Department of Health and Human Services

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

November 19-20, 2003

Silver Spring, Maryland

Meeting Minutes


The Subcommittee on Privacy and Confidentiality of the NCVHS was convened on November 19, 2003 at The Silver Spring Hilton Hotel in Silver Spring, Maryland. The meeting was open to the public. Present:

Subcommittee members

Staff and liaisons

Others


EXECUTIVE SUMMARY

Panel 1: Public Health

Dr. Burt discussed how the HIPAA privacy rule affects the National Health Care Survey (NCHS). Activities that qualified as disclosures under the rule caused problems, but careful planning in developing materials and training field representatives kept response rates high.

Dr. Gibson focused on the effect of the rule on disease surveillance, noting concerns with HIPAA privacy caused obstruction or delay in disease reporting and severe problems. He recommended that OCR prepare and proactively disseminate a clear statement of policy. Specifically, OCR should respond promptly, clearly and publicly to specific questions about interpretation of the Privacy Rule, e.g., on details of acceptable methods of documenting routine disclosures without need for individual documentation of each disclosure. An authoritative statement from OCR is needed that will provide acceptable protection to hospital attorneys and risk managers considering simplified documentation of public health disease reporting.

Ms. Love urged CMS to work with state programs around data sharing and use and HHS to build additional guidance and models for federal, state and public health agencies, a comprehensive educational strategy and culture of data exchange and sharing within and across federal agencies.

Panel 2: Public Health

Ms. Horlick noted where the National Immunization Program (NIP) addressed concerns about sharing information with public health under HIPAA: disclosure to immunization registries; site visits to provider offices assessing vaccination coverage levels and accountability; disclosure of perinatal hepatitis-B case information, and disclosure of immunization information to schools.

Mr. Orren said the biggest problem was disclosure tracking and the disincentive it created for reporting which impacted voluntary immunization registries. He endorsed the National Association of Health Data Organizations’ (NAHDO) comments.

Dr. Larson said fear of noncompliance jeopardized the quality of newborn screening and best practices. She called for working models for integrating public health testing in a framework recognizing issues of individual privacy and making reasonable efforts to protect them.

Ms. Van Tosh discussed ways of guiding people with mental illness, many of whom were unfamiliar with their rights and perceived as incompetent and incapable of participating in their own care, through key aspects of the rule, noting successful implementation was measured by the extent consumers were informed and empowered.

Panel 3: Health Care Industry Representatives

Ms. Goldman noted reasons for initial misinformation, confusion and misinterpretation and emphasized that the notice could be conveyed as a benefit. She cautioned OCR not to rely on complaints received but to assess implementation and seek feedback. She said private right of action and scope as well as marketing and law enforcement sections had to be strengthened.

Mr. Hughes urged OCR to reconsider business associate (BA) agreements, provide operational-level information detailing requirements and best practices, build a certification process, and target audiences for specific purposes in a user-friendly way ensuring wide dissemination.

Mr. Hill noted challenges in “coming to grips with” the proposed and final rule and that various industries had no consensus on critical components of the rule. He called for guidance on when information could be shared between providers and carriers.

Dr. Kibbe said most family physicians took a practical approach to implementation, though they felt it was not helpful to them or their patients and complained of the cost. He noted the need for best practices for small and medium-sized medical practices and hospitals and questioned whether the small practice should be guardian of all BA contracts.

Panel 4: Health Care Industry Representatives

Mr. Rode said accounting for disclosures was the main challenge. Conflict with the common rule and HIPAA impacted institutions doing research. Business associate agreements and preemption called for clarification. Conflict existed between HIPAA, federal and state behavioral health, substance abuse, drug and alcohol rules. Directory requirements and problems with law enforcement, court orders and subpoenas linked to the state HIPAA process were issues. Emphasizing clear rules and authoritative answers, he said people asked for a public document bearing HHS’s imprimatur that translated HIPAA into understandable English without the law’s “chapter and verse.”

Ms. Maassen discussed best practices for implementation of the privacy rule in long term care and the HIPAA Long Term Care Consortium. She urged coordinating analysis of variations in state and federal laws at a national level.

Mr. Dombi urged OCR to create an expedited process for defining a BA, clarify interagency communications, and coordinate with HHS on issues of compliance costs with the requirements.

Public comments

Ms. Levine described initiatives underway to design a standardized short-form notice that let consumers compare institutions’ practices.

Panel 5: Research

Ms. Gonzales noted research was a core mission and defining characteristic of most, if not all, academic medical centers. She presented a flow chart illustrating safeguards and discussed best practices and barriers. She noted the privacy rule’s focus on structure versus safeguards discouraged the collaborative approaches to research that NIH encouraged.

Shelley Bizila discussed recruitment issues between non-covered and covered entities. She proposed that: research team members be considered workforce members of the principal investigator’s covered entity; the institutional review board (IRB) confirm appropriate safeguards when a principal investigator utilized a third party for research-specific support, using criteria for business-associate agreements; and recruitment assistance with approved members of the research team be part of treatment and/or health-care operations. She asked that covered entities include future uses in the consent and/or authorization as determined by the IRB.

Ms. Ehringhaus conveyed the Association of American Medical Colleges’ (AAMC) concerns directed at: accounting for disclosures, authorizations and waivers, the de-identification standard, and the emphasis in HIPAA on organization versus function and structure versus safeguards. AAMC considered the waiver of authorization an unnecessary complexity and confusion, and advocated eliminating the accounting of disclosures and simplifying and adapting the de-identification standard for biomedical and health-sciences research.

Dr. Linet discussed the rule’s impact on participation rates, financial and legal issues, College’s plans to conduct ongoing assessment of the impact of HIPAA, and remediation measures.

Panel 6: Research

Dr. Roberts described experiences with research registries and proposed designating research as part of treatment and using the treatment, payment and operation (TPO) exclusion to enable research to use medical records without prior approval.

Mr. Lawniczak noted researchers’ ongoing difficulties conducting health services research and recommended that the Agency for Health Care Research and Quality (AHCRQ) and NIH collaborate on a method for the statistical de-identification of health information, HHS reexamine the preemption clause and identify state laws preempted, increase technical assistance and education to smaller covered entities, and that Congress increase funding for grants in recognition of the increased cost to researchers of the privacy requirements.

Dr. Boughman reiterated the difficulty in determining when researchers were members of covered entities in many complex academic institutions and the significance to geneticists of knowing the definition of limited data sets and recognizing intertwining and overlapping arenas of informed consent and HIPAA regulations, especially when doing multi-center studies. She noted issues with cross-sectional or longitudinal epidemiological studies and cautioned that HIPAA impeded research in many genetic disorders.

Subcommittee Discussion

Issues carried from the September 9 conference call include: FERPA/HIPAA concerns with privacy and schools; treatment of law enforcement, subpoenas and certificates of confidentiality; banks as clearing houses and the Gramm-Leach-Bliley Act; and the payment chain. Members discussed determining if conditions were better or worse than anticipated pre-April 14. Priority topics included: offshore medical contracting, accounting for disclosures, employers and correctional facilities, and employer access to employee/applicant health information. Members considered a discussion about the Congress expanding HIPAA’s scope to effectively cover BAs.

A meeting might be held late January if issues arise. A conference call will be scheduled December 3, 4 or 5 to identify and draft a letter to the Secretary on public health, research and general issues (e.g., accounting for disclosures) prior to the February 18-19 Subcommittee meeting.


DETAILED SUMMARY

The details of all presentations and letters drafted can be found in the meeting transcript posted on the NCVHS Web site, www.ncvhs.hhs.gov.

-DAY ONE-

Panel 1: Public Health

Dr. Burt discussed how the HIPAA privacy rule affects NCHS, which collects data from providers on patient encounters in order to make national estimates of utilization. NCHS comprises ambulatory, hospital/surgical, and long-term care. Data collection agencies include providers, sometimes collecting data, and provide feedback. A data use agreement covers surveys collecting limited data set information. NCHS is a public health authority collecting public health data. It also has IRB approval for research.

Accounting documents and data use agreements were modified or created. Introductory letters to hospitals, physicians and nursing homes were rewritten noting IRB approval. Frequently asked questions (FAQ) and answers were developed. Census Bureau field representatives were trained about HIPAA. Provider materials noted Web sites where physicians and hospital staff learn about the surveys, IRB approval letters and data use agreements. A presentation on the Web site helps physicians cooperate under the HIPAA privacy rule. The review and approval process involved discussions with OCR, NCHS' policy office, and CDC's Office of General Counsel.

When hospital physicians say they are too busy to abstract data, Dr. Burt explained that Bureau staff pull up the medical records for them, seeing, though not collecting, the patient's name. According to the rule, this qualifies as a disclosure and requires accounting practices. Another problem was accounting for multiple disclosures for the same purpose. NCHS developed complex charts so field representatives can ensure providers do all they need to be compliant.

Careful planning in developing materials and training of field representatives kept response rates high. Field staff said no hospitals refused because of HIPAA. Physician survey materials are available at www.cdc.gov/namcs; hospital survey materials at www.cdc.gov/nhamcs.

