CDC conducts a family of health care provider surveys, known as the National Health Care Survey (NHCS), to collect data from providers on patient encounters in order to make national estimates of utilization. The encounters are sampled from a broad range of service areas from doctor visits and hospital discharges to nursing home residents. While the surveys are authorized under the Public Health Service Act which assures confidentiality in law, the newly effective Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) sets further standards for providers (e.g., covered entities) when disclosing protected health information for research or public health purposes. The various surveys in the NHCS each collect slightly different kinds of information and different patient identifiers.
This testimony describes the ways survey procedures were modified to assist providers in participating in the surveys under the new regulations. The kinds of modifications varied across surveys but included obtaining or modifying IRB approval, creating data use agreements, completing accounting documents for disclosures made to assist the providers’ record keeping requirements, and creating new training materials for field staff and new WEBpage materials for providers. The testimony also describes the process by which modifications were discussed and approved. Finally, the testimony describes changes observed in response level or survey cost before and after the implementation date, April 14, 2003.
National Health Care Survey and the collection of protected health information
There are three major provider components to the NHCS: Ambulatory care, Hospital and surgical care, and Long-term care. The various surveys within these components differ in regard to the type of protected health information (PHI) collected as specified by HIPAA’s Privacy Rule. Because the information collected differs, the level of review by Institutional Review Boards (IRB) differed prior to the Privacy Rule implementation. For example, the ambulatory care surveys rely solely on data already collected in medical records and no identifying patient information is collected, so they were exempt from IRB review for the protection of human subjects. However, because the long-term care surveys collect identifying data (e.g., social security number) to link to other databases, a full IRB review was required. The hospital and surgical care surveys collected a medical record number that, within the hospital, could possibly identify a patient, although outside of the hospital, it was not an identifying piece of information. These surveys generally received an expedited IRB review. Because some NHCS respondents may have a narrow definition of what constitutes public health, CDC decided to ensure that the surveys also met all criteria for disclosing PHI for research, which included a full IRB review. As we approached the Privacy Rule compliance date, we sought a full IRB review of all the provider-based surveys including waivers of patient authorization. Additionally, while CDC requests the health care provider to complete or assist in record abstraction, in some cases the provider requests the data collection agent to abstract the data. When this occurs the agent may see the patient’s name or address, even though for some surveys we do not collect it.
Modifications made to survey procedures
With the publishing of the final rule in August, 2002, CDC staff evaluated what kinds of modifications would be needed to ensure that providers would continue to provide survey data and then developed and implemented such modifications. These included a range of materials from introduction letters, development of data use agreements, accounting documents, data modifications, and development of special training. The nature of changes to the survey collection procedures follows.
Introductory letter: These were modified to include a paragraph indicating that there were several ways that the Privacy Rule allowed survey participation, including that the disclosures were for public health purposes as well as for research, the survey protocol was approved by an IRB, and the survey collected only the minimum necessary PHI to accomplish the survey objectives.
Question and Answer: Special Q & A’s were developed to help answer any concerns a sampled provider might have about survey participation and their compliance with the Privacy Rule.
Accounting documentation: Each survey created a one-page document that could be used by the provider to assist in their accounting for disclosure requirements, whether the document be for each sampled encounter or patient, or a summary accounting when more than 50 cases were abstracted.
Data use agreement: Because some surveys (e.g., the ambulatory care surveys) collected PHI that was designated by the Privacy Rule as part of limited data set (e.g., birth date, visit date and residential ZIP code), survey-specific data use agreements were developed providing the necessary assurances of confidentiality.
Training: Special training modules were developed for field representatives to explain to the providers how they are able to participate and still be compliant with the Privacy Rule. In the case of the ambulatory care surveys, the training included a 30-minute PowerPoint slide show with audio that was distributed on a CD/ROM for field staff to view which led them through the new procedures and survey materials, including a new chapter in their field manual.
Provider materials: Special respondent WEBsites were developed to contain information about the surveys including materials pertinent to the Privacy Rule such as the IRB approval letters, Q & A’s, data use agreements, etc. In the case of the ambulatory care respondent sites, a 7-minute FLASH presentation was developed to explain the survey and what the provider must do to comply with the Privacy Rule.
Modifications to PHI collected: There were two instances where modifications were made related to the information collected; the hospital and surgical care surveys deleted the collection of medical record number so that the information collected met the definition of a limited data set, and the ambulatory care surveys allowed the respondents to enter patient age or month and year of birth rather than full birth date. The forms were not modified, but the field staff showed providers where to record age on the form if they objected to providing the full birth date. The other surveys already allowed the collection of patient age in place of birth date.
Other modifications: There were several other modifications made to planned data collection activities to accommodate the implementation of the Privacy Rule. The National Hospital Discharge Survey (NHDS), which normally collected data from the previous year through April, changed the 2002 panel deadline to April 11, 2003 so that the providers and field staff would not have to worry about collecting data past April 14. NCHS also delayed a study to collect medication data in the NHDS from the Spring until the Fall of 2003 to permit hospitals time to become accustomed to reporting under the new HIPAA requirements. Finally, several of the surveys created toll-free telephone numbers for the respondents to call if they have any concerns about how survey participation is affected by the Privacy Rule.
Review and approval process:
After these modifications were developed, they were reviewed by Counsel at CDC in Atlanta who ensured that the materials accurately reflect the regulation. There are still areas of concern among government agencies regarding some of the requirements including the following: individual accounting requirements when multiple records are disclosed for the same survey, and interpreting abstraction by our data collection agents as a disclosure rather than an “incidental” disclosure. Disclosures incidental to a permitted disclosure do not require documentation. For some of our surveys, this is the only disclosure that occurs, otherwise the limited dataset rule would apply.
Effects on survey participation
While it is still too early to provide definite statements regarding the HIPAA Privacy Rule’s effect on survey participation, we can state that no major participation problems have been identified between April and October, 2003. NCHS has received a handful of calls from doctors and hospitals expressing concern about the Privacy Rule and survey participation, but no effect has been noticed on general participation. The response rates for the ambulatory care surveys were essentially the same between January-March and April- July (NAMCS: 73% vs. 71% and NHAMCS: 95% vs. 91%). The field staff indicated that none of the hospitals’ refusals in the second quarter were HIPAA-related. A National Nursing Home Survey pilot test conducted in the Summer of 2003 did not reveal any problems with participation, and the current research study on collecting medication data in the NHDS has also not shown any compromise on hospital response.
Summary
We believe that the preparation steps we took to clearly explain the interface between the Privacy Rule and participation in the NHCS, together with the new materials helped to make a smooth transition from pre-to-post implementation. Implementation of HIPAA’s Privacy Rule led to slightly increased survey costs but has had less of an effect on survey response than originally conjectured. In some respects the additional assurances of confidentiality made some providers more comfortable with providing patient data. However, the full impact on response rates will need to be measured over time as providers and survey organizations become more confident about the provisions in the Privacy Rule allowing continued survey participation.