types of safe harbors for the de-identification of data: the one that exists today, another for data released to the general public, and a lesser safe harbor for data released to qualified researchers. He assumed they wanted full disclosure about what was in the safe harbor and authorization or consent. Dr. Boswell said it wasn't possible to get patient authorization in those circumstances. Dr. Klepinski reiterated that much was retrospective. When you have a complaint from a hospital that a device is not working as expected, you have design experiments. You gather data on what happened and look back at other patients implanted commercially, to see if there's a trend. Those people never signed authorizations.

Dr. Zubeldia questioned the safety of that safe harbor. Dr. Boswell replied it was as safe as the trustworthiness of the researcher/clinician relationship, something they'd relied on for years. Dr. Klepinski added that the analysis was controlled by either the quality systems or clinical regulations in the FDA. A well-established set of processes had been set up, over the decades, for handling these issues under FDA control.

Dr. Kulynych observed there were several possible routes to address de-identification of protected information for research. One was to simply say the standard for research is a safe harbor, but require contractual agreements. Another would be for the IRB to determine the information received is de-identified to a standard appropriate and obtain assurance that, in setting up a registry, it wouldn't be released for other purposes.

Noting a line in the preamble stated that one of the goals of the "reg" was to encourage de-identified research, Dr. Klepinski commented that nothing could be further from that result than what had happened. He suggested beginning again; the direction they were going seriously discouraged or made research impossible. Dr. Kulynych added she'd just heard from community hospitals that had consulted with their counsel. Some concluded it wouldn't be possible to de-identify data. All their research disclosures were of identifiable data.

Ms. Pollak clarified what a researcher at Hopkins would have to do, under her proposal, before getting access to medical records of all the people in the institution. As provided in the adopted regulation, a researcher would have full access to all PHI for all patients, past and present, to prepare a protocol for IRB review. The regulations require that that researcher only use the information to prepare the protocol; it could not be disclosed for any other purpose. She wasn't changing that for recruitment. If you found six adults in these files who had a particular rare cancer and the study was approved, you were allowed to call and ask them to participate in this research protocol. Currently, a protocol is reviewed by the IRB before the researcher approaches the individuals. Hopkins approves all research protocols through its IRB, so no research could be approved that wouldn't have had that review. There are privacy protections under the common rule. Part of what one brought to the IRB was a sense of what it would mean to be identified. If there were only six people, and the study was important, and this was the only way to do it, that initial contact was an appropriate concern. Each person had an objective right to say yes or no.

Mr. Rothstein noted that the way the rule read, someone checking into an institution signed a consent for TPO and presumably needed to also sign a "big stack" of authorizations. In theory, they could reduce the kinds of disclosures to get authorization and have check boxes on one sheet of paper. He asked if they felt more comfortable with the distinction between authorization and consent. Ms. Pollak said authorization was a less desirable solution. Some 400,000 people might come to Hopkins this year. Without anybody to explain how the information would be used, 150,000 might decline. With her suggestion, there would be a whole process of review, under the common rule, before that question was asked for a very specific purpose. She noted fundraising was different. People knew what that meant; that didn't change the database for research. But for many types of epidemiological research, they would have to redesign their computer system to track responses to all those research issues. Dr. Kulynych said it wouldn't address concerns about covered entities that weren't research institutions and discretionary activity. So long as there was liability for research disclosure and authorization provisions applied in any form, there was a substantial disincentive to disclosures.

Mr. Fanning noted questions had been raised about criteria set out in the regulation that weren't in the common rule. He asked what was wrong with them. "The liability and substance concerns," Dr. Kulynych replied. Whatever the criteria, she said this parallel new regulation with all its associated liability was a concern. For R&D research it was an unnecessary disincentive, triggering concern about debates over privacy rights and risks. It was an amorphous criterion and they weren't sure how IRBs would handle it. The focus should be on protections for the confidentiality of the data and the research's scientific merit. Mr. Fanning asked if the IRBs weren't already taking those things into account in judging whether the consent requirement should be waived. Dr. Boswell replied that this requires an independent weighing of the privacy risks versus the value of the research. The regulation was asking for a separate evaluation independent of all of the research risks IRBs weighed. She said disallowing the identifiers or contacting people could control those. The regulation asked people to weigh privacy risks in the absolute versus, "Do I like this research protocol, is it worth subjecting people to that kind of risk?" It was a different weighing.

Members continued reviewing the consent recommendations, resuming with number ten. Permit providers to share individually identifiable health information to support TPO without obtaining a written consent. Leave in place the requirement for written notice at the provider level to ensure that individuals are educated about the use of their protected information for TPO. Noting that this was similar to the first recommendation they deferred, they set it aside.

The requirement for individual prior consent to use or disclose information for TPO should be eliminated, as was the case in the original HHS proposal. Members deferred, concurring that this suggestion was subsumed within the first and most recent recommendations.

We recommend that the right to revoke consent categories not apply to categories of information that are necessary for treatment and certain health care operations. Those categories would include patient and employee safety, quality, certain population-based activities, peer review, employee performance review, education and training, accreditation, certification, licensing, credentialing, medical review, legal services, auditing, compliance, resolution of internal grievances and similar activities that require complete information. The group observed there were legitimate issues around revoking access information and quality measurement, but expressed concern for diluting revocation. Noting they'd heard testimony about many different ramifications and circumstances surrounding revocation and wanted to consider them all, they revised the proposal to recommend that the circumstances surrounding revocation be reconsidered and clarified by the Department.

We believe that revocation cannot be applied to information that has "migrated" into various systems beyond the individual record. Ms. Greenberg noted Mayo had a number of registries for various diseases and procedures, used for quality control and improvement purposes. It would be extremely difficult to extract information from them. It would also dilute the registries' usefulness for quality purposes.

Mr. Rothstein suggested that what they might need to recommend was a clarification on the duty of the individual provider upon receipt of a revocation. Did they have a duty to notify all the people they'd ever sent medical records to that it had been revoked? Mr. Blair reflected that the idea that revocation meant being responsible for removing consent to all prior information, including what might be shared, seemed impractical and beyond the scope a provider could track. He suggested instead simply revoking new information from that date forward.

Ms. McAndrew clarified that, because consent is for the entity's own uses for TPO, when it is revoked that universe is affected as a whole and can no longer be used by them. If it has migrated to another covered entity, that covered entity's either on its own consent to that data or, if it is a plan where no consent is required, it has that regulatory authority for TPO. Dr. Cohn reflected that, assuming revocations occur in the provider environment, the insurer or health plan could have a lot more information about what the provider was doing than the actual provider. Ms. McAndrew noted some "legal room" within a provision permitting continued use based on reliance factors, but she said it couldn't be expanded infinitely or it lost all meaning. She confirmed that initial consent does not expire. Mr. Rothstein proposed giving examples of things they were concerned about. He suggested that the last recommendation for reconsidering and clarifying circumstances surrounding revocation could address this issue as well.

Records created before the implementation of this rule should be exempt from the consent requirements until a patient encounter occurs after implementation of the rule. Members noted that they'd already agreed to discussion of this in recommendation four.

A revised rule is necessary; guidance alone cannot fix all the problems. It also is important that the changes be made quickly. Ms. Greenberg acknowledged that the Secretary said he intended to revise the rule, but she also noted their considerations that guidance alone could fix the problems they'd heard about. Members suggested comment in the body of the letter that, if a revision in the rule is necessary, it should be done expeditiously.