Panel 1: Public Health

Dr. Gibson shared experiences of both the South Carolina Department of Health and Environmental Control’s HIPAA working group assessing and addressing hospital confidentiality vulnerabilities and the Council of State and Territorial Epidemiologists (CSTE). HIPAA legislation strengthened security and confidentiality of state and local public health data. Uncertainty among covered entities about interpretation of the rule's exclusion of disclosures to public health agencies and the requirement that covered entities account for or track disclosures raised substantial concern about the effectiveness of disease surveillance.

Dr. Gibson discussed two e-mailed surveys of state and territorial public health epidemiologists and CDC bioterrorism grantees responsible for disease surveillance and response. The survey on syndromic surveillance systems yielded responses from 35 jurisdictions, including over half the states and cities known to have such systems. Some 35 percent of those with significant experience said concerns with HIPAA privacy caused obstruction or delay in disease reporting that required new regulatory or legislative actions.

The survey on confidentiality concerns for general surveillance yielded eight responses from state health departments. Seven indicated “somewhat severe” to severe problems. Several said the covered entity often asked for a patient’s signed release before it would disclose information, an impossibility for a public health agency. Two health district epidemiologists said HIPAA privacy concerns obstructed 20-30 percent of investigations.

Respondents said the rule led public health agencies to examine and strengthen confidentiality protections, though several questioned the need. Misunderstanding or ignorance of requirements was widespread among covered providers whose reaction at times was to reduce required disclosures to public health. Explanations, educational brochures and letters reduced refusals, but the burden on public health staff was substantial. It was unclear how to find an authoritative federal source to state thoroughly and publicly details of an acceptable process to satisfy the disclosure accounting requirement without specific documentation of each disclosure. CSTE recommended that OCR prepare and proactively disseminate to public health providers a clear statement of policy in areas of greatest uncertainty.

Panel 1: Public Health

Ms. Love said NAHDO was grateful to HHS for a modified rule that reflected their concerns, permitting use of a limited data set. NAHDO recommended that HHS develop additional guidance and provide sample models explaining how specific HIPAA privacy designations affected entities in which a public health agency was located in an organization that considered itself covered or hybrid.

Noting the most significant impact the regulations had on public health was the ability of agencies to continue collecting health information from covered entities, she said entities were understanding the rule better and taking a more rational approach to data release and disclosure. However, pockets of difficulty still persisted. NAHDO advised HHS to develop a comprehensive educational strategy, including case studies for specific public health data initiatives, targeting providers and plans on the importance of public health reporting and the ability of covered entities to continue reporting health information to public health agencies.

Reporting a chill in sharing of public health information between government agencies, NAHDO urged HHS to institute a culture of data exchange and sharing within and across federal agencies. Ms. Love called for messages and models, including case studies, for transparent and appropriate data sharing practices guidance to federal, state and local agencies. Noting CMS leadership is essential to state Medicaid programs in interpreting the rule and proper use of data by public health, she encouraged replicating CMS Medicaid office work with state programs around EDI and electronic data reporting for data sharing and use.

NAHDO encouraged HHS to develop additional guidance for federal and state agencies, clarifying when and how to disclose health information for other purposes. They advised HHS to evaluate the impact of accounting of disclosures on public health and related reporting, re-evaluating and considering an exception to the extent public entities were dissuaded from reporting important public health information. Ms. Love urged HHS to provide further guidance for public health agencies, simplifying and reducing the level and burden on covered entities.

Ms. Love noted a significant need for general education about HIPAA privacy and public health, and coordinated special technical assistance and guidance to help states and public health agencies implement regulations in an efficient and effective manner. NAHDO suggested that OCR develop a glossary of privacy terms applicable to public health data, expand CDC's work with states to define small cell-sized definitions and rules, and HHS undertake a formal, comprehensive assessment of the regulation’s impact.

Discussion

Asked about advantages or problems as migration between hard-copy and electronic reporting of epidemiological data rolled out from the field, Dr. Gibson said doing acute disease surveillance electronically was easier, faster, timely and secure. Six or seven states did this on their own for years. It was a slow process with the risks of a major IT project, and failed frequently, but there was progress. Three states used software and a system CDC funded.

Discussing covered entities’ concerns about liability in reporting, Dr. Gibson noted criteria and sanctions for violation of the privacy rule were not clearly interpreted. Hospital counsels’ and risk managers’ first responsibility was to protect against legal and financial risks. There was no clear, proactive statement about a simpler way and what to do legally; people assumed the worst. The response rate had not changed. Some physicians referred representatives to their attorneys, but field staff said they probably would not have participated anyway. Ms. Love recommended a multi-pronged educational intervention emphasizing reporting is permitted under HIPAA and necessary for public health societal good. She called for leadership at the local level to discuss public health functions and their importance with covered entities. She added that lawyers in Medicaid agencies and other government agencies were also “closing the barn door.” It was easier to say “No” than develop a data exchange outside the agency. Ms. Love said she did not see a concerted backlash, but noted general public awareness was raised by HIPAA. Dr. Gibson said news media still demanded identified information, which they had to refuse to release.

Members will ask OCR if they fielded questions or complaints specifically related to public health reporting or similar activities. Asked if they tried to get assistance from OCR or other agencies and found it lacking, Dr. Burt said NCHS sought information in November 2002 to finalize survey procedures. OCR was still “trying to figure it out.” Every agency interpreted it differently. Dr. Gibson said OCR’s replies to questions about specific issues were couched in ways that limited their applicability. Ms. Love remarked on a firewall in CMS hindering data disclosure for Medicare and Medicaid.

Noting TPO disclosures do not have to be tracked under the rule, Dr. Gibson said several states questioned the need of accountability for public health disclosures, which were mandated by state law. He emphasized educating covered entities. Asked why they did not indicate that covered entities had to contact patients regarding HIV or therapies, Dr. Gibson explained that physicians “don't have time” to take on the public side of prevention that belongs to public health. He said the department would be happy to disseminate state public health, given a clear, unequivocal statement from OCR of an acceptable method for a general accounting of routine blocks of disclosures.

Dr. Gibson said one could argue against a requirement to account for disclosures to public health mandated by law, which was part of the notice of privacy practices disclosed to individuals. Noting one had the right to revoke, he acknowledged the value of notifying of disclosure pursuant to an authorization. Ms. Love concurred with globally identifying public health reporting mandated by law, which would suffice for the accounting of disclosures. Dr. Burt said no accounting of disclosures should be necessary for public health purposes.

Participants clarified that the fair information notice was an acknowledgement that the notice was provided and did not indicate it was read or agreed with. It was important when discussing disclosures to public health to realize they were discussing disclosures mandated by law, and that many disclosures that had to be tracked were voluntary. The issue of permissive disclosures for public health purposes still had to be addressed.

Mr. Localio asked testifiers to request that their members report specific cases that trigger a fear of liability. Dr. Burt said NCHS gave providers a notification of data abstracted to help in the accounting for disclosure; hospitals received a document indicating the number of records disclosed. Dr. Gibson said the problem was there were so many different data flows and that risk managers did “not have any evidence” that this would be provided when they had to account to a client. Participants said they had not heard of specific non-reporting of an outbreak due to HIPAA. Noting her experience with an IRB was that accounting procedures from public health ranged from putting a letter in the patient chart to batch reporting, Ms. Love asked for guidance.

Panel 2: Public Health

Ms. Horlick reported as point of contact on the privacy rule for NIP’s 64 immunization grantees, monitoring the rule’s potential impact on immunization activities. Through proactive efforts, CDC informed its partners (including state and local health officials and health care providers) that HIPAA permits disclosures to authorized public health authorities without individual written authorization. She said concerns largely, but not completely, dissipated.

She identified areas where NIP addressed providers' concerns about sharing information with public health under HIPAA: disclosure to immunization registries; site visits to provider offices to assess vaccination coverage levels and for accountability purposes; and provider disclosure of perinatal hepatitis-B case information to public health. She also discussed the disclosure of immunization information to schools.

A few states authorizing immunization registries mandate, others permit, reporting. Several state laws address sharing of immunization information without authorizing a registry. Even before the final privacy rule, providers questioned whether they could continue to report information to registries. Ms. Horlick addressed this concern at national conferences, hosted conference calls, prepared updated information for NIP’s Web site, and responded to inquiries, referring to OCR’s guidance documents and FAQ. She said providers no longer refuse to disclose information to registries because of HIPAA.

Since 1993, public health department staff or agents conducted site visits to provider offices to perform Assessment, Feedback, Incentives and Exchange (AFIX), a public health strategy to raise vaccination coverage levels and improve standards of practice at the provider level. Vaccines for Children (VFC) is a federal entitlement program that provides free vaccines for eligible children. In a number of states, due to confusion about HIPAA, some providers would not permit review of their records for an AFIX or VFC site visit. CDC developed a HIPAA fact sheet and memo on HIPAA and public health site visits clarifying that covered entities may disclose protected health information (PHI) without authorization to public health authorities authorized by law to collect such information for public health purposes. Other documents sent to immunization grantees and the Association of State and Territorial Health Officials, the American Academy of Pediatrics (AAP), and the American Academy of Family Practitioners corrected misinformation and ensured the continuity of AFIX and VFC site visits to provider offices. Ms. Horlick noted concern about access to non-immunization-related information during site visits. Several states report providers are unclear whether PHI needed for perinatal hepatitis-B surveillance and follow-up of case contacts can be disclosed. Efforts to educate providers about permissible disclosures under HIPAA have largely been successful.

