Testimony of the
American Health Information Management Association
to the
Subcommittee on Privacy and Confidentiality
of the
National Committee on Vital and Health Statistics

November 19, 2003

Opening Comments

Chairman Rothstein, members of the subcommittee, ladies and gentlemen, good afternoon. I am Dan Rode, vice president of policy and government relations for the American Health Information Management Association (AHIMA). On behalf of the Association and its members, thank you for allowing us this opportunity to provide input today on issues related to the status of our healthcare community and the HIPAA Privacy Rule, implemented for the most part a little over five months ago. 

For those of you who are not familiar with AHIMA, we are a professional association representing more than 46,000 members who manage patient medical and clinical information in the form of health records and databases in provider, health plan, government, research and other public and private organizations, facilities, practices, and agencies. Our members’ various functions have required them to intimately deal with a variety of issues that have become the subject matter for the NCVHS both due to its original charge related to health data and statistics, and its more recent charge to advise the Secretary on the administrative simplification issues contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

I must also note that our members’ various functions have also caused both themselves and our Association to become deeply involved in the movement to secure national standards for the electronic health record, the personal health record, and the establishment of a national health information systems, which leads us to the need to establish trust in the confidentiality and security of such systems and interfaces.  For over 75 years, AHIMA members have managed health information and records and, equally as important, the confidentiality of health information on a daily basis. It was this paramount concern for confidentiality and security that caused AHIMA to be so involved with privacy and confidentiality related to HIPAA, and it is this concern and the need for trust in EHR and NHII standards now being built that keeps us involved with issues concerning confidentiality, security, and privacy. 

Since AHIMA members have served for many years as the trustees of institutional (hospital, clinic, and so forth) records, they have also had the role to manage the “release of information” responsibility, in these organizations.  It was natural, therefore, that when the HIPAA Privacy Rule called for a “privacy officer” to be named for each covered entity, many of our members took on that responsibility, or served on internal privacy oversight task forces and committees. (AHIMA has a certification program for Healthcare Privacy, and with HIMSS a joint certification program in security and privacy and security.)

With that as background, I come to you today to give AHIMA’s perspective on the HIPAA Privacy Rule and the state of privacy and confidentiality in healthcare.

Comments on Privacy Today

In the short time I have today, and in my written testimony, I want to first share with you a glimpse of some of the good things that have happened with the implementation of the HIPAA Privacy Rule.  Then, I want to share some of the challenges we see remaining and ideas from our members to meet these challenges.

It has been only five months since the implementation of the Rule for most covered entities.  The press, public and industry, have been full of anecdotal stories about the impact of the Rule.  Some of the articles or stories have been positive, and some negative.  There have been some very confused stories and a number of sensational stories that seem to bury the good and stress the “bad” or unforeseen impacts of the rule. 

As an Association linked to the privacy issue and function, we have been sought out for comment, and I know that some of you and the Office of Civil Rights (OCR) have responded to even more requests.  Often after listening to the story of the hour, it becomes somewhat clear there are some significant misunderstandings and miscommunication regarding the Rule.  So, now we all have a task before us to ensure that our industry and the larger community – our patients – understand the Rule, and that we take steps to modify the Rule as appropriately needed, after fact-finding.  We believe this can ensure that there will be trust in our handling of confidentiality and security, so we all can move on to establish a much-needed infrastructure and standards for the 21^st Century era of e-health. 

While what we hear in the press, on our hot lines, and in various conversations has taken, perhaps, a negative tone, we must remember that in the media problems often seem to take precedence over success.  So, let me first congratulate the OCR, who, with a very limited budget and time, has done a wonderful job of establishing a Web page, responding to and posting frequently asked questions, and providing outreach when ever possible.  The OCR’s willingness to work with the industry is very commendable.  Unfortunately, few in the industry have appeared to take advantage of what the OCR has done, or, I suspect, is willing to do.        