In a comment letter to HHS, APhA recommended several different possible modifications to the prior consent requirement. First, APhA strongly recommends that the prior written consent requirement revert to the statutory authorization concept that was in the proposed rule. Alternatively, the regulation could be modified so that the very act of bringing a prescription to the pharmacy or having a prescription called in qualifies as implied patient consent. Dr. Zubeldia remarked that the two concepts of consent and prior consent were jumbled. He questioned how the prescriber calling the pharmacy constituted consent from the patient and pointed out that, if a patient didn't consent, one could not dispense the product and delete the information. He suggested there might be a way to separate prior consent from consent. Mr. Rothstein said the recommendation two bullets down looked at that. Dr. Fitzmaurice noted the concept in the privacy rule that, when a physician referred a patient, such as to a radiologist, the latter physician became an indirect provider and could build on a consented report. He suggested thinking of a pharmacist as an indirect provider working under the consent received by the referring physician.

Dr. Harding recalled he'd tried to ask Ms. Winckler about this yesterday. It troubled him that the prescription was put on the database before he ever got there--a number of people never showed up. Mr. Scanlon observed that three bullets addressed this issue and proposed dealing with them as a family. Noting that HHS had already committed to resolving the situation, members agreed to acknowledge that this was an issue that needed to be addressed or clarified and to present a couple of possibilities for resolution.

Dr. Fitzmaurice interjected that he'd received an e-mail answering a testifier's question about whether the patient's name was a standard element in the NCPDP standards for a claim. It wasn't.

It should be up to individuals--not the federal government--to decide to whom they want to disclose personal information. Individuals and their doctors (and other providers) should be free to enter into private agreements regarding disclosure of patient information including genetic information. Ms. McAndrew noted Ms. Blevins envisioned an actual contractual agreement between the doctor and the patient concerning the permissible releases of the information and actual negotiation. She said it was not a contract necessarily enforceable under the rule, but it would have whatever enforcement rights a state granted such a contract. Ms. Blevins explained it was for the individual to have consent on the terms they would like to have and not let the rule dictate terms. Mr. Rothstein asked if another way of putting it would be that HIPAA provisions protecting privacy served as a floor for protections that could be negotiated between the physician and the patient. Ms. Blevins said, "No"--They'd heard a lot of different opinions and she was saying: "If you didn't want what's offered, you can have an alternate arrangement." Mr. Blair asked if one of her examples explicitly excluded access by law enforcement agencies or employers. Ms. Blevins said she didn't say what it could exclude or cover, just that it should be individual and the patient and doctor should jointly decide. But she noted it couldn't override a law that said law enforcement could get a subpoena.

Ms. Blevins clarified that she was not saying the doctor had to agree; but the doctor did have to abide by the minimum necessary laws and regulations in his or her state. She said what really concerned her was the section that said, even if a doctor agreed, this rule preempted that agreement. Dr. Fitzmaurice said he wasn't sure a doctor could sign away abiding by the section 164.512 exceptions of the privacy rule. Dr. Fitzmaurice said what concerned him was that she was going all the way back to the law passed by Congress. They didn't have the ability to abrogate that. Ms. Blevins replied this was basically unconstitutionally delegated. Congress never voted on what privacy rights should be. There was no clear definition of privacy rights or of contract to be offered to individuals in that statute. The recommendation was not moved forward.

Modify the rule to provide one consent form for all treatment, payment, and health care operations and this would extend to the pharmacy as well. Members decided to put in the recommendation their recognition that the issue of pharmacy dealings needed to be clarified and that they supported OCR in its efforts to resolve this issue.

In conclusion, it is imperative that HHS delays the compliance date until two years after the final modifications have been made to the rule. Requirements in the final rule will substantially alter pharmacy operations, and compliance will take two years of preparation. Members declined to act, remarking it would take an act of Congress--or God.

The APA agrees with Secretary Thompson when he stated in the guidance he "will be proposing modifications to allow direct-treatment providers receiving a first-time referral to schedule appointments, surgery or other procedures before obtaining the patient's signed consent," thus clarifying a statement in the regulations. Patient consent should not be required for treating physicians to consult with colleagues or medical students to establish patient referrals or to begin "indirect treatment relationships" with other providers.

Members noted that the issue of consultation with colleagues and medical students and other concerns already had been addressed in the regulations or guidance. The authorization had already been given for the referring physician to disclose information. This was both a use and disclosure limitation on the provider receiving the referral. Members discussed making the prior agreed to statement broader, including pharmacies and other referral services.

Health care plans and clearinghouses should be required to obtain a patient's meaningful consent before their medical records can be disclosed for TPO. The regulation should not be limited to health care providers obtaining consent. Members noted the proposal was intriguing, but probably unworkable. They didn't see that clearinghouses had a way to get patients' consent.

The patient should have the freedom and the ability to revoke the consent at any time. The APA is concerned that the rules do not adequately give protection to the patient. Members had already addressed revocation.

There are provisions in the regulation regarding comatose patients. We suggest these have a relationship to the APA's unique professional concern with respect to protecting health information of involuntary patients being treated for mental illness or substance abuse pursuant to state law. The privacy rule does not make an exception for involuntary patients who refuse to sign a release permitting the use and disclosure of their medical information. Dr. Harding explained that this had to do with a competent person, held involuntarily, who refused to sign for information and consent. Was his or her consent allowed or was access to information automatically granted for tending to that patient refusing treatment desperately needed? Ms. McAndrew clarified that there were three exceptions to the consent: emergency treatment, required by law to treat, or substantial communication barrier to obtaining consent. This proposal fit required by law to treat. The rule already permitted a waiver of the consent requirement. Dr. Harding noted some people committed did refuse treatment, but agreed it could fit in this category. The Subcommittee would request clarification on whether there was regulatory waiver of the requirement for involuntarily committed competent patients who refused to consent to treatment.

Members shelved their consent discussion, agreeing to resume after the public period.

Public Testimony

Mr. Beato testified on unanticipated consequences of the privacy rule for the small business members of this trade association of credit and collection specialists that provide account receivable services to the health care industry. The Fair Debt Practices Act (FDPA) and the Fair Credit Reporting Act, federal statutes that contain detailed legal requirements for the collection of debts and reporting of consumer information to national consumer reporting agencies, regulate ACA's members. Under the privacy rule, the majority of ACA members are business associates or health care clearinghouses. In 1999, hospitals wrote off an estimated $23 billion to bad debt. Mr. Beato said providers recovered millions of dollars annually through these services.

Mr. Beato expressed concern that the rule conflicts with the Fair Credit Reporting Act, which imposes a duty upon data furnishers to update personal information (e.g., address and telephone number of place of employment) reported to national reporting agencies. He said the rule's sweeping definition of PHI, which includes credit-related demographic information, impedes a business associate's use of this credit information for payment purposes.

Mr. Beato noted that the guidelines do not carry the force and effect of statutory or regulatory law, leaving members and their health care clients in the untenable position of reconciling the conflict with practices permissible under other federal law. He requested that the Subcommittee consider three modifications to the rule: (1) permit business associates to report medical debts to the three main national consumer reporting agencies, (2) clarify that location information services are permitted under the rule, and (3) remove certain demographic information from the definition of PHI when used for the limited purpose of conducting payment activities.

Public Testimony

Dr. Rada conveyed the Special Interest Group's conviction that the privacy rule should go into effect as originally published. He said members' highest priority has been to share best practices and that if entities can share their experiences and recognize consensus they will achieve economies of scale and help operationally define the meaning of the privacy rule.

Noting that HHS encouraged self-organization of the health care industry via the identification of best practices among peers, he requested that the Subcommittee recommend that units of HHS with available R&D funding support the discovery of best practices for implementing the privacy rule. He suggested professional societies were candidates for such funding. Dr. Rada clarified that he wasn't suggesting a new Congressional budget, but seed money to hold conferences so groups that want to comply with HIPAA could better share and publicize information.