Some states expressed concern about the impact of HIPAA on disclosure of immunization information to schools. Parents must obtain this information when the school can no longer access the child's immunization record without authorization, but often don't know who has the history or cannot get the provider to sign the authorization. Some children receive duplicate immunizations; others are excluded until their vaccination status is up to date. Ms. Horlick expressed concern about a perceived additional barrier for overtaxed parents with limited resources or access to health care. NIP staff refers practitioners to legal counsel for interpretation of HIPAA and state law. Lacking a legal interpretation supporting disclosure to schools without authorization, NIP advises obtaining a HIPAA compliant authorization. CDC looks forward to collaborating with OCR to develop additional guidance for immunization grantees and partners on the disclosure of immunization information to schools.

Panel 2: Public Health

Mr. Orren quoted the Congressional mandate about public health and HIPAA. Even though the Minnesota Department of Health is not a covered entity under HIPAA, he said HIPAA indirectly but significantly affected their public health practice. Noting Minnesota had strong patient privacy laws and patient rights of access for years, he said HIPAA would not make much difference beyond a “huge load of paper.” However, he noted attention to privacy had led to additional training and better awareness. The biggest problem was disclosure tracking and the disincentive it created for reporting. Some providers and plans interpreted disclosure tracking to mean they must annotate each patient record whenever a public health disclosure was made.

The requirement to track disclosures impacted voluntary immunization registries. In Minnesota, the law permits voluntary sharing of immunization data between the provider, public health, schools and others. Some providers ask patients to sign authorizations as a way to avoid disclosure tracking. Mr. Orren said this was “one more hassle for a parent” and reduced information flowing into registries because many did not do it. He said Minnesota already had an excellent record protecting privacy and signing an authorization would not protect privacy better.

Mr. Orren said the department worked on public health studies where health plans asked to use a limited data set and data use agreement as a way to avoid disclosure tracking. He did not see how a limited data set would protect privacy better than practices and laws public health already operated under, but stressed it reduced the amount of data they could analyze and increased the burden of getting data by requiring the procedure of promising not to disclose. He cautioned that disclosure tracking interpreted to mean annotating each patient record would seriously limit provider and plan participation in voluntary hospital discharge and health care billing databases.

The department developed brochures on communicable disease reporting in HIPAA and FAQ on sexually transmitted disease reporting including information about general disclosure tracking. Mr. Orren displayed a notice of patient rights (a one-page “Cliff Notes version” of how patients' records can be disclosed without their consent) and a link to the department’s Web site with a “mature but not final” nine-page listing of statutes that allow non-consent disclosure release of patient health records, noting this would be enough to inform patients if OCR advised making a clear statement of the general disclosures.

Discussing most states’ mandatory student immunization laws, he noted the federal Family Educational Rights and Privacy Act (FERPA) allows data to go to the school, but does not let enough data from the school into the registry. Mr. Orren said disclosure tracking was “a structural thing” that needed a clear interpretation by OCR and involved education. He reported that a hospital would not report a hepatitis-B pregnant woman who gave birth until “we twisted some arms” because the baby had to get prophylaxis within 24 hours to prevent the chronic disease’s transmission. The department endorsed NAHDO’s comments.

Panel 2: Public Health

Dr. Larson explained that the New England Newborn Screening Program (NENSP), considered a hybrid covered entity, provides state-mandated newborn screening and testing services for some 150,000 newborns annually. A comprehensive program for babies born in Massachusetts also includes testing, reporting screening results and tracking. Mothers of all newborns are offered newborn medical screening, though conditions screened vary state-to-state. The growing list of target disorders includes many that can have adverse outcomes in the first days to weeks of life, if not promptly recognized and treated. Ensuring an efficient mechanism for collecting specimens from all newborns, promptly transporting them to a laboratory, and ensuring feedback on test results and appropriate early treatment interventions require systems for tracking incoming specimens, outgoing results, and treatment.

Dr. Larson said fear of noncompliance led to overcompliance, which jeopardized the quality of newborn screening and impeded best practices. She recommended developing working models for integration of public health testing within a framework that recognized issues of individual privacy and made reasonable efforts to protect them.

Some of NENSP’s strategies were aimed at improving understanding about privacy rules relating to best medical practices. Commonly encountered scenarios relate to verifying the appropriate medical provider promptly receives an out-of-range result and obtaining information from the provider about diagnostic confirmatory test results and other information directly related to tracking and outcome measures. Some providers refused to accept out-of-range screening results when providing cross coverage and the primary care provider was not available.

NENSP utilizes a medical model for its screening program, employing physicians who give consultative guidance in interpreting results and recommendations for next steps in testing and evaluation. While many providers continued to provide necessary follow-up, some questioned whether individual consent was needed. NENSP in collaboration with the Massachusetts Department of Public Health prepared a memorandum to educate providers.

Inconsistency between written and oral disclosure suggested providers of medical care could be conflicted about balancing privacy issues and best medical practice. Most providers with additional education complied with the public health reporting. Dr. Larson expressed hope that, as providers and individuals became more educated about the implications of this “landmark” privacy rule, efficiencies of public health newborn screening would be enhanced.

Panel 2: Public Health

Ms. Van Tosh discussed the needs of people with mental illness, many of whom were unfamiliar with their rights and had been perceived as incompetent, incapable of participating in the process to determine their treatment, and frequently shuffled between programs to meet basic needs. Stigma within and outside the mental health system perpetuated these misconceptions, keeping consumers shrouded in compliance and passive roles.

Consumers said they had to sign the “new” forms in order to be seen by a therapist or doctor; none were given much explanation. Most did not know they could examine or amend their records or how this could enhance their empowerment and improve mental health outcomes.

Ms. Van Tosh said people with mental illness could become empowered by using HIPAA to increase their knowledge of mental health services. She noted that being able to look at her health record and participate in determining her care was basic and intrinsic to her own recovery.

She expressed pleasure that the Federal Center for Mental Health Services (CMHS) at SAMHSA identified HIPAA consumer education activities and embarked on a program to inform consumers of their rights and responsibilities. CMHS developed an education card that succinctly summarizes key aspects of HIPAA in lay terms. The card provides clear, relevant information for people with mental illness and is designed to accommodate persons with basic reading skills. SAMHSA is reviewing the card, which might be distributed early in 2004 to waiting rooms and public sector mental health programs. Ms. Van Tosh said the card was a template for inpatient consumer training provided by existing statewide consumer organizations.

Ms. Van Tosh worked with CMHS to design an interactive training module guiding mental health consumers through key aspects of the rule. Statewide training is planned in January for consumer members of On Our Own of Maryland, a Baltimore consumer organization. One-time training programs encourage consumers to be better informed about HIPAA and benefits of consumer and patient involvement, but she emphasized that a larger investment was needed to ensure consumers new to the mental health system know their rights. She emphasized more education and monitoring of consumer needs for evaluation, noting successful implementation was measured by the extent consumers were informed and empowered.

Discussion

Mr. Orren said it would be easy for the department of health at the state level and most county public health departments to develop a certification process and list organizations that information could go to without violating HIPAA. Mr. Orren said a certification program and understanding that the accounting requirement might be alleviated, so long as there was certification, could deal with the disclosure tracing requirement.

Dr. Larson reported NENSP received no patient complaints from explicitly documenting where disclosures were going and identifying specialists that see parents and the child. NENSP did their own internal privacy training and kept staff informed of best practices. Privacy officers share concerns at a Massachusetts mental health data consortium. She noted OCR considered early violations an opportunity for education.

Dr. Harding suggested a consumer education card could help others. Ms. Van Tosh said being able to participate in determining one's mental health treatment was key and seldom done; people with mental illness were treated differently. She told how her physician's office clipped her psychiatric diagnosis to her record for “all to see,” even though her appointment was for blood pressure screening. She told them it was humiliating, but the practice continued until HIPAA.

Ms. Van Tosh said layering another privacy level on top of what existed in terms of professional ethics might encourage people to seek professional help for mental illness and be less concerned about privacy. Noting the President's Commission’s and Surgeon General's reports on mental health indicated many did not seek treatment because of stigma, she predicted benefits for all patients in being engaged in developing a treatment plan as required under managed care.

Dr. Larson said most “HIPAA-fear” outbursts came from the metabolic group. Noting different philosophies could be found even in northern and southern Maine, she encouraged AAP and others to cooperate in their newsletters and other mailings.

Stressing the stigma around mental illness and lack of parity of access treatment, Ms. Van Tosh said most patients with mental illness would support coordination with care and ability to share information that would be appropriately stored and utilized. Ms. Van Tosh said, as a patient, she was most concerned about who would use the information, purpose, benefit, and impacts.