In putting a charge for privacy into the HIPAA legislation, Congress believed that it was providing for improvements to the situations surrounding healthcare privacy it saw in the mid-1990s.  It is our opinion that the Rule has done a significant job to improve the situation from where it was in 1996.  Unfortunately, our job is not done and AHIMA looks forward to working with the subcommittee, the NCVHS, the OCR, and Congress to make sure that we can build on this milestone – HIPAA implementation – to correct as much as possible the problems that still exist.

In the short time since April it has been almost impossible to gather the kinds of facts that would make us all comfortable in moving ahead to stage two.  We know that change has begun and we are hearing of improvements and problems, but each view leaves a lot to be desired in its completeness.  This fall AHIMA attempted to take a quick snapshot of the current situation by seeking input from our members in a short, nonscientific, survey.  Our tools and resources at hand kept us from getting a much clearer picture, but the information we received confirmed some of the anecdotal information we were hearing.  We are now working on ideas on how to make such a survey more inclusive and more scientific, and we will keep the subcommittee apprised of any major steps that we take in this area. 

Based on our limited survey primarily of privacy officers and members of privacy committees, and the input we are receiving from some of our small communities of practice, we wanted to share some of the good news of what has happened with the implementation of HIPAA.  In no special order this good news includes:

• Privacy has become one of the hot topics in healthcare, and even though many were not happy with the change, there has been a significant increase in the recognition that everyone on the healthcare staff has a role in keeping information confidential;
• Access to PHI had been limited to exclude employees who have no need for access or need to know;
• Implementation, in effect, reinforced old policies, but now there is the backing of senior clinical and administrative management for enforcement;
• Security for PHI in research databases has improved;
• Temporary employees and volunteers are receiving much more training in privacy than in previous situations.
• All staff are being retrained with regard to all privacy and security requirements – federal and state;
• Computer security has increased;
• Healthcare employees in covered entities have become significantly more aware of the need for patient privacy;
• Billing offices have become significantly more aware of the need for less disclosure, especially over the phone;
• Rules for disclosures and authorizations have become standardized across facilities and organizations.
• Report distribution lists have been significantly shortened to reflect the “minimum necessary” requirements – and no one objected to have less reports to read;
• The process of using data in home offices has changed significantly, without problems;
• Hospital staff are more aware of the entire release of information (ROI) process, and while questions and requests have increased, there is much more control of the process than ever before;
• “Shredding” type processes for facilities, faculties, and physicians has been improved or in some cases initiated;
• Surgery lists distribution has been considerably cut;
• PHI was displayed in many ways in public areas – computer screens, grease boards, and the placement of papers, records, and so forth.  This has been changed – paperwork is smoother, the work environment looks better, and there is no public display of PHI;
• Fax machines have been moved to nonpublic areas and monitored constantly, and PHI in faxes has been reduced;
• Computer security has been taken seriously – in some places for the first time;
• Nursing units are insisting on protecting PHI, and have changed a variety of “privacy leaks;
• Data between providers and plans and their subcontractors is reviewed closely, and more than privacy improved;
• Conversations with patients and next of kin in public places has been significantly reduced, and besides allowing for better privacy it also improved communication;
• The authorization process for many has been centralized, and while more work is required, authorizations are more appropriate;
• EMR (EHR) systems have been improved to handle security – little was available in the existing software.  This is no longer the case;
• Training of students and nonhospital staff in teaching facilities has significantly increased, and less PHI is leaving teaching faculties;
• A lot of privacy screens have been added to computers;
• “Mail boxes,” electronic and paper, have been made more secure;
• PHI shared by employees (small town) has been reduced;
• De-identifying information is now the order of the day;
• Initials are used for patients instead of names, where names were not important;
• Check-in sheets have been improved;
• We now know to whom we are giving information;
• Shadow records have been reduced or eliminated;
• Waste disposal of paper with PHI has been changed;

In addition to the improvements related to privacy, there were other improvements that affected the flow of information and data flow.  Included among these were:

• Numerous paper data sheets and reports (all with PHI) processes have been reviewed – not only did PHI become protected, but the whole process of moving data on paper has significantly improved;
• Transcription and coding processes have been improved with regard to the security of the data and the amount of turnaround time;
• Implementation of the business associate process has indicated for some the need to improve their institution’s contract management in total.  New polices and software have been implemented and the entire contract process is in much better shape;
• Sub-provider and subcontractor contracts have improved beyond just privacy;
• Better data protection has been added to the system;
• Check in and check out procedures have improved;
• Retention and destruction processes have been reviewed and improved;

It was heartening to hear and see in our sample survey that there have been improvements.  This is something many of our health information managers predicted, and it did occur.  We expect more improvements over time, which is a good lead into some of the challenges we still face.