Public Testimony

Mr. Pyles encouraged the Subcommittee to broaden the request from OCR on first encounters to cover more than just pharmacies; medical equipment and suppliers with equipment for delivery to a patient's home often had to make determinations based on the medical record before they saw the patient. He noted that a patient might want to pay out-of-pocket for a prescription and not have that information in a database; if that information went into the system consent, the patient lost that option. He pointed out that every citizen has vested rights set forth in section 264(b) of HIPAA. He urged the Subcommittee to carefully consider changes in the regulations that would rescind these rights. Without the power to give or withhold consent, patients will withhold information needed for diagnosis, treatment and research. Mr. Pyles said it would be extraordinarily unfair to the public for the Subcommittee to make any recommendation on eliminating consent based on the testimony of less than a dozen witnesses when, according to the preamble to the final regulations, this was the issue "that drew the most comments overall."

Protections need to be certain. Patients need to know that the information won't be disclosed. The Supreme Court decided in considering this decision that free disclosure was so important, the patient had to feel confident that there would be no disclosure without his consent. He said the protection should apply to all communications, similar to the psychotherapy privilege. Exceptions should be clear and narrowly defined. APA asked for clarification on special protections intended for psychotherapy notes and that exceptions not be permitted.

Public Testimony

Ms. Kaigh underscored that the common rule allows research to be done on patients without their consent, if an institutional review board decides this poses minimal risk to the patients. She countered that it should be up to patients to decide what poses a minimal risk to them. She said there was a fallacy in Genentech's presentation of de-identification. On the one hand, they said they needed all identifying information, if possible. On the other, they stated de-identified information was always reidentifiable.

She objected to the balance of the panelists. She said almost all the invited guests represented doctors' groups, hospitals, researchers and insurers that want maximum patient information. Where was the equal representation by those who only want minimum necessary information to pass and call for patient consent before information is used for patient research and other uses? According to the Subcommittee's discussion, it seemed there would be a "free for all" with insurers getting encounter information without the need for separate patient consent.

Ms. Kaigh told how her father, a physician wanting to help medical research and mankind, let a teaching hospital use his cancer cell slides, so long as he remained anonymous. However, his name appeared on a slide indicating the late stage of his cancer and colleagues called to say they were sorry he was dying. She said this was devastating to a private man fighting for his life. The patient should decide if he is willing to accept these risks.

Ms. Kaigh implored the Subcommittee to acknowledge that these discussions have been predominantly one-sided and, remembering the thousands of public comments wanting no access without patient consent, hold further hearings in which patients' rights groups can present views protective of every citizen's privacy.

Asked to clarify a particular recommendation she objected to, Ms. Kaigh said she had confirmed that the recommendation to permit a provider to give information to a health plan for that plan's operations could include the substance of the entire encounter discussion. Members responded that there had been a misunderstanding and that they had been voting against something that appeared more restrictive. They would revisit that issue in the next round of review.

Discussion

Ms. Blevins said they'd heard a lot that afternoon from panelists representing academic medical centers and researchers who clearly want access to patients' medical records without getting patients' consent. Noting patients' voices weren't heard, she pointed out that the Gallup survey conducted in August indicated 67 percent of Americans don't want researchers to have access to their medical records without their consent. Some 93 percent of Americans say researchers should first have to obtain permission before studying their genetic information. She requested that HHS make available to the public an accounting disclosure of the comments citizens made in December 2000 and this past March that greatly opposed research without their consent. She recalled that six people spent almost five days at HHS going through the comments and the public was strongly opposed.

Ms. McAndrew replied that they addressed the public comment received on the notice of proposed rulemaking when the final rule was issued. The additional public comment requested in March was on a final rule, not a notice of proposed rulemaking, and there was no APA provision for that kind of public comment. These comments were being dealt with on a less formal basis, as general guidance to the Secretary to inform his decision prior to the April decision to allow the rule to go into effect, and now in considering where guidance and modification to the rule might be needed. APA required that the comments be considered; it didn't require a count. But she assured that all comments were considered. One reason the preamble was so lengthy is that they made extensive responses to the comments and tried to summarize the major positions presented.

Mr. Rothstein noted, for the record, that the comment about the make-up of the panels not being representative of all interests was an accurate assessment. He reiterated that the purpose of the hearing was to get insights into the most efficient, effective strategies for implementing the privacy rule. It was not to do a total reconsideration of the philosophy or merits underlying the rule. In that regard, they invited those engaged in implementing the rule to find out about problem areas and where there were needs for clarification or additional guidance. Whether the Committee, in its deliberation, went beyond that scope in formulating recommendations was a separate question. This was a deliberate action to get to people dealing with the implementation issues and identify the practical problems.

Ms. Kaigh said her problem with that was the semantic difference between suggestions for implementation and clarification/modification, which were slight compared to the major change to the rule contemplated by those considering removing the consent provision. Talking about removing the provision was talking about changing the heart of the rule. She questioned how this could be called a privacy rule if, as contemplated yesterday, they removed the consent provision. She said it was only fair to have patients' rights groups testify, if they were contemplating that.

Members took a second look at amending the rule to provide that a health care provider without written authorization might disclose to a health plan PHI necessary for the plan's health care operation. Dr. Cohn commented that the provision meant the minimum necessary, whatever the intended purpose. He noted HEDIS measures required more than electronic encounter information with the intent of ensuring quality of care. Charts had to be looked at. That was the rationale and reality they knew. Mr. Rothstein said the proposal would continue the status quo and undo HIPAA in terms of these uses by health plans. Ms. McAndrew added they would have to modify the rule so that the consent the provider got from the individual allowed them to share information with the individual's plan. Mr. Rothstein asked whether there was any evidence that a substantial number of people would refuse to sign that authorization, resulting in an impairment of the ability to provide high quality care by following HEDIS measures. Ms. Greenberg questioned whether the plans had a practical way to get this consent. Dr. Zubeldia said they'd heard that the plan would get it at the time of enrollment. But they'd also heard that, under HIPAA, a plan could not revoke a beneficiary because of lack of consent. He suggested that the encounter information (which was otherwise not allowed, because it was not for payment) flow from the provider to the plan for the plan's operations.

Mr. Rothstein said if they were saying a plan couldn't operate without access to all the information, they could either presume patients consented or give both the patients and themselves a choice, de-certifying people who won't sign the authorization at enrollment. Ms. Greenberg noted that encounter information didn't include everything. Mr. Rothstein said he was trying to figure out a way to protect the patient's interest. With this, they wouldn't know what's being disclosed or have a choice. Given a choice, they might be able to find a provider and plan willing to take them without these disclosures. Mr. Scanlon asked if it wasn't part of the provider's informed consent procedure to indicate they were obligated to share information with the plans they were affiliated with and require written authorization as part of the notice. Ms. Greenberg commented on the disconnect between allowing to send to the plan for payment purposes, but not health care operation. Most health care operations were done by the plans. A remedy was needed.

The Subcommittee re-voted on both parts of the bullet. First: To amend the rule so a health care provider might, without individual written authorization, disclose to a health plan PHI necessary for the plan's health care operation. The recommendation was defeated. In favor, one. Opposed, two. Abstaining, 2.

Members discussed that the other half, Amend the rule to ensure that the privacy rule does not prevent plans from getting information from providers that they need for accreditation and other health care operations, was ambiguous. They wanted to support the need for this information to be shared within health plans, but needed a more specific list. Noting their limited time, Mr. Rothstein suggested tackling that in a conference call. Ms. Greenberg noted they had to have a quorum and provide notice so the public can participate. Notes on minimum necessary research and marketing will be distributed. A two-hour conference call to get through the rest of the issues in minimum necessary and research was scheduled for September 10th, 11:00 o'clock Eastern time. Ms. Greenberg suggested prioritizing what they'd get through in the next half hour and tomorrow, and then what was needed before the conference call. Whatever they had by then would go into the letter. On September 24 they could tell the full Committee what other issues they'd discussed, and the next day bring additional issues to the Subcommittee. Future plans could be deferred. Mr. Rothstein said they could view the purpose of the hearing process as providing OCR with an in-person opportunity to hear from various witnesses. Anything they came up with in addition was "gravy on the cake." The Subcommittee approved the proposal (3, 1, 1, 1) and put it on the agenda for the full Committee.