Mr. Orren said voluntary disclosures were as or more important than mandated ones. In 2003, SARS was not a mandatory reporting disease, but voluntary reporting was good. A commissioner's order now provides cover for providers to give information about SARS. Minnesota encouraged voluntary reporting of “odd things that happen” because these could be first signs of a new disease. Ms. Horlick recommended a sample BA agreement and specific guidance.

Dr. Larson suggested working towards mandatory reporting, noting terminology was always problematic, especially when new and used in different ways. In Massachusetts, mandatory disclosures fell into routine practices for tracking and follow-up. Parents could opt out of testing services for other conditions. There was IRB protocol; IRB status had to be maintained. She advocated periodical review and mandatory reporting of unexpected and unexplained patient deaths.

Panel 3: Health Care Industry Representatives

Ms. Goldman said the way the administrative simplification section of HIPAA was designed, the privacy standards and security regulations were meant to be developed and go into effect together. Implementation had been staggered, but there still was an opportunity to do them together. She noted reasons for initial misinformation, confusion and misinterpretation. OCR might have been more aggressive in providing information, technical assistance and resources to covered entities. Professional and trade associations could have played a more aggressive, helpful and useful role. Consultants and lawyers gave conflicting information and “over interpretations.” She noted the Health Privacy Project (HPP) posted an instant facts document on their Web site countering misinterpretations using language from the regulation, preamble and OCR's FAQ. HPP also posted and printed a know-your-rights document.

Pointing out that doctors' offices, hospitals and plans present the notice of privacy practices as contentious and a source of conflict in the doctor-patient relationship, she noted it could be conveyed as a benefit. HPP is developing a brochure for providers explaining that the notice details people's rights. She encouraged OCR and professional and trade associations to be aggressive in providing guidance on the Web site, technical assistance and resources.

Noting OCR declared it would rely largely, if not solely, on complaints received, Ms. Goldman cautioned that many did not know they could file a complaint or what would happen if they did. She urged OCR to assess implementation and get feedback. She pointed out that a recent Phoenix Health Systems survey indicated the 76 percent of covered entities reporting full compliance with the privacy regulation fell to 55 percent when asked about BA agreements or other specifics. She called for OCR to publicize the number and nature of complaints received, including referrals to the Department of Justice.

Although this law took steps to protect privacy and provide people with greater access to their records, Ms. Goldman noted it did not cover employers and others directly collecting information from individuals delivering care. People should have the right to sue if they felt their rights were violated. Private right of action and scope were within Congressional purview. The executive branch could - and Ms. Goldman said must - strengthen the marketing section. Safeguards informing people that material received was generated by a third party and providing a chance to opt out should be reinstated in the law. The law enforcement section also had to be strengthened, including addition of a Fourth Amendment-like standard for access to medical records.

Panel 3: Health Care Industry Representatives

Mr. Hughes noted the August 2002 changes balance strong privacy protections for patients with reductions in unnecessary paperwork. AHA’s experience suggested the rule continued to confuse the field and created unnecessary burdens with little benefit.

Accounting of disclosures required even hospitals that had not received requests for accounting to create a “burdensome” paperwork system. AHA contended there were easier, less burdensome ways to get a level of information beneficial to patients. AHA had discussed a proposal to reduce the paperwork burden with HHS and OCR. Detailed information would be available to patients about the kind of disclosures that affect their interests. Patients could be told up front in the notice about more general public health disclosures required under state law or as part of vital public health surveillance systems, without details about the date or specifics.

Negotiating with those needing OCR’s guidance and official sanction who sought to become BAs because they thought that would let them use information in ways the rule prohibited was a burden. Mr. Hughes asked OCR to reconsider the need for BA agreements among and between covered entities, already subject to the rule. He encouraged OCR to develop a certification process and urged them to reconsider AHA’s proposal to eliminate the requirement for BA agreements between covered entities themselves.

He reported that conflicts between hospitals and other providers' obligations to protect patients' privacy and meet other goals (e.g., improving patient safety) created confusion. He urged OCR to provide specific operational-level information detailing what was required and best practices.

Mr. Hughes said FAQs were useful. He suggested targeting specific audiences for specific purposes in a more user-friendly way and ensuring wide dissemination.

Asked about relationships as BAs between covered entities, Pam Lomesselli, Vice President and Chief Privacy Officer, Emerson Hospital, a 145-bed community hospital in Massachusetts, said they had about 800 BA agreements. Each took about four hours, or two years in total. She emphasized that it was convoluted and clarification would help.

Panel 3: Health Care Industry Representatives

Mr. Hill noted the challenge in “coming to grips with” the proposed and final rule and modifications taking up 648 pages of the Federal Register and 214 questions and answers from OCR. Various industries had no consensus on critical components of the rule.

Principal inventoried where they received and how they used PHI and developed detailed implementation policies and procedures. Principal is amending tens of thousands of BA agreements. All authorizations (even those used by non-covered lines of business) had to be changed. Developing training was particularly difficult on the line level. Tens of millions of privacy notices were sent by represented covered entities. Principal alone sent 1.6 million notices. One AAHP member estimated spending $2.5 million on notices.

Principal did business in 50 jurisdictions. Their main challenge in implementing HIPAA was determining what law affected them in each jurisdiction. Laws involved guardianship, personal representatives and rights of parents as well as privacy, which were all modified by the courts in states sitting at law and equity. The group insurance business also had to determine if each state law had resident or contract-state applicability. In some cases, federal and two state laws might have applicability requiring pre-emption analysis across all three. Mr. Hill also noted state laws were changing. In 2002, 232 proposed laws were introduced in 43 states; 43 were enacted. AAHP and HIA contend consumers would be best served by one coherent, well-conceived law.

Noting OCR opined that privacy notices must include information about state or federal laws that prohibit or limit sharing or use HIPAA without authorization, Mr. Hill said this was a cumbersome analysis requiring complex authorizations, and notices would change along with state laws. Principal would have to send out 1,600,000 notices yearly. AAHP and HIA recommended the interpretation either be changed or the notice state, “Use and disclosure of health information and your rights might be affected by other federal laws or state laws,” and list a contact number for further information.

Mr. Hill asked for guidance on when providers and carriers could share information. He noted ERISA health plans had to be in compliance, lacked resources, were “woefully behind the curve,” and needed assistance from OCR. He suggested technical requirements be relaxed when someone asked for their information to be released to a third party.

Panel 3: Health Care Industry Representatives

Dr. Kibbe said family physicians were more aware of privacy issues and small and medium-sized practices made significant improvements in privacy and security. American Academy of Family Physicians (AAFP) received less than 20 e-mails about problems with privacy since implementation, compared to over 8,000 e-mails about electronic health records. The few relatively minor problems mostly concerned other entities’ over-interpretation of which small providers had to be included. AAFP coordinated communications with other medical specialty societies to get details about implementing the rule to medical practices.

He said most family physicians took a practical approach to implementation, though they felt it was not helpful to them or their patients and complained about the cost. A reason physicians in small practices were apologetic about the notice was that patients “didn't know much about it” and weren't prepared to deal with the rule. Some saw it as a violation of their privacy and wouldn't sign. Overall, he said problems were fairly minor and went away quickly.

Dr. Kibbe cited the need for best practices for small/medium-sized practices and hospitals. Cautioning that doctors could face problems with BA contracts, he said CHIT did not believe the small medical practice should be guardian of BA contracts.

Discussion

Recalling that the archdiocese of Philadelphia announced that anyone entering a hospital must notify the church in advance if a priest was to be able to visit, Mr. Localio asked what went wrong that an organization that large with its own health care institutions became so confused. Ms. Goldman noted many found the directory of information in the next of kin sections of the regulation misinterpreted as an “opt-out required” rather than an “opt-in.” Mr. Rothstein said these incidents took on urban legend dimensions. Participants observed the rule was complicated, with many interpretations, and OCR had to “step up to the plate and help straighten this out.”

Mr. Hughes clarified he was not saying that, prior to HIPAA, patient care information routinely commingled with employer information, but that some conflicts were heightened by changes in the privacy rule. These issues arose in trying to determine how things fit together. The issue required additional information and guidance, not necessarily a rule change.

Given how the rule is written and interpreted, Mr. Hughes said preparing to respond to requests involved making individual notations in patient records and required an enormous amount of paperwork - even if none came. AHA’s proposal provided that information to patients, but eliminated the paperwork burden for hospitals and others.

Noting the public health community suggested not requiring an accounting for some public health disclosures, Dr. Cohn said Mr. Hughes’ proposal included individually identifiable, which were the bulk of public health disclosures. Mr. Hughes explained that AHA was talking about carving out types of disclosures that affect the individual's position, legal rights or obligations (e.g., a detailed accounting would be made of disclosure regarding suspected child abuse, but patients could easily be told up front about disclosures made on a mass basis).

Mr. Hughes said the view that a notice was sufficient, in lieu of the disclosure, for legally mandated disclosures, was “fairly consistent” with AHA’s approach. Ms. Goldman pointed out that the accounting for treatment, payment and health care operations already were removed: what mattered was that the patient’s record note information disclosed in identifiable form. She expressed concern that accounting for disclosure usually did not relate to public health departments, law enforcement and researchers that were not covered entities or bound by the rule. Mr. Houston noted hospitals felt the burden of documenting accounting and found there “hadn't been much of a call.” In terms of integrity, larger institutions were not as concerned about where information went as much as where it came from. Accounting already existed in another format in everyone’s record. Rather than disclosures pursuant to authorization, Ms. Goldman advocated signed authorizations for particular purposes and entities.