Challenges

In our recent survey a number of problems, I prefer to use the term “challenges were raised.”  One problem that you cannot easily address is the fact that the Rule touches on so many different facets of healthcare, society, laws, regulations, and culture.  We have to realize that nothing that is done today or tomorrow will satisfy everyone’s perception of how we should maintain and protect privacy and confidentiality. So, what I am going to list are our “top” challenges that we see early on in this era of HIPAA privacy.  They are, briefly:

• Accounting for Disclosures
• Research and Clinical Trials
• Business Associate Agreements and Processes
• State Preemption and “More Stringent” Provisions
• Clarification of Federal and State Privacy Requirements
• Release of PHI to family and friends
• Authorizations and Release of PHI to Patients
• Court Orders and Subpoenas
• Release of PHI to Law Enforcement
• Issues Related to the Directory Rules
• Clear Rules and Authoritative Answers
• Application to “Freelance Care Options.”

Challenge:  Accounting for Disclosures

The number one issue for our members, in our survey, and in all other dialogues we have had, is the requirement of accounting for disclosures (Section 164.528).  As organizations have gone through the implementation process, they have come to realize just how difficult this requirement is, especially as it relates to disclosures required by law that do not come under the treatment, payment, and operations provisions.  The extent of the difficulty is directly proportional to the size of the organization and the number of states in which it does business.  The impact varies by state as well, with some states having limited requirements and others having many.  These disclosure laws are often situational.  They may apply to the whole organization, or a specific profession or unit within an organization.

This past summer we looked into a suggestion made by the OCR that perhaps certain events created processes that could automatically trigger a report of a release.  Our review of this suggestion with AHIMA members and professional staff could not agree to such a process, because of the differences and inconsistencies in requirements and organizations, and the fact that much of healthcare is still paper-based.  No trigger or simple formula exists, and many mandatory reports are still paper-based and separate form provider or health plan data processing.  HIM professionals are just as concerned to not record an event that didn’t happen as they are for ensuring to record, when required, events that did happen.  

Recommendation:  We believe that the best solution for the “accounting for disclosures” problem would be to modify the Rule to eliminate the requirement for accounting for disclosures that are required by law.  Note, this is to eliminate the HIPAA accounting, not any legal requirement that might call for a copy of a report to be kept in the medical or health record.

Such a change should have a two-fold revision in the Rule.  First, Section 164.528 should be changed to eliminate accounting for disclosures required by law.  Second, Section 164.520 should be modified to require that a covered entities’ Notice of Privacy Practices (Notice) include a statement to the effect that the covered entity will be making all appropriate disclosures required by federal or state law, with a reference to an attachment, and/or posted list, of exactly what those disclosures are in that location.  [We suggest that this would be a list of such disclosures in language and terminology that could be understood by most patients, not a list of legal sections, etc.].

We suggest the list or attachment because we do not believe a covered entity should have to change its Notice every time the law changed with regard to such legally required disclosures.  Obviously, the list or attachment would have to be changed. 

We believe that such a notice, given to all patients, provides the notification of release or potential release, up front not after the fact.  Covered entities should be assumed to be good citizens that will abide by disclosures, therefore, the accounting for these activities should be assumed whenever necessary, and copies kept according to the particular law calling for each disclosure. 

This recommendation does not eliminate the other accounting for disclosure requirements, but it will greatly cut down on the number of disclosures that a covered entity must track, and allow the entity to centralize the accounting of the remaining situations much easier.  Our members indicate that for most of their populations this will eliminate any reporting for the “average” patient. For this reason, while we believe that an individual deserves an accounting of disclosures, this specific requirement related to mandated disclosures serves no purpose equal to the cost of such accounting.  