Patients should have the right to consent to--or refuse--participation in disease management programs. An individual's enrollment or costs should not be affected if he declines to participate in a plan's disease management program. We oppose any disclosures of health information for disease management activities without the coordination and cooperation of the individual's physician. There is no such requirement in the final rule. We believe "disease management" needs to be defined narrowly, to prevent inappropriate use and disclosure (e.g., for marketing purposes) of health information without the patient's consent. Noting they could ask witnesses from the Disease Management Association about this in the morning, the proposal was tabled.

The APA is concerned about the disclosure of medical records for judicial and administrative proceedings. Patients will lose some existing privacy protections because the current practice of hospitals and doctors, generally requiring patient consent before disclosure, will change as a result of the regulation. Ms. McAndrew noted that all section 164.512 disclosures, including the one for judicial proceedings, were permissive. Members requested additional clarification in a FAQ that everyone was able to have a stricter practice.

But the new regulation would allow providers to disclose medical records information in response to a subpoena, discovery request or other lawful process that is not accompanied by an order of the court or administrative tribunal, as long as reasonable efforts are made by the party seeking the information to give notice to the patient or to secure a qualified protective order. Members noted this was similar to the last proposal.

We believe that it is essential that the definition of psychotherapy notes needs to be expanded. While the APA is presently developing a formal policy position, an overwhelming consensus has already developed among our psychiatric physicians about the critical need to include the medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis and progress. Mr. Rothstein noted that another proposal to extend the protection for psychotherapy notes to all communication with mental health professionals had been put forward by the American Psychoanalytic Association. Ms. Fyffe remarked that some of the treatment and diagnostic codes offered for payment purposes would be inadequate. Mr. Blair questioned why a payer needed to know more. They'd heard several times of patients' concerns about sharing information with doctors because of the consequences of being diagnosed with depression or bi-polar. Ms. Fyffe said she believed psychotherapy notes should be private. But she didn't believe it was unreasonable for a health plan to know information to adjudicate the claim: medication prescribed and monitored, counseling sessions with a beginning and ending time, results of clinical tests and the treatment plan. Members agreed to note that providers and plans are not currently in agreement with this broad issue of payment that is not relevant to the topic of consent.

Additional protections consistent with the Supreme Court's Jaffee v. Redmond decision are essential. Members agreed this was covered by their last set of comments.

We also believe that language needs to be added to clarify the privacy protections covering treatment modalities broader than psychotherapy and the patient's medical record. Mr. Rothstein noted that this was subsumed within the jurisdictional issue.

The APA also wants all Americans to be free from unreasonable police access to their most personal medical record information. Members noted this was beyond the scope of the hearing.

We believe that the protections of the Fourth Amendment probable cause standard including independent judicial review for all requests should apply to a person's medical history as it applies to their household possessions. This was considered another scope issue.

We are hopeful the commission will agree with the APA that marketing or fundraising endeavors have a patient opt-in before the activity occurs rather than the regulation authorizing the patient to opt-out of any further endeavors. Members tabled this until the panel on marketing.

The AMA believes that to obtain consent before any use or disclosure of individually identifiable health information honors the rights of the individuals and the primacy of patient consent. Mere notification does not rise to the level of respecting the autonomy of the patient. We believe that a consent requirement that accommodates the needs of patient care and is workable for providers is preferable to abdicating the principle of patient autonomy in the name of convenience. Members observed this was the other side of an issue they'd deferred.

The rule should allow reasonable and limited uses or disclosures to carry out TPO before obtaining patient consent. Members noted that the first encounter, pharmacy, and referral were already addressed in pharmacy.

Uses and disclosures of PHI created or received prior to the compliance date of the privacy rule should be allowed to continue as prior to the effective date without regard to content. Thus, many physicians would not have a written authorization on file for their patients. The AMA would urge HHS to treat all covered entities in the same manner with respect to this issue. This was another repetition.

The rule should qualify the right for patients to request restrictions on uses and disclosures of PHI and to revoke consent with a good faith standard for compliance and enforcement purposes. The Subcommittee noted it had already addressed the issue of restrictions and revocations and that the concept of a good faith standard went with the next proposal. The right to revoke consent should also be qualified with a good faith standard. Members decided to mention this testimony in the body of the letter and raise the issue with the full Committee, but table the proposals on revocation and restriction until the enforcement rule came out.

The following three recommendations were tabled until the next day, along with other management and marketing activities: (1) Therefore, the current definition must be narrowed to only include necessary and critical business operations, especially if some covered entities are not even required to obtain consent; (2) The definition of health care operations must be narrowed; (3) It is clear that a patient's enrollment in a health care plan or treatment by a provider.

Members noted the next two proposals anticipated certain non-routine elements would be dropped out of health care operation and wind up in an individual authorization mode. That hadn't happened: (1) Authorization should be required for non-routine, non-critical uses and disclosures of protected health information, (2) The AMA believes that covered entities should have to obtain authorization for non-routine, non-critical uses and disclosures separate and apart from the consent required under the privacy rule.

If the requirement to obtain consent is removed from the regulation… It wasn't.

Health plans should be required to obtain patient consent for payment and health care operations. Dr. Zubeldia remarked that if the plan had to require consent, then it also had to disclose health information practices. It all tied together. Noting they could not review this proposal in the few minutes remaining, the recommendation was deferred.

Most health plans require signed paperwork by enrollees and the privacy rule requires that they provide a notice of privacy practices. Consent can easily be included. The group had already deferred on the issue.

The AMA urges HHS to incorporate all possible improvement so it will not impede patient care or health care delivery. OCR would be doing that.

To this end, the rule should allow reasonable and limited uses or disclosures to carry out TPO before obtaining consent… Members had been through that.

Moreover, to further protect patient privacy, the definition of health care operations should be narrowed so that patients will not be forced to consent to non-routine, non-critical uses of their confidential information, especially when de-identified information could be used. Members noted they'd already recommended an expansion of the protection beyond psychotherapy notes. Ms. McAndrew clarified that the definition in the rule referred to notes recorded by the health care provider, documenting or analyzing the content of conversations during private or group family counseling sessions kept separate from the medical record. In addition, a request was noted for OCR to define the exceptions so the patients will know what's in them. The consensus of the group was to request further clarification of the exceptions and the process notes. The Subcommittee adjourned at 6:05pm until the following morning.


August 23, 2001

Mr. Rothstein welcomed everyone to the last day of the Subcommittee on Privacy and Confidentiality's three-day hearings on implementation strategies and other issues related to the privacy rule and reiterated the purpose and rules.

Panel 6, Marketing

Ms. Hustead said HPP was thrilled that the Department allowed this regulation to go into effect, despite intense pressure from some in the health care industry. HPP was relieved that the guidance reaffirms the major concepts in this privacy regulation and pleased the Department joined them in rebutting myths and misstatements. She expressed hope that the guidance would calm industry fears, lead to greater acceptance of the regulation, and foster compliance--though she said she wasn't sure, given some of the testimony, it entirely accomplished those objectives.

Ms. Hustead spoke briefly about other topics covered at the hearing, noting HPP's detailed written testimony. HPP agreed that modifications needed to be made to the consent requirement to address operational glitches, but emphasized it should not be eliminated; she was pleased to hear the recommendation to eliminate the requirement was deferred. HPP fully supported the minimum necessary standard and viewed it as a cornerstone of this and any effort to protect privacy. She echoed yesterday's testimony from both the American Nurses Association and the American Civil Liberties Union about the importance and workability of the concept. She said HPP believed the research provisions were a major improvement over the status quo that would make people more comfortable about participating in medical research.