Dr. Kibbe said different classes of obligations made an underlying problem. He doubted that health care providers should be responsible for guarding all this in an increasingly connected world where copies of health information exist in multiple servers and caches, or that finessing BA contracts was a solution. He said, instead, a single law protecting health information should apply to everyone. In this regard, he said AAFP supported expanding HIPAA’s scope.

Ms. Goldman said HPP set up complaint monitoring with a template of a form that could be downloaded and sent to OCR. Complaints were “all over the place.” She said the regulation was “inexcusable” and did “almost nothing” to prohibit drug company access to prescription data. Noting compliance was relatively comprehensive with a good faith effort to comply and that consumers did not know what the law entitled, she contended that filing a complaint was an ineffective way to monitor compliance and breaches. Thousands of complaints filed within seven months indicated it was serious.

Noting they often heard that the rule would be the basis for thousands of common law invasion-of-privacy lawsuits, Mr. Rothstein asked what happened. Panelists said it was too soon to know. Mr. Hughes reported some lawsuits were working through the system to test theories, but there had not been a flood of them. Asked how OCR might conduct a survey to see what programs “were out there” without being on the front cover of the Wall Street Journal, Ms. Goldman said IG offices in many agencies regularly oversaw Medicare, Medicaid and other arrangements without suggesting anyone did wrong or attracting media attention. HHS would be doing what it is authorized to do under law - seeing how compliance proceeded and doing random audits.

Dr. Kibbe sensed that physicians complied at a minimalist level. Notices and acknowledgments were done along with translations that made sense for the practice. Anecdotal information suggested that many members in small practices still did not understand BA contracts. There was heightened awareness of the importance of privacy and protecting it. Physicians did not get a lot of complaints or complaining about being hassled most of the time.

Panel 4: Health Care Industry Representatives

Noting it was early to gauge the state of privacy and the prevalence of the HIPAA myth, Mr. Rode shared American Health Information and Management Association’s (AHIMA) snapshot of where members, many of whom are privacy officers, stood in terms of privacy and the law. A number of implementations and processes had gone, “not perfect,” but well. PHI use and disclosure were being limited, staff and volunteers trained, and recognizing privacy’s importance. Data was being dealt with in home offices and some larger institutions were limiting circulation or eliminating reports not needed as much as previously thought. The way members did business changed as they implemented privacy and tangential benefits were realized. He promised an extensive report in the spring.

The main challenge was accounting for disclosures. This especially impacted larger organizations. Some states have over 30 laws requiring mandated reporting; and some reports were not released out of a central medical record department. Triggering events could not be used to record reporting. Professionals demanded some; facilities others. Combinations “didn't necessarily match.” Some areas of accounting created problems.

AHIMA proposed changing the accounting requirement so that releases of information required by law were not accounted for, but the notice of privacy practices would indicate that the organization would report as required by law and a posted list or attachment would indicate laws and state requirements for reporting “in English,” rather than “section-and-number.”

Mr. Rode noted conflict with the common rule and HIPAA made problems for institutions that did research. He encouraged bringing everyone together for education and drawing more testimony from national groups in order to evolve a solution.

Business associate agreements called for clarification. Mr. Rode suggested it took time to clarify issues and gain a clearer sense of who required such agreements. AHIMA will issue a practice brief on outsourcing, detailing potential risks when it is not known if something will be placed overseas.

He noted the more stringent rule took on “unexpected life” and members were caught between various agencies' interpretations of state and federal law. Some states had laws about who could receive information that conflicted with HIPAA. NCVHS could not deal with Congressional law, but he expressed hope that, with experience, they could single out major issues such as with preemption and make recommendations for Congressional action.

Mr. Rode noted conflict between HIPAA, federal and state behavioral health, substance abuse, drug and alcohol rules. Problems with law enforcement, court orders and subpoenas were linked to the state HIPAA preemption process. Directory requirements were another issue. He emphasized the need for clear rules and authoritative answers and congratulated OCR on their FAQ, noting people were asking for a public, easy to understand document bearing the Department's imprimatur that translated HIPAA into understandable English without the law’s “chapter and verse.”

Panel 4: Health Care Industry Representatives

Providers in the HIPAA Long-Term Care Consortium developed tools available free to American Health Care Association (AHCA) and National Centers for Assisted Living members. Facilities have a HIPAA policy and procedure manual, sample forms and notice of privacy practices. A model business associate (BA) contract and decision tree help identify business associates and whether they need a BA contract or addendum. BA and family brochures help educate consumers about the privacy rule. The privacy training video is specific to the industry.

Ms. Maassen emphasized that the rule needs industry-specific settings and information. A long-term care setting’s environment is unique: e.g., a resident’s date of birth is PHI, but nursing homes treat residents as family and recognize birthdays in newsletters and on birthday boards.

Participation requirements governing operations in long-term care are based on the Omnibus Budget Reconciliation Act of 1987 and surveyed by CMS. OBRA and HIPAA conflict in many ways. HIPAA speaks to pre-emption and the conflict between state laws and HIPAA Privacy rules, but not to the conflict between federal rules, other than in the preamble. She stressed that the regulatory process to comply with OBRA is comprehensive and thorough. Facilities are surveyed annually. Any instance of non-compliance can result in termination from Medicare and Medicaid. AHCA had little experience with what the HIPAA compliance process would be and, in determining which federal rule to comply with, AHCA leans towards OBRA.

Ms. Maassen noted conflicts between OBRA and HIPAA. OBRA requires that survey results be available to residents, but CMS guidance states results must be posted, making them and PHI available to anyone entering a nursing home. If the survey is not posted, the home is in direct noncompliance with OBRA and will be cited. OCR committed in March to working with CMS, but AHCA received only limited and conflicting guidance from CMS and no feedback from OCR. The Consortium welcomed partnering to define best practices and reduce barriers to implementing privacy and the security rule. Another example of an area of conflict is the tracking of State Surveys. The most recent CMS FAQ, 2448, indicated health care operations include conducting accreditation, certification, licensing or credentialing activities. This determination removes the requirement to track PHI disclosed during State Surveys. However, in previous HIPAA Roundtable Conference Calls, OCR has indicated that State Surveys fall under the definition of Health Care Oversight and therefore PHI disclosed is trackable. The Consortium agrees with CMS, but noted OCR was the enforcer.

AHCA partnered with other provider organizations who have collaboratively spent nearly a million dollars on a pre-emption analysis. At this time, AHCA still has no clarity on pre-emption and urged coordinating analysis of variations in state and federal laws at a national level.

Panel 4: Health Care Industry Representatives

Mr. Dombi noted the home health side of health care was deluged with change; Medicare-certified home health agencies dropped from 10,400 to under 7,000. Calling himself a cynic about how regulations were interpreted and applied by administrative agencies, he said OCR, HHS and the Administration added flexibility, reason and practicality in implementing HIPAA that led to clarity, practicality and support unseen in 25 years. He emphasized achieving balance.

He considered the model for disclosing information to families helpful, but doubted it was used. Mr. Dombi urged OCR to create an expedited process for defining a business associate. He said provider misunderstandings of what could be released under the privacy rules were diminished, but cautioned that some providers used HIPAA as a way to restrain competition. He asked that OCR clarify interagency communications and that all clarifications extend beyond a Web site.

Mr. Dombi said NAHC was waiting “well over a year” for OCR to say if the notice had to be used for hundreds of thousands of flu vaccines home health agencies provide annually. He asked OCR and HHS to coordinate on issues of compliance costs with HIPAA requirements and build a foundation for discussions on rate adjustments that accommodate these new costs.

Discussion

Ms. Maassen said anyone who did not want to be mentioned on the birthday board or in the newsletter would be respected. Mr. Rothstein said OCR’s analysis and guidance is helpful. Mr. Rode suggested posting a simple statement of the rule with a link to FAQ associated with subheading. It was noted that NCVHS had recommended being able to access FAQs and guidance documents by clicking on an industry segment or state.

Asked who was the final arbiter when faced with a conflict of federal law and other authorities, Ms. Maassen said AHCA had asked OCR, as enforcer of HIPAA, to talk with CMS about the AHCA/OBRA conflict. AHCA was still in the middle. Mr. Rode said the court will be the final arbiter. He imagined an arbitrator could be found in HHS for AHCA/OCR, but the question of state-federal law and “more stringent” became “more stringent in whose opinion.” In time, they would know where the problems came up. Mr. Dombi said NAHC advised members to defer to whoever “carries the biggest stick.” If members did not follow CMS guidance they could be in immediate jeopardy of termination without due process rights until after termination took effect.