Challenge:  Research and Clinical Trials

We are aware that the subcommittee will take testimony from the research community at this meeting, so our comments, hopefully, will add to that discussion and some approach to resolution.

Even before the April implementation date, some AHIMA members were reporting concern for the release of PHI as it applied to research purposes and clinical trials.  AHIMA and other groups have attempted to work on education regarding these issues, but it is fairly clear that more understanding of the issues surround research use of PHI and the different ways it was to be obtained from covered entities was necessary as is more education on all sides of such use and requests. 

Like other parts of the HIPAA Privacy Rule, awareness and interpretation is an issue.  In this case, however, it is not only interpretation of HIPAA but also of the Common Rule, and conflicting interpretations, which are coming from researchers, IRBs, healthcare providers and plans, and other “advisors.”  The CDC, NIH, AHRQ and OCR have taken steps to provide guidance to the industry via the OCR Web page, but it is unclear if the industry is uniformly aware of all the problems and of the guidance given to date.

Recommendation:  We believe there is a need to form a working group representing each segment of the industry involved with the various research aspects of the Rule and ensuring some standardized approach and guidance (ultimately agreed to by the OCR), or necessary modifications.  Such a review process might also have to address concern from segments of the research community that the Common Rule itself might need modification.  Given, however, that such a discussion has not taken place, we cannot guess what the solutions might be.  Clearly, it was the intent of the Department of Health and Human services not to interrupt necessary research and research processes with the Rule, but this has not proven to be the case, and we believe a forum of those involved in research should be able to resolve such issues, now that we have had experience with the Rule and can specifically look at the roadblocks.

Challenge:  Business Associate Agreements

While I noted that work on Business Associate agreements has proven to have many side-benefits for organizations, there are still many who feel a need for more clarification and guidance on this requirement.  The problems raised on Business Associate Agreements have not been consistent enough to point to aspects that need changing, and it appears that one of the problems is too many “authorities” and not enough consistent understanding among these authorities. 

Many entities appear still not to know just who is and who is not a Business Associate.  Once a Business Associate is identified, confusion still exists as to what extent the covered entity is responsible for the actions of an associate, and whose responsibility it is to resolve any problems that arise.  Recent press coverage of situations where outsourcing has caused PHI to be sent to locations not covered by US law has further complicated this issue, as much as the similarly identified problem of identifying subcontractors of subcontractors.  Some covered entities are also concerned that they must somehow identify Business Associate practices in the facility’s Notice. 

Recommendation:  We do not, this early in the process, have a recommendation that can answer all the Business Associate problems.  It is clear, however, that some central authority must be established to respond to these questions, since the consultant authorities and attorneys are providing conflicting responses.  Given the nature of these problems - they appear to be across the board - we believe that with time and resources the OCR might be able to identify certain consistent problems, and either provide the authoritative response needed for all, or identify modifications that would resolve most problems.  For our part, AHIMA is preparing a technical “practice brief” to address some of the contractual review and risk analysis that organizations should perform to review any outsource options, including outsourcing that might lead to overseas placement of PHI.

Challenge:  State Preemption and “More Stringent”

While Congress may have been desirous of establishing administrative simplification, when it comes to privacy, HIPAA sets a floor not a ceiling, and the Rule’s provisions related to “more stringent” has created situations that are anything but simple.  These situations may also appear to be the undercurrent for many of the problems that have surfaced since the Rule was implemented.  In addition, some state legislatures have also initiated or passed additional state privacy legislation that has made identification of the “more stringent” and many of the definitions of both HIPAA and state laws even more difficult than before.  This may not be an issue that this subcommittee, the OCR, or the Secretary can ultimately resolve, and more Congressional action, which has proven difficult in the past, may be necessary.