Despite general enthusiasm for the regulation, Ms. Hustead noted weaknesses needed to be addressed by the Department, especially the regulation's approach to law enforcement access, marketing and fundraising. A 1999 California HealthCare Foundation poll confirmed that the public opposed the use of medical information for marketing purposes without consent. Seventy percent of those surveyed said they would not give permission for a drug company to use their medical information to inform them about new drugs or other health care products. Some 66 percent of the people in a 1993 Harris survey said it was unacceptable for hospitals to use their patient records to solicit donations. There was an overwhelming public outcry over the disclosure in 1998 of a marketing arrangement between chain drug stores and a marketing company under contract with pharmaceutical companies. Due to public opposition, the companies ran ads announcing they were ceasing the program. Ms. Hustead said she was especially troubled that the regulation authorized precisely the marketing activities the public resisted so vehemently.

Noting marketing and fundraising were "literally buried" in the definition of "health care operations," Ms. Hustead said these activities were not among the core health purposes that belonged in this TPO category. But because the regulation treated them as part of health care operations, providers would be able to engage in certain marketing and fundraising activities, once patients signed consent. Ms. Hustead said the after-the-fact opt-out in the final regulation was totally insufficient: the privacy "reg" provided greater protection against unwanted disclosures of facility directory information (where individuals were given an opportunity to opt-out before disclosure) than it provided for certain commercial uses and disclosures of PHI.

HPP appreciated the Department's effort in the regulation to limit the type of marketing and fundraising communications permissible without a separate authorization. While the safeguards made these provisions less objectionable, Ms. Hustead said the approach remained unacceptable. Covered entities should not be allowed to use or disclose PHI for these purposes without an explicit and separate authorization highlighting the marketing or fundraising use or disclosure.

Ms. Hustead observed that defining precisely what constitutes marketing, and thus in HPP's view required a specific and separate authorization, presented a difficult challenge. She noted the regulation's attempts to define marketing (section 164.501) by saying what it was not raised as many questions as it answered. And the July guidance hadn't shed much more light. She pointed out that many of the letters produced under the marketing arrangement that came under fire in 1998 suggested alternative drugs or therapies (e.g., smoking cessation products). And she asked if this controversial arrangement would be permissible under the regulation, as long as the pharmacy, itself, did not receive direct or indirect remuneration. She noted the July guidance explicitly states that informing smokers about effective cessation programs isn't marketing. She queried whether a business associate's assumption of the cost of sending that communication constituted indirect remuneration to the covered entity. How tailored to an individual patient's circumstances did treatment recommendations need to be for the communication to constitute treatment rather than marketing? Was the recommendation sufficiently individualized if all the drugstore's clients using a particular medication got an identical letter suggesting alternative treatment? Ms. Hustead urged the Department to provide guidance with concrete examples illustrating the lines drawn between marketing and non-marketing.

Dr. Villagra conveyed DMAA's belief that, pursuant to the privacy rules, disease managers who encourage patients to utilize disease management services are engaging in health promotion on behalf of patients, not marketing, and he urged the Committee to seek confirmation of this interpretation by HHS.

He noted the guidance indicates that a covered entity is not marketing when it uses an individual's PHI to tailor the health-related communication to that individual when the communication is "made in the course of managing the individual's treatment or recommending alternative treatment." Dr. Villagra said the privacy rules need to clarify that disease management companies, as business associates of other entities, are not engaged in marketing when they communicate about a product or service directly related to the patient's or population's plan of treatment.

Dr. Villagra said disease management services, by definition, manage or support treatments and health care operations. HHS has recognized in extensive preambular discussions that all disease management activities within the DMAA definition of disease management fall within the treatment or health care operations exception. Indeed, the exception explicitly includes notification of providers and patients of alternative treatment methods.

In summary, Dr. Villagra said the privacy rules should confirm that all legitimate disease management services and related communications with providers and patients fall outside of marketing, unless their primary purpose is to sell a particular product, service, drug or device.

Dr. Villagra stated that DMAA, which has a broad industry membership including health plans, disease management organizations, provider groups and individual physicians, has developed a carefully considered definition of disease management that is referenced on Page 82627 of the commentary to the privacy rules. He said DMAA continues to refine this definition and plans to have an accompanying definitional process in place by October.

Responding to a query, Dr. Villagra said the way the privacy rule defines marketing is satisfactory, provided some of the possible ambiguity in its interpretation is clarified. Dr. Villagra said the definition was workable for DMAA; the trick, going forward, was to correctly identify disease management programs and services, both within and outside of that context.

Ms. Pellow recalled NAIC long recognized HHS's efforts to establish standards that protect the privacy of consumers' health information and had noted similarities between the proposed regulation and NAIC's own model laws when they first submitted comments in February 2000 on the HHS proposed privacy rule. While they raised concerns about the preemption of state laws and interference with state insurance departments' responsibilities, overall NAIC had supported HHS' approach. However, Ms. Pellow conveyed NAIC's concern that the final regulation is a significant and unfortunate change from the proposed regulation that allows covered entities to disclose PHI for certain marketing purposes, without the individual's authorization.

Ms. Pellow expressed concerns that exceptions will swallow the general rule. NAIC supports the establishment of exceptions for certain legitimate business exceptions and transactions, but she emphasized NAIC's belief that this exception guts the purpose of the regulation: protecting consumers' health information. She said she wasn't aware of any other provision in the regulation that required a marketing exception in order for a provider to talk to the patient about treatment options or a health plan to tell enrollees what benefits were covered under their plan. She noted that offering consumers a way to opt-out of future marketing wasn't the same as giving them the right to make the initial decision, up front. And she expressed NAIC's concern that, once an individual's information was disclosed for marketing purposes, the ability to keep it from further disclosure was speculative. Noting the assumption behind the HHS regulation is that health information deserves a higher level of protection than other information, Ms. Pellow said NAIC believes the marketing exception in the final regulation is a giant step backwards for consumers. NAIC urged that the exception be removed in favor of the approach in the proposed regulation.

Ms. Pellow clarified her beliefs that: prior individual authorization should be required for all marketing, that the final rule was better than the status quo, and the notice of proposed rule making was best because it had required opt-in authorization for all marketing.

Mr. Rothstein revisited the question tabled yesterday, reading the recommendation to Dr. Villagra and asking for comment: Patients should have the right to consent to--or refuse--participation in disease management programs. An individual's enrollment or costs should not be affected if he declines to participate in a plan's disease management program. We oppose any disclosures of health information for disease management activities without the coordination and cooperation of the individual's physician. There is no such requirement in the final rule. We believe "disease management" needs to be defined narrowly, to prevent inappropriate use and disclosure (e.g., for marketing purposes) of health information without the patient's consent.

Dr. Villagra concurred. Any activity was marketing that, under the guise of disease management, sold products as its primary purpose. He noted the concept that large groups of patients participating in disease management ought to have explicit authorization from physicians had been tested and approved in California. CIGNA HealthCare sent over 10,000 letters to physicians caring for large populations of patients with diabetes, asking for their permission, prior to enrollment in their patient educational and health promotional activities. They received some 125 replies from physicians: some stated they didn't want their patients participating--but the majority had not explicitly opposed enrollment. Because of administrative problems this created, the burden of cost, and potential delay, Cigna introduced a proposal to allow disease management companies to, instead, inform physicians of such activities. The physician could request that the patient not participate. The original legislation included consent from the patient or confirmation that the patient had been informed of their option to participate or opt-out.

Dr. Villagra disagreed with any requirement for patients to participate in the disease management program. He supported the notion that physicians were an integral part of disease management programs; the entire philosophy of these programs centers on supporting the patient-physician relationship. And he said there should be a provision that allows information and services as support tools to patients, channeled in the context of legitimate disease management programs, to be accepted and covered as stated in the current rules.

Mr. Blair asked if the disease management entity had the right, within a narrow definition of disease management, to directly inform the patient of an alternative drug or therapy without the consent of the physician. Dr. Villagra said it did in the context that disease management program information offering broad, alternative choices empowered informed consumers. He said he was resubmitting DMAA's definition of disease management for the Subcommittee's consideration.