Mr. Rode reported that there are few requests for accounting disclosures. Tracking paper documents required an expensive process. AHIMA estimated that, setting aside information currently covered by TPO or already required to be released, less than five percent of patients would ask for an accounting. He heard attorney, not patient, complaints over using Section 508 to write an authorization so patients could release their record to an attorney. Noting that battles over whose authorization form to use left patients in the middle, and that other parts of the HIPAA law required acceptance of a patient request if you were a health plan or provider, he recommended that a patient-initiated authorization not be required to follow Section 508 and be accepted unless it had some other violation. Mr. Houston noted that often counties controlled the form of court orders.

Mr. Rode said subpoenas and court orders had long been issues for the release of information; only the pre-emption issue was new. Attorneys who had no understanding of HIPAA initiated many of the court orders and subpoenas. Members rejected them, informing senders how to respond correctly. Ms. Maassen used Section 508 and her own checklist to highlight for attorneys what was missing.

Public comments

Ms. Levine noted the Gramm-Leach-Bliley Act, effective July 2001, required financial institutions to protect the privacy of consumers' financial information and provide notices identifying information collected, with whom it could be shared, and consumers’ rights to limit sharing, similar to HIPAA. Eight federal agencies were responsible for enforcing the act.

In December 2001, those agencies held a workshop on how to better communicate financial privacy to consumers (e.g., notices must be written in plain language and consumer tested).

While GLB notices improved, she said many were still too long, complex and confusing. Industry initiatives were underway to design a standardized short-form notice that let consumers compare institutions’ practices. Readable short-form notices could be layered on top of the full compliance or made available upon request. GLB Staff recommended that the agencies consider engaging in rulemaking to develop the notice. The transcript and presentations are available by clicking the Data Council link on the NCVHS Web site and going to the Privacy Subcommittee.

Discussion

Ms. Levine said mailed notices made consumers confused and cynical; FTC layered education over time with its Web site and materials focused on why consumers received notices and their context. Noting it took years of providing information on seatbelts before consumers accepted them, she emphasized a familiar format and form for notices. She reported joint discussions on HIPAA issues in GLB and interrelations between the two agencies. Often, FTC deferred to HIPAA protections if the HIPAA regulation was specific and more protective.

-DAY TWO-

Panel 5: Research

Ms. Gonzales noted research was a core mission and defining characteristic of most, if not all, academic medical centers and that the research community at Indiana/Purdue Universities, Indianapolis (IUPU) included covered and non-covered entities. IU was considered a hybrid entity. The School of Medicine, the nation’s second-largest medical school, did not meet the definition of a health-care component. It controlled or was affiliated with 25 campus research centers; some not part of a covered entity. Research at the IU Medical Center campus was governed by the federal-wide assurance with IU and affiliated hospitals. Five IRBs oversaw some 3,500 research studies annually. Eighty percent of these studies were conducted by a faculty member or individual affiliated with the School of Medicine.

IUPU Office of Research Compliance administered the IRBs. The School of Medicine enlisted a HIPAA consultant and convened a HIPAA research task force. Since mid 2002, over a quarter of a million dollars and more than 700 hours were spent evaluating HIPAA’s impact on research.

Ms. Gonzales showed layers of safeguards affecting research at the School of Medicine, noting increased protection is largely attributable to many hours of face-to-face training done before the rule’s effective date. Existing IRB forms were modified and a recruitment checklist helped researchers and providers determine the appropriateness of use, access or disclosure of PHI.

Best practices included (1) training tailored to address specific needs and conducted in small groups to address individual questions; institution-specific ethics were created from questions posed and (2) early and specific communications; researchers were informed of compliance expectations and provided with specific directions and tools to guide them towards compliance.

Ms. Gonzales focused on barriers to collaboration for research and future uses of research or PHI. A NIH goal was “expansion of the knowledge base in medical and associated sciences in order to ensure continued high return on public investment in research.” Millions of dollars were invested annually by public and private resources to further research at academic institutions. To maximize these investments, NIH encouraged collaborative approaches to research, emphasizing that the “scale and complexity of today’s biomedical research problems increasingly demanded that scientists move beyond the confines of their own discipline and explore new organizational models for team science.” Reviewing a comparison of the access to PHI for research purposes, she noted the privacy rules focused on structure versus safeguards and discouraged this model.

She noted how compliance with the rule resulted in inconsistencies with NIH goals. Recruitment problems arose when members of a research team were not considered part of the same covered entity, a distinction consistent neither with patient perceptions nor with how research was conducted. IUPU’s lung-cancer clinic might include a pulmonologist, oncologist, radiation oncologist and cardio-thoracic surgeon. Not all were providers; the patient only saw one provider team or entity. Providers shared a research coordinator and had collaborative discussions regarding treatment; but neither a research coordinator nor non-treating provider could review patient records to identify or contact potential candidates for research purposes without an authorization or waiver of authorization. Concerned about HIPAA, treating providers were reticent to send information to principal investigators regarding potential candidates’ research or treatment alternative.

Panel 5: Research

An NIH-funded general clinical research center (GCRC) at IU is not part of a covered entity but aids principal investigators with research-related tasks. Usually a principal investigator is part of a covered entity (not the research coordinator). At least two waivers and/or authorizations must be obtained (to access data and enroll subjects) before the coordinator can assist. The principal investigator must track disclosures to the coordinator, who is considered part of their workforce. Ms. Bizila said the IRB waiver process unnecessarily delayed research.

A multi-center genetic study involving research centers from around the country recently discussed how recruitment and data collection would occur. Each center presented different interpretations for conducting recruitment and data collection, based on their institutional structure and interpretation of the privacy rule. Even if each had similar safeguards, recruitment and data collection would be inconsistent because the privacy rule is driven by the structure of the organizations. Noting that compliance creates barriers toward advancing research and is fundamentally at odds with NIH’s goals for advancing health and research, she offered solutions.

Allowing research team members to be considered workforce members of the principal investigator’s covered entity would alleviate both the IRB and the principal investigator from the authorization and/or waiver process, as well as having to account for disclosures. The research staff was already subject to internal HIPAA policies and research standard operating procedures.

The IRB should determine that appropriate safeguards are in place when a principal investigator utilized a third party for research-specific support, using criteria for business-associate agreements. This would alleviate repeated need for waivers of authorization in accounting for disclosures among research team members affiliated and working in the same academic and research community.

Recruitment assistance with approved members of the research team could also be part of treatment and/or health-care operations. Research involved treatment, quality assessment and population-based activities and was a health-care operation at an academic medical center. Patients came with the hope and understanding of having access to latest innovations in health care, due to research endeavors. If adequate safeguards were present and institutional privacy requirements met as approved by the IRB, recruitment should be permitted by approved members of the research team without an authorization or waiver of authorization.

Ms. Bizila said the final rule let covered entities rely on express legal permission, informed consent or IRB-approved waiver of informed consent for future unspecified research obtained before the compliance date. Since then, more safeguards exist but the rule prevents future uses of data collected afterwards by requiring research-study specific authorization. Access to data for future research is beneficial in performing similar or related and population-based studies in genetic research. With discoveries, opportunities arose for reviewing existing databases and/or samples containing PHI. She noted ways in which compliance created barriers to utilizing existing research data for future purposes and asked that covered entities include future uses in the consent and/or authorization as determined by the IRB. Otherwise, she requested clarification and guidance regarding use of existing research data for related future studies.

Panel 5: Research

Ms. Ehringhaus conveyed AAMC’s concerns directed at: accounting for disclosures, authorizations in waivers, the identification standard, and emphasis in HIPAA on organization versus function and structure versus safeguards.

AAMC noted negative consequences for research: (1) adding the authorization requirement to established informed-consent protections confused the informed-consent process for patients and researchers; (2) research management and oversight were burdened with expensive privacy-rule requirements; (3) disclosure documentation and accounting liabilities created research-related burdens many could not accept, diminishing the subject base, slowing research, and impeding patients’ access to research; (4) new burdens increased disincentives to engage in biomedical and health-sciences research. AAMC created a database of case reports documenting research affected, delayed, hindered, benefited, abandoned or forgone to monitor and document effects of the rule on biomedical and health-sciences research. AAMC noted the rule’s adverse effects on key areas of research. Some 72 percent of the respondents said clinical research was affected, particularly in terms of recruitment and data access, acquisition and retention.

Community providers and hospitals did not view research as primary, were reluctant to assume the burden and unwilling to make records available. Contending the burden was unreasonable and incremental privacy protection minimal to non-existent, AAMC advocated eliminating the accounting of disclosures. In addition to technical and legal ambiguities, Ms. Ehringhaus said the impact of authorizations and waivers requirements demonstrated their uselessness. Contending it was “practically inconceivable” that a researcher with good-faith justification would be turned down, she said the requirement should be eliminated for research uses.

AAMC believed human subjects were fully and appropriately covered under federal regulations governing human subjects research and that waiver of authorization was an unnecessary complexity and confusion. Ms. Ehringhaus said the de-identification standard placed disproportionate burden on research in terms of additional privacy protections. She advocated simplifying and adapting it for biomedical and health-sciences research. “Extreme cases of misuse of medical information” were better addressed with other regulatory mechanisms. AAMC concurred with concern about structure versus safeguards. She said text and interpretations of HIPAA’s research provisions must shift from organizational form to function served.