Noting she recommended deleting marketing from the definition of TPO, Mr. Rothstein asked what Ms. Hustead's position would be if they took other marketing out, but included disease management narrowly defined within TPO. Ms. Hustead said she shared HHS's concern and skepticism about disease management and urged them to question: Whose idea was it? Who bore the cost? Who got paid? Who benefited? She recommended against using the term undefined and without consensus. Ms. Hustead noted a lot of innovative, interesting things were being done by health plans to monitor patient care. She didn't think the way the regulation defines treatment, payment or health care operations had to be changed in order for those activities to continue.

Ms. Pellow agreed the marketing provision opened the door to gray areas and the definition of TPO was broad enough to address legitimate uses. NAIC's position was to get authorization from the consumer. Dr. Villagra said omission of disease management from the TPO would create greater confusion and lumping these programs with a variety of administrative activities would be taking an enormous step backwards. He urged the Subcommittee to root their definition on the DMAA's definition of disease management and explicitly mention it under the treatment and health plan operation. Ms. Hustead noted the preamble to the regulation observed that a consensus definition had not yet evolved from the field and, rather than rely on the label, it had been deleted and functions often discussed as disease management activities included instead in the treatment and health care operations definitions.

Ms. Fyffe asked Ms. Hustead to elaborate on a point in her written testimony about access to personal medical records by law enforcement officials. Ms. Hustead noted this was one area where the consumer community and the industry seemed to agree. Access should be circumscribed, with law enforcement officials going to a judge or a neutral magistrate who weighed the appropriateness of access to those medical records in that circumstance.

Mr. Fanning asked about the application of disease management in a product-oriented or fee-for-service context. Dr. Villagra replied that the largest component of disease management involved patient education and physician feedback; experience in the industry demonstrated that the sale of goods was not a central activity. He noted the progress made with the DMAA's definition of disease management, the creation of a registry, and NCQA's development of accreditation and certification requirements for disease management programs. Dr. Villagra urged the Subcommittee to include this as part of the definition of treatment health plan operations.

Dr. Villagra explained that before his company engages patients they inform the physicians that patients under their care with a particular disease are going to be invited to participate in a disease management program. Materials that will be shared with the patients are submitted to the physicians for their review and the insurance company contacts patients informing them that as members of the plan they are entitled to participate in this program unless they opt-out. If they don't opt-out, information is transmitted to the disease management program so that it can begin. He said the option to opt-in didn't work with population-based programs. A key success element of disease management programs based on claim-based identification of eligible patients is that large populations of patients with chronic diseases (e.g., 3000 patients with diabetes in the Houston area) can be identified at a given time. An opt-in option creates a staggered enrollment process and dilutes the effort into a largely individual-based program.

Asked how topics that have special sensitivities were handled, Dr. Villagra said the disease management program could screen patients with chronic conditions (e.g., diabetes, cardiac disease) who bore a priori probabilities of depression significantly higher than the rest of the population and pass that information on to the primary care physician. The ability of disease management programs to identify these populations and refer them to primary care physicians or behavioral health specialists was part of the program.

Asked if DMAA had guidelines about relationships with companies selling products, Dr. Villagra said it didn't have an explicit directive but felt that business had been abundantly covered since the FDA Modernization Act. Members took care not to contaminate this movement's ethical backbone rooted in better-informed patients by engaging in the promotion of specific products.

Dr. Zubeldia posed the example of wanting to notify a population of patients having a compliance problem with a relatively high-cost drug that a more affordable generic equivalent has come on the market. The difference in price will reduce the compliance problem and lower costs for the health plan. Was that disease management or marketing? Dr. Villagra replied that health plans had ongoing communication with treating physicians about the management of pharmacy benefits, but disease management programs were not designed, empowered or chartered with telling patients specifically about the switch of a particular product with its generic counterpart.

Asked how, under the new privacy law, the plan could get the list of names to do disease management, Ms. McAndrew clarified that plans have regulatory authority and are not required to obtain consent to do TPO; disease management would be a health care operation. The plan already knew which of their membership had a particular condition and might ask the physician for additional information. To the extent that the disease management program could be viewed as coordinating or assisting in the treatment, the provider could provide information to the plan for disease management purposes. From the provider's perspective, it would be viewed as treatment. Ms. Hustead pointed out that yesterday's conversation about accreditation, HEDIS and concern about information going from the provider to the plan was a slightly different issue. As Dr. Blevins explained, a disease management program is either a treatment or a health care function of the provider itself, so that information can go to the plan or directly to the disease management people. But the accreditation or HEDIS data is not a treatment or health care operation function of the provider, and so the provider cannot disclose it.

Dr. Cohn noted that Ms. Hustead had expressed concern about fundraising as well as marketing. She said HPP's concern about marketing was more serious for two reasons: (1) the regulation limits the purpose of fundraising to acquiring money for the covered entity; commercial interests outside of the covered entity didn't have a stake and (2) for fundraising purposes one can only disclose or use demographic information--nothing about the patient's medical situation. Nonetheless, HPP's position was that fundraising should only be engaged in after the patient had given authorization. Ms. Hustead also clarified that the regulation would allow a covered entity to disclose information to a business associate or an institutionally related foundation in order for that outside entity to send a fundraising communication, but the purpose had to be to raise money "for the benefit of the covered entity."

Mr. Blair noted everyone they'd heard recommended not including marketing within TPO for consent. He also heard possible consensus on a narrow definition of disease management, and both Dr. Villagra and Ms. Hustead seemed to indicate that they could define disease management narrowly by defining the list of functions where there was agreement. Defining it in terms of uses, they could get specific, eliminate ambiguities and the possibility or perception of abuse.

Ms. Hustead agreed one could look at the functions a disease management program performed. Those functions were listed in the definition of health care operations; that didn't need to be changed in order to be permissible. But the activity also had to be evaluated against the regulation's definition of marketing, before deciding it could be conducted without a patient's explicit authorization. Even if the function was to promote health, there could be significant commercial motives.

Mr. Blair noted he heard concern that disease management organizations could be corrupted by these abuses, and he said it sounded as if there might be a group that could offer a list of the functions and work with other advocates to protect against abuses. Ms. McAndrew clarified that the current rule allows all of the legitimate activities described. Disease management wasn't specifically named, but its components were broken out functionally and included in either the definition of treatment and/or health care operations. Ms. Greenberg said she respected the request that disease management be included, but noted she hadn't heard that anything in the current rule, even with marketing removed, would hinder disease management activities. Dr. Villagra agreed with Mr. Blair's summary, adding that a narrow, operational definition of disease management would clarify things. He encouraged the Subcommittee to work with DMAA, utilizing that definition of disease management to create a procedural operational tool that would separate activities Ms. Hustead would like removed from that interpretation.

Ms. McAndrew concurred with Ms. Hustead; the difficulty was not in disease management. Taking marketing out of health care operations, leaving the disease management function, still didn't determine, by their definition, that an activity was a legitimate health care operation. A marketing definition had to be overlaid on those permissible health care operations activities and two questions had to be asked. Was it a health care operation? If so, was it also marketing--was a marketing filter needed to distill those activities?

Retabling the first day's issue about disease management that they just clarified until their discussion on marketing, members raised the concern of Robin Kaigh, one of the public witnesses, that the free flow of records allowed information from a bad doctor-patient relationship to follow the patient indefinitely. Mr. Blair said he understood patients now had the right to view their records and add their own comment to statements they felt uncomfortable about. He suggested considering what else they might do, realizing that the patient does have some rights to mitigate the impact of a negative comment. Mr. Rothstein observed that, while the frequency with which physicians made such comments might not decline, with state legislation allowing patients right of access, they probably would be more balanced.

Members noted the following opinion was reflected: Access under the rule is too broad and that is a very sort of broad recommendation.

Give patients the opportunity to restrict disclosure, not just request it.

Two more proposals were tabled for the discussion on marketing: (1) To create a special exemption for disease management, and (2) To include disease management in the definition of treatment.

The Subcommittee noted that the last three proposals on consent were addressed yesterday: (1) Allow a provider, pursuant to a consent, to disclose PHI to a health plan that will use it for TPO, (2) Covered entities should be allowed to use or disclose PHI collected before the compliance date of the rule even if no written permission to use or disclose information has been obtained, and (3) Revocations of consent should apply only to PHI collected or generated by a covered entity. After it has received a notice of the revocation, PHI that was generated or collected prior to revocation still may be used for health care operations, without the entity first demonstrating that it has relied on the information being available.

Mr. Rothstein reminded everyone that they were only closing their discussion that day; the process remained open to receive additional public recommendations dealing with consent until close of business on August 27. These would be circulated so members could review the consent issue and, hopefully, the minimum necessary and e-mail Ms. Horlick any additional points they wanted to include. Anytime through the approval process of the full Committee, Subcommittee members could bring forward recommendations. Mr. Rothstein noted they had tabled the issue of the disease management programs and other proposals beyond the scope of consent and deferred some so broad they reopened the basic philosophy. They would review the marketing proposals once they had the printout of the total recommendations package. As they began to see drafts, discussion, clarification and further work would resume. Today's goal was to get through minimum necessary. They'd do research and marketing on their September 10 conference call; there would be a Federal Register notice and an opportunity for people to call in.

Dr. Cohn reflected that virtually everyone was in favor of the minimum necessary concept, with a tremendous amount of clarification about what exactly it meant to make it implementable. Dr. Harding remarked on the debate about whether the requestor or responder decided minimum necessary; he suggested this should be addressed in the definition.

The following proposals were noted: (1) Favors national legislation, (2) Much legal uncertainty leads to defensive restrictions on the flow of information, (3) Only the requesting entity can determine if the requested information is the minimum necessary, (4) Minimum necessary could lead to shielding information for detecting broadened views, (5) Health plans need PHI to assess risk and to underwrite, (6) Need a final security rule, (7) Minimum necessary will be costly, (8) Speed is essential to keep the implementation costs down.

Members discussed that, "Only the requesting entity can determine that the requested information is the minimum necessary," would be a major change from the current rule, which states a covered entity is obligated to request only the minimum necessary and the responder is also obligated to make a minimum necessary determination. If the request comes from a covered entity, the rule permits the disclosing covered entity to rely on the minimum necessary determination of the requesting entity, provided that reliance is reasonable. The requestor and requestee must negotiate with each other, if they are within a covered entity. If there is no agreement, the entity that has the information controls what is disclosed. The recommendation would shift the balance of power to the requestor. Dr. Zubeldia noted they'd heard that NACD didn't want to have any liability in making the determination of minimum necessary. They'd also heard the payers wanted to know more than the pharmacies wanted to give.

Ms. McAndrew said concern about what happened if covered entities couldn't come to an agreement involved an unlikely scenario. Treatment communications weren't "on the table." The situations they'd heard about were basically plans versus providers struggling over how much information was needed for various plan operations and/or payment needs or fraud detection. Plans had other ways to leverage against providers and, ultimately, the individual. A proactive provider had the ability, under the rule, to make their own minimum necessary determination and open negotiations. The ultimate resolution was up to the parties. Noting they'd heard a lot of anxiety about how this played out, Dr. Cohn suggested a recommendation that the Secretary provide additional clarification in the form of a Q&A or guidance.

Mr. Rothstein took up the second proposal: Much legal uncertainty leads to defensive restrictions on the flow of information. He noted they'd heard concern for three days that providers and others fearful of liability would err on the side of keeping things undisclosed, resulting in a diminution of quality of care and interference with payment and operations. He suggested putting in the letter a strong recommendation that OCR's educational efforts specifically address the concern about the defensive maneuvering several witnesses described. Dr. Harding remarked that, so long as there is ten years in prison and a quarter-million-dollar penalty, people would be paranoid and dump liability. Making people feel comfortable was going to be a real educational job. Mr. Rothstein suggested that enforcement rules with examples of conduct that led to prosecution might increase the comfort level around good-faith errors in implementing.

Ms. Greenberg remarked that, hearing and reading the first set of testimonies, the bottom line was the minimum necessary provision wasn't necessary. Mr. Rothstein proposed they incorporate into their discussion of minimum necessary a reaffirmation from the Subcommittee and Committee of the minimum necessary principle.

NCPDP needs to get consensus on the optional 837 variables to make them mandatory, situational or dropped.

Wants a person code to be assigned to individuals by HHS or by drug claims processors to avoid putting the patient's name on the claim. Members noted they'd heard that, at least from HHS' standpoint, the individual identifier wasn't in the cards at the moment. Dr. Cohn mentioned a problem in relationship to the NCPDP standards. Patient name was optional, therefore not covered, and anything optional had to be examined on a case-by-case basis. NCPDP was having difficulty resolving this. Given the implementation deadline, unless there was an emergency fix to the standard, it would remain optional. Dr. Zubeldia clarified that the 837 standard was required. The next 12 standards have no optional fields, only required or situational, with the situational well defined. The NCPDP standard had many optional fields, which opened them up to this minimum necessary elaboration in every case. He suggested that NCPDP quickly revise their standards, reducing or eliminating the optional fields, and produce implementation guides that specify situations in which those fields need to be used. If the standard was going to be adopted by the Secretary in time for the October 16, 2002 deadline, it needed to go through the NPRM process and an additional process to fast track again. He urged NCPDP to get together as an industry and define situational elements for pharmacy.

Dr. Cohn called for two things: a recommendation to NCPDP to get this fixed, and a signal to HHS that this would be implemented on schedule and, if things hadn't been changed by then, there needed to be a way to cover parties using NCPDP transactions until changes were in. Dr. Zubeldia noted the final rule stated the optional fields were subject to minimum necessary determination. He advised recommending that, as soon as possible, NCPDP fix the problem in the next version of the implementation guide. In the interim, they might come out with a pharmacy industry consensus or best practice as to what constitutes minimum necessary.

Mr. Rothstein proposed putting this on the agenda for the September 25 meeting. The full Committee could decide whether it should be within the letter to the Secretary or a separate letter to NCPDP from NCVHS. Mr. Bussewitz, a board member of NCPDP, said he didn't believe they'd meet the deadline. For six months they had failed to reach consensus; attorneys from both sides would meet next month. He said the biggest problem was that version 5.1 wasn't ready to be implemented. HHS adopted it, but with all the optional fields pointed out in the Federal Register on December 28, the privacy regulation, and the minimum necessary requirement, the industry wasn't using it. Mr. Rothstein suggested including in the letter to the Secretary that they'd heard testimony about this problem that NCPDP had to work out, and that the Department should be alerted to the possible need to react to this stalemate. Mr. Bussewitz said the most contentious issue was the name. The providers and plans had developed protocol documents of version 5.1 that didn't "look alike." Dr. Zubeldia said what he heard underlying the comments was that version 5.1 wasn't ready for adoption and should be retracted. Version 3.2 was operational today; pharmacies wouldn't be affected much. Members proposed referring the issue to the Subcommittee on Standards and Security, asking to be informed about the privacy implications of whatever they developed. The letter from the full Committee would note that a Subcommittee was continuing to work on this issue they raised.

Pathologists must be able to communicate with surgeons, avoids confirmatory testing when the diagnosis is already known and the information shared with the pathologist.

Too much ambiguity with the minimum necessary standard with so much discretion the guidance document is not necessarily needed at all within institutions.