Panel 5: Research

Noting these were “early days” in terms of epidemiologic studies, which often take a decade from conception to final papers, Dr. Linet noted mixed reports. Ongoing studies appeared less influenced, industry less impacted; new studies encountered difficulties. Variable interpretations by IRBs were a problem in hospitals. Access was denied to the CMS database and hospital records for control selection without a waiver. HIPAA brought variable access to records; notable complexity of release forms; and increased requirements for subjects to designate specific record components for release, absolve hospitals from liabilities, responsibilities, damages and claims, and recognize a hospital’s right to deny or revoke release. Length and complexity of consent forms was an obstacle: HIPAA forms include more institution-specific and/or expanded wording and requirements. Expanded disclosure of confidential data to more entities (possibly due to IRBs’ interpretations) was a problem. Factors causing declines in participation included: IRBs’ unwillingness to grant waivers, lack of access to medical records, the consent form’s length and complexity, and expanded disclosure of confidential information.

Dr. Linet noted the financial and legal impact. Epidemiologic studies were already expensive. Additional time for designing forms, training staff about HIPAA requirements, preparing materials required for IRBs, answering subject queries, obtaining agreements from hospitals providing records, and legal requirements increased costs. Some hospitals, concerned about a federal audit, refused to participate. College continues to evaluate experiences and identify patterns. A data-collection survey instrument will be prepared and administered.

Possible remediation measures included: reexamining granting access to databases, a simplified HIPAA-compliant template or universal record release, limiting access, more HHS guidance to IRBs and hospitals, on-going clearer communication of requirements, and HHS’s proactive reassurance that granting waivers will not make institutions more liable to serious problems.

Discussion

Ms. Bizila said their research could not practically be done without a waiver of authorization for recruitment. A third of Indiana University’s studies include one. Noting NIH and OCR Web sites had differing opinions, Mr. Houston said the University of Pittsburgh Medical Center felt they could not meet the criteria and rarely granted them.

Ms. Ehringhaus said “blurring” and confusion over requirements for waiver of informed consent (which had an integrity and rationality of its own) and the HIPAA waiver were a problem for AAMC. It was almost inconceivable that a waiver of authorization (unlike a waiver of informed consent) wouldn’t be granted within single institutions. She noted Dr. Linet reported different experiences when institutions collaborated. Ms. Gonzales suggested it was indicative of how IRBs interpreted the rule differently, depending on safeguards and structure. Without guidance, she said this would continue. Dr. Linet observed that when NIH chose institutions to collaborate with, they went with ones that never granted waivers, putting others at a disadvantage.

Dr. Linet said the problem with expanded disclosures was variable interpretations and confusion on the part of IRBs. Prior to HIPAA, subjects could be told confidentiality was paramount and only project researchers would have disclosure. The new consent form said all collaborating adjuncts and associates plus the IRB and funding agencies might have access. Mr. Fanning said this might be a case of “being more honest” about access that existed all along. FDA regulations for drug trials always required acknowledging audit review. Julie Kanishira, policy team leader from the Office for Human Research Protections (OHRP) said OHRP agreed that confidentiality statements in informed-consent documents, prior to HIPAA, often were overstatements that, teased apart, were not so absolute. Often, someone outside of the research team had to access research data. This was “coming into the sunshine” with HIPAA. People had to consider prospectively who might need access including the IRB, sponsor, FDA, OHOP or OHRP.

Mr. Rothstein said HHS meant to minimize the researchers’ burden by aligning HIPAA and common rule requirements when they could. Informed consent and an authorization for HIPAA purposes could be in a single document. HIPAA-required language took about six sentences. Noting most institutions required separate informed-consent and authorization documents, he asked if the institutions brought on some of the complexities, redundancies and difficulties. Ms. Gonzales noted other parties had to be considered. Sponsors wanted to add pages of specialized language and future uses that were inconsistent across the board. Many chose to do a separate authorization because medical records personnel might not grasp whether consent complied with HIPAA. HIPAA was affected because they wanted it in the authorization. There was confusion about documents and delays in recruitment. Ms. Bizila said a reason for a separate authorization was to hold to a broad language during transmittal, protecting the sponsor’s confidentiality, drug proprietary information, and the diagnosis. She did not want to do away with authorization, which raised awareness of the pharmaceutical companies’ practices, but consider controls.

AAMC’s position was that content of the informed-consent document should be candid and complete; potential disclosures of private information had to be in the document. Ms. Ehringhaus said people did not combine forms because IRBs had a stake in the integrity of their own process and meeting responsibilities in a way they decided best served the common rule. Multi-institution collaborations inevitably had at least two sets of legal and two IRBs, and did not recognize the same language. She doubted the authorization served a useful privacy purpose. Contrary to the rule, FDA said IRBs did not have to review them. If authorization was a mechanism by which people finally “told the truth about what would happen,” Ms. Ehringhaus said that was a problem with informed-consent, not the authorization requirement.

Ms. Kanishira noted the privacy rule, HHS and FDA human-subject protection regulations did not require IRB or privacy-board review of authorization forms if the documents stood alone. Institutions required IRB review. Ms. Gonzales said IRB did not approve a protocol or study until OCS reviewed the documents. Attorneys for pharmaceuticals or other sponsors almost always added unique language.

Noting treating providers’ reticence to refer potential candidates because there was no time with so many patients to sign an authorization, Ms. Gonzales said more potential subjects could be referred with verbal authorizations. Ms. Bizila noted at most universities a research coordinator, who usually was not part of that covered entity, searched records and identified candidates. Coordinator access required a waiver of authorization; verbal-consent exclusion would not work.

Mr. Rothstein said one could argue that the HIPAA privacy rule was insufficiently protective of the rights of research subjects in terms of review in contemplation of research. Under the rule, researchers could review PHI and medical records to determine the feasibility of conducting research studies without IRB or privacy board approval. OCR interpreted in its December guidance document that once people were identified for the study the researcher could contact and recruit them without any approval. Mr. Rothstein emphasized that recruitment was research and following OCR’s interpretation could lead to a totally unethical research protocol that never reached IRB approval. Mr. Houston noted NIH posted contradictory guidance on its Web site.

IUPU said OCR interpreted that investigators could search for numbers to support a study but could not obtain contact information without IRB approval. Mr. Rothstein emphasized that the privacy rule represented a floor rather than a ceiling; the common rule and professional statements and ethics had to be considered. Ms. Ehringhaus said AAMC prevented the researcher from making contact with the subject until the IRB reviewed, approved, declared exempt, or finished expedited review. Ms. Kanishira clarified that recruitment activities for research were covered under OHRP’s human-subject-protection regulations and required IRB review and informed consent or a waiver. Given that chicken-and-egg scenario, a waiver usually would be appropriate. Mr. Rothstein noted there were no objections to this guidance being rethought.

Noting some IRBs considered OCR guidance dispositive and did not look to the common rule and NIH’s guidance, Mr. Houston said the guidance was incomplete and presented problems. Ms. Kanishira pointed out that guidance issued by the Department via NIH in August included a Q&A on the point of contact. OCR clarified that making contact with an individual to seek authorization, while not a preparatory-to-research-function, possibly was a health-care operations function if the researcher was an employee or workforce member of the covered entity or acted as a business associate recruiting on behalf of the covered entity. OCR clarified that obtaining documentation of a partial waiver by an IRB or privacy board for the study’s recruitment phase was another mechanism for disclosing contact information to a researcher for that purpose.

Recalling that the level of de-identification was high because Latanya Sweeney demonstrated to the Committee that “anything” could be re-identified, Dr. Harding asked if de-identification should be lowered. Ms. Bizila said it was a difficult standard to reach and a hindrance. Ms. Ehringhaus noted some community providers refused to do it because it was expensive, burdensome, and they worried about liability. AAMC contended the standard was not adapted to population-based research and advocated regulating for the “responsible” majority, holding serious interventions for others. Ms. Linet cautioned about avoiding studying conditions because conceivably someone might be identified. Mr. Rothstein noted that his own studies suggested research participants did not place as high a value on anonymity as some others.

Panel 6: Research

Dr. Roberts noted Magee-Women’s Research Institute’s clinical trials, designed to use a large multi-center strategy and requiring adequate enrollment for continued participation and other clinical research projects, were devastated by HIPAA regulations. The mandate that a patient could not be approached about a research project without written permission from the clinical team providing care put additional burden on an already over-tasked team whose first interest and responsibility was patient care. Regulations impacted retrospective chart reviews that historically were an important and economical source of information. Patient records were reviewed and relationships of the disease to behavior, metabolic or genetic factors examined. Reviews provided initial hints of the relationship between smoking and lung cancer, estrogen and breast cancer, lipids and obesity related to heart disease. Such studies could no longer be performed without permission from all involved patients, even those cared for years previously.

According to the regulation, a covered entity might give a researcher access if the researcher provided assurance that (1) the use was to prepare for research, (2) PHI would not be recorded or removed, and (3) access was necessary for research purposes. Some interpreted that to allow pre-screening by individual investigators to identify subjects eligible for research; others concluded that pre-screening could only be used for such things as determining the frequency of the disease in a hospital population. Noting charts could be reviewed for treatment, payment, billing and organizational purposes without prior approval, Dr. Roberts observed that for years researchers had regulations in place to protect patient privacy. Dr. Roberts said research registries might solve these problems. Registries must be disease specific, preventing a simple research clause and generic HIPAA information forms. Potential registrants had to be approached by someone on the care-providing team, taxing busy staff whose orientation was not research.

Chart reviews can be done with permission if de-identified, but an abstractor needs two-and-a-half hours to remove the 18 items from every page. Pseudo-dates separated by appropriate periods are needed to judge disease progression or recurrence rates. Waiver requirements state that research cannot be done without one and that risk of patient privacy being violated is slight. Interpretations were disparate in different settings.

A research registry instituted with enrollment by care providers worked in slow settings, but enrollment dropped from 80-90 to six percent in busy clinics, raising concern about patient bias. Electronic records were incomplete; chart-review studies almost nil. NIH warned Magee that ongoing funding was in jeopardy unless recruiting increased. Magee instituted IRB waivers so investigative teams could pre-screen charts for eligibility for specific studies. If a patient is eligible and waiver given, a permit enables approach for that study. Care providers still must get the patient to sign a waiver, however this was less complex and time consuming than explaining a registry. The strategy had been in place four weeks and did not seem “incredibly encouraging.”

Dr. Roberts proposed designating research as part of the treatment and using the TPO exclusion to enable research to use medical records without prior approval. Failing this, he suggested generalizing approval for research use of medical information by patients to all research.

Panel 6: Research

Mr. Lawniczak thanked the Secretary and HHS for crafting a “mostly workable” rule, noting the limited data sets “prevented untold difficulties for conducting health-services research.” It was early; data was preliminary. Many researchers were still grandfathered and there were “steps and hoops to go through.” So far, the minimum-necessary requirement had not limited or hindered CHSR researchers’ access to data. Allowing covered entities to review an IRB approval with their own IRBs created complications and concerns, but hadn’t become an insurmountable burden.

While multiple IRBs had not blocked CHSR researchers from data, Mr. Lawniczak said IRBs often presented conflicting requirements, slowed the process and increased costs. Some problems were resolved by adopting onerous requirements. Researchers had to negotiate others with each IRB while staff was idle. The Congress had not increased budgets and less research was conducted.

He encouraged OCR to stress educating and providing technical assistance to smaller covered entities in addressing privacy rule requirements about research. Noting implications of HIPAA and the rule might be particularly complicated for federal agencies that were covered entities, data sources and research sites, Mr. Lawniczak urged OCR to help units throughout government understand how to release data for research while complying with the privacy regulations.

Mr. Lawniczak agreed with comments about the waiver-of-authorization and consent forms and said new forms hurt recruitment and selection bias could not be determined or accounted for. Health-services researchers only used the safe-harbor method to de-identify information because requirements for statistical de-identification were too vague and subject to interpretation. He proposed that AHRQ and NIH work together with statisticians to recommend a method for the statistical de-identification of health information. He also advised HHS to reexamine the preemption clause and identify state laws preempted. Noting researchers’ difficulties gaining access to data held by “what would be considered a public-health entity” that considered itself covered, he asked HHS to clarify the difference.

Mr. Lawniczak said most problems with research apparently were resolved through IRBs and educating covered entities. Congratulating the Secretary and HHS on a regulation that seemed to allow researchers access to data to conduct their studies, he also noted ongoing difficulties and called for technical assistance and education. He urged the Congress to recognize the increased cost to researchers of the privacy requirements and correspondingly increase funding for grants.

Panel 6: Research

Dr. Boughman cited concerns that led the American Society of Human Genetics (ASHG) to examine HIPAA and its implementation, point out where the rule is vague, and offer guidance. She reiterated the difficulty in determining when researchers were members of covered entities in many complex academic institutions and the significance to geneticists of knowing the definition of limited data sets and recognizing intertwining and overlapping arenas of informed consent and HIPAA regulations, especially when doing multi-center studies. The biggest financial cost was time taken from research or caring for patients. A hidden cost was the disincentive additional regulation placed on clinical investigation. Institutions considered the cost of new processes and tracking systems to assure compliance an unfunded mandate.

Dr. Boughman noted issues with cross-sectional or longitudinal epidemiological studies and that removal of all 18 elements in the de-identification process stripped metric identifiers and images, making some studies in dysmorphology groundless. She noted the challenge HIPAA applies to deceased individuals, cautioning that HIPAA impeded research in many genetic disorders. Voice and fingerprints were biometric identifiers used to ascertain information on deceased individuals; even taped interviews were voice prints and identifiable, technically, under the rule. She asked how genetic studies could be done, if a DNA sample or profile was considered an identifier.

Research laboratories that do not follow Clinical Laboratory Improvement Act (CLIA) regulations cannot return research results to individuals; CLIA-certified clinical labs cannot test unidentified samples. Anyone complying with either potentially is in conflict with the other.

Discussing difficulties with family studies, including contact with relatives, Dr. Boughman asked the Subcommittee to imagine using family history as an entry criterion to a study: some smaller hospitals required signed permission from all the subject’s relatives involved.

Discussion

Dr. Roberts noted that the busy clinical setting did not allow time to explain the registry and those approaching patients were not necessarily committed to “getting them in.” Recruitment was slipping. Magee felt the regulations precluded anyone not on the care-providing team from knowing a patient was eligible or making first contact. He said motivated staff paid to recruit patients would solve most of the problem. Mr. Houston noted the problem was compounded when a hybrid entity or its research arm was not covered. And some IRBs precluded cold calling.

Dr. Roberts noted the time and energy committed to “getting around the regulations legally,” emphasizing the intent was to stay within the spirit of the law. Dr. Boughman cautioned that this process involving varying levels of liberal and conservative interpretations often dropped to the lowest common denominator in multi-institutional studies. Mr. Lawniczak suggested education and changing the regulation so the institutional IRB was primary, with other entities secondary and modified review sped the process, avoiding costly, conflicting requirements.

Asked how HIPAA created an ongoing issue, Mr. Lawniczak said the common rule did not apply to most health-services research, which did not deal directly with human subjects. Some health-services researchers that only collected medical records did not require a covered entity IRB.

Ms. Kanishira said HHS’s human-subject protection regulations include obtaining private identifiable information for research purposes and applied to the use of identifiable medical records to conduct epidemiological studies. Regulations strictly apply only to HHS-conducted or -funded research. HHS’s assurance mechanism lets institutions voluntarily apply them to all research, regardless of funding. HIPAA provisions do not distinguish the funding source and mirror requirements under the common rule of IRB review. Extension of review beyond what typically was covered is perceived in some circumstances. Mr. Lawniczak noted a substantial part of health-services research was funded through private foundations and required HIPAA steps.

Dr. Roberts reiterated that interpretations of whether researchers could contact patients without approval by someone on the care-providing team determined the difficulty of recruitment.

Mr. Lawniczak complimented OCR on doing “a tremendous job” with limited resources, stressing resources should be increased and the Congress needed to “step up to the plate” and help fund education and researchers’ extra costs. Dr. Roberts noted Pennsylvania held a question session linked to grants and posted answers clarifying “where the line is drawn.” Noting Web-based modular courses for researchers were not required for IRBs, Ms. Linet suggested HIPAA-approved sample forms could add standardization and begin to educate covered entities. Mr. Houston noted University of Pittsburgh researchers had to take a Web-based training program segmenting HIPAA modules related to research staff, researchers, and students that covered IRB requirements and required testing and certification before submitting a protocol for review.

Participants said IRBs’ divergent answers reflect interpretations of the safest, narrowest common denominator and the philosophy of those in charge as well as community circumstances. Ms. Kanishira noted HIPAA and the common rule enable central/single IRB project review.

Subcommittee Discussion

Issues carried from the September 9 conference call include: FERPA/HIPAA concerns with privacy and schools; treatment of law enforcement, subpoenas and certificates of confidentiality; banks as clearing houses and the Gramm-Leach-Bliley Act; and the payment chain.

Noting issues still impact research and fund raising, members discussed determining if conditions were better or worse than anticipated pre-April 14. Other priority topics heard included: offshore medical contracting, accounting for disclosures, employers and correctional facilities, and employer access to employee/applicant health information. Noting the growing number of health-care providers not covered by HIPAA because they do not bill electronically, members considered discussions about the Congress expanding HIPAA’s scope to effectively cover business associates and simplify all health-care information.

Members said a meeting might be held late in January if compelling issues arose. Noting compliance will have been in effect one year in April, members agreed to draft a letter to the Secretary and present it to the March full Committee meeting. A conference call will be scheduled December 3, 4 or 5 to identify and draft a letter on public health, research and general issues (e.g., accounting for disclosures) prior to the February 18-19 Subcommittee meeting. Mr. Localio will be invited to participate. One topic will be deferred until the still unscheduled (probably April) meeting, so members can discuss issues heard in this and February’s sessions and craft additions to the letter. Thanking the participants, Mr. Rothstein adjourned the meeting.


I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/ 2/4/04

_________________________________________________

Chair Date