The cost of determining and carrying out minimum necessary determinations prior to access to the medical record. Ms. McAndrew remarked that this reflected what they'd heard in the March round of comments: while minimum necessary did not apply to disclosures, they had a minimum necessary standard even for treatment for use within a covered entity. Ms. Horlick recalled Dr. Baillie's concern that information wouldn't be shared with the pathologist. Ms. McAndrew said she envisioned that the policies and procedures a covered entity would define for treatment uses would permit free flow of information within the institution among treating physicians and treatment teams. Ms. Greenberg added that medical students and residents involved with the care of the patient could be included in that policy. Members noted that the July guidance clarified that medical students and residents had access to the complete medical file. Mr. Rothstein remarked that this might be one of those areas where they had defensive restrictions.

HHS should provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations such as claim processing or grievance processing. It was noted the Department had already begun this.

Ideally the privacy rule should be modified so that the recipient of a request for information made by another covered entity automatically relies on that request unless it clearly is inappropriate. Absent that change HHS can help to prevent disagreements between the entities by issuing guidance, emphasizing that the privacy rule currently allows the covered entity to rely upon the request. Noting they had already considered a recommendation to provide additional clarification that this was the current state of the rule, members commented that the guide could specifically enumerate appropriate disclosures (e.g., the request for HEDIS data made by health plans subject to NCQA accreditation that they dealt with yesterday).

The next one, HHS should issue guidance clarifying that covered entities likely will develop different criteria for minimum necessary information and that a covered entity's organization procedures and information infrastructure will be factors in determining what information is necessary. The guidance also should clarify that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand. The group noted this statement of support for the current rule.

HHS should issue guidance that establishes that the minimum necessary requirement does not apply to a covered entity's internal use of PHI if the information used has been obtained from another covered entity. Members observed that this was a major shift, taking the opposite position from the rule. They recalled Mr. Fody's comments: the burden should be on the requestor who knew the business needs better--and the standard should be reasonable efforts, which varied between institutions. Ms. Greenberg noted they had addressed what they recommended yesterday, amending the rule to assure that the privacy regulation did not prevent plans from getting information from providers needed for accreditation and health care quality purposes.

The Subcommittee agreed that the letter should give a brief summary of the diverging points of view and state that the Committee reaffirmed the need for the minimum necessary standard. Because they were addressing the NCPDP issue separately, it might not be mentioned. They would ask for reiteration and guidance regarding reasonable reliance and the educational effort. The consensus of the group was that policies and procedures cover routine use, case-by-case determinations were only for non-routine use. The guidance said these were reasonable determinations and, in some circumstances, reasonableness would be based on the judgment of the prudent professional. The primacy in making the determination was in the hands of the custodians of the information, who could exercise their own judgment, reasonably relying on the requestor's determination of what was minimally necessary, unless it was clearly inappropriate.

Minimum necessary bolsters the patient's control of the PHI. The benefits of minimum necessary justify the cost. Concluding review of the first panel's recommendations, members noted they began their discussion reaffirming general support for minimum necessary.

Considering next proposals that emerged from the Q&A, members noted that, at some point, the health care industry needed to address the long-term issue of the demand for additional health care information, mentioned in the first proposal.

Secondly there is also a minor legal question as to whether this rule precludes exchange of information or PHI between professionals engaged in treatment when one of the professionals or organizations is a covered entity and the other party is one of the rare groups not covered by the HIPAA electronic transaction requirements and an authorization does not exist. AHIMA does not believe that any conscientious professional will let this question stand in the way of treatment, but it would behoove the Secretary and perhaps Congress to address this point and assure that these privacy standards apply to all health care providers. Ms. McAndrew clarified that the statute limited coverage to health care providers engaged in HIPAA electronic transactions, but it did not prevent these communications. A covered entity could disclose for treatment purposes, even though it was disclosing to a non-covered physician. Members agreed not to consider this issue: it was beyond the scope of the requested testimony and they hadn't heard from a full range of witnesses.

For years AHIMA has advocated that all release of information, communications and correspondence outside of the payment or normal claims in the patient accounting process should come from the health information management or medical records department or function. Obviously this really relates to an institution of some type or from the health care professional in charge of the patient's care or his or her HIM function. By centralizing the location or person where an outsider must go to get PHI information and identify where information will be released within the organization a mechanism is provided through policy, procedure and practice to narrow the gate of information flow and to assure that the information release is according to the rules, consent and authorizations involved. Members saw this as an internal management issue.

AHIMA did recommend that one of the privacy regulation rights be modified, namely, the right to request privacy protection for PHI. AHIMA did not suggest that this right could not be granted. In making our recommendation we pointed out that all health information should be accorded maximum privacy protection and security; segregating or requiring special procedures for certain subsets of the individual health record is both clinically and administratively ill advised. The Subcommittee decided this was beyond the scope of the hearing.

AHIMA indicated to the Secretary that it does not support this right to restrictions and recommended that it either be deleted from the rule or that it be optional for the covered entity to extend this particular right. Members had addressed the restriction issue the day before.

AHIMA recommended that the covered entity should be permitted to use its professional judgment and request additional justification for the amount of PHI requested by another covered entity. Members already noted that professionals should have the right to their judgment.

AHIMA recommended that the responsibility for disclosure of health information be centralized under the direction…. The group had also discussed this.

AHIMA recommended that the requestor of PHI present or sign a statement stipulating that the requested information is limited to the minimum necessary for the stated purpose. Patently it must be understood we are not talking about situations related to emergent and urgent treatment or the customary exchange of information in the HIPAA transaction.

AHIMA recommended that a statement prohibiting use of the information for other than the stated purpose and requiring destruction of the information after the stated need has been fulfilled should accompany any disclosure of health information to external requestors. Ms. McAndrew commented that this would not only be disclosed pursuant to individual authorization, but would likely also apply to disclosures under section 164.512 of the privacy rule (e.g., law enforcement, public health). The information would have to be destroyed or returned by a certain date, unless it was incorporated into other data that limited its identifiability.

What information should be released to the employer of liver disease? The group discussed that HHS should develop a standard protocol for use by occupational physicians in implementing minimum necessary for work-related PHI.

Next grouping of six bullets: (1) Minimum necessary is undefined and therefore unenforceable, (2) Minimum necessary is unintelligible, (3) No evidence that minimum necessary can prevent the widespread dissemination of sensitive information, (4) Minimum necessary might lead to the omission of critical patient care information from a copy of the chart. (5) Proposed excluding small entities, (6) Do not apply minimum necessary internally to an institution. Aim for optimum performance of its services. Members noted that in supporting minimum necessary, they had recognized the opposite view of the first two proposals and previously evidenced concern for the next two. Proposal number six, on internal uses, had also been addressed.

Require a warrant for law enforcement access. Members noted they couldn't make a recommendation without hearing from law enforcement people. But, although this wasn't related to minimum necessary, they agreed to convey concern they'd heard about the breadth of the law enforcement exemption for the full Committee's consideration. Members considered inviting the FBI, ACLU, the national chiefs of police and others to a full-day hearing in John Fanning's office sometime after the September meeting. Noting his impression of strong special interest groups on all sides and a magnitude that suggested Congress might have to deal with this, Mr. Blair questioned putting it on the agenda. Mr. Rothstein proposed giving a complete report to the full Committee in September, indicating what they'd heard and their recommendations.

Dr. Serkes added to the list two recommendations from her written statement asking OCR to: (1) issue advisory opinions on the minimum necessary standard (as the Department of Justice has done on the fraud and abuse issues) and (2) make available sample lists and minimum necessary disclosure forms. Members agreed advisory opinions could reduce tension in this risk-averse environment, but questioned whether this was appropriate for OCR, which will do the enforcement. They will make their recommendation to the Secretary and he can decide who should have the responsibility. Members also discussed collecting best practices. The first proposal, HHS should issue advisory opinions, was approved, four to zero. HHS should make available sample lists of minimum necessary including best practices documents also passed, four to zero.

Noting that they would finish up minimum necessary and do research and marketing during their conference call on September 10, Mr. Rothstein adjourned the meeting at 12:11 p.m.


I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/

Chair Date