I noted before that implementation of HIPAA has helped some state laws to be better identified and understood, however, the general comments AHIMA is receiving include statements like:

• States wants to charge covered entities to resolve preemption issues – in these difficult times the states do not have the resources to assist in resolving “more stringent” issues.  Covered entities are also responding that they cannot afford to define “more stringent” and are calling for some sort of “high court” for resolution.
• Some covered entities follow HIPAA requirements because the requirement is easier than the state’s (i.e. Some states require a patient authorization to share information with a relative, HIPAA does not.).  Covered entities are being blamed for not transferring needed information when in fact their attorneys have uncovered state laws that appear to be more stringent and mandate an authorization;
• State laws conflicting with HIPAA laws are confusing the public (and the covered entities);
• Health systems in multiple states are having significant problems keeping track of all the inconsistencies created by “more stringent” and preemption issues – they cannot write a single procedure or policy;
• The problem with state preemption gets even more complicated when dealing with behavioral health and substance abuse issues (see below);
• Some state laws regarding release to law enforcement are stricter than HIPAA, but now law enforcement agencies are demanding covered entities follow HIPAA when the state law should prevail;
• States are changing their laws because of the legislatures reaction to HIPAA, so the rules are changing constantly;
• More people know HIPAA than state law;
• The TPO disclosures without consent or authorization is contrary to state law and therefore, when we don’t release such information, but now other covered entities are coming down on us for following state law.
• State have laws on how much can be charged for copying – lower than what HIPAA allows and patients are now demanding more copies;
• State HIV rules are significantly different than HIPAA and other federal rules;

Recommendation:  As I noted, perhaps Congress is the only party that can deal with these preemption issues.  That said, however, there is much that could be done to identify the issues that Congress, and to some extent the states, need to address, but it will be necessary in some systematic way to ferret out the issues and, perhaps for the NCVHS, to make recommendations.  AHIMA, I must note, has always favored a privacy rule ceiling so that such problems would not exist – this is contrary to those who strongly believe this is a state’s right issue.

One potential solution might be to establish a forum for the legal community and state legislatures to join with the healthcare community in determining a means to resolve some of these identified issues.  Healthcare services are provided on an interstate basis, and there will be no simplification or means to build a serious national infrastructure if government and the legal community cannot assist in this process. 

Challenge:  Clarification of State and Federal Rules Related to Behavioral Health, HIV, Substance Abuse and So Forth

While the preamble to the Rule suggests that the Department has ensured that HIPAA does not conflict with other federal healthcare rules, this does not appear to be the case and the issue is further complicated because of state laws as I have just noted.  In addition, many covered entities are providers run by government agencies further complicating their ability to implement HIPAA to the fullest.  To our knowledge no survey of providers of behavioral health, HIV services, substance abuse, and others that have their own privacy requirements, has been done to clearly identify these issues. 

Recommendation:  We recommend that a survey of covered entities offering services in behavioral health, HIV, substance abuse, and similar services that have separate federal rules, as identified in the Rule’s preamble, be surveyed to identify problems of conflicts between federal rules and federal and state rules.  Once such a survey is completed and shared with the healthcare community, this subcommittee could serve as a forum to resolve some of the issues identified.

Challenge:  Release of Information to Families and Friends

The concerns surrounding the release of PHI to families and friend appears to be occurring due to a number of factors.  First, as the OCR has already identified, the environment for such disclosure varies from covered entity to covered entity and the Rule as written in its very legal format could not address the variety of these environments.  Second, added to this confusion are the state requirements that I previously noted.  Third, there is a fear on the part of many covered entities or their counsel that any mistakes in releasing PHI could result in lawsuits or legal sanctions.  Finally, we have a  public that is less than informed or ill informed as to what the state and HIPAA requirements really are. 

Recommendation:  While the preemption issue may prevent some resolution of all these disclosure problems, work with the various segments of the healthcare industry, and clearly stated requirements from an authoritative source (OCR) should resolve many of these issues.  AHIMA continues to support the OCR’s meeting jointly with different sectors to identify and resolve the misunderstandings associated with this disclosure issue, and stands ready to assist in the process in any practical way.

Challenge:  Release of Information to or for Individuals

Section 164.524 requires that covered entities release PHI to the individual in the form of copies of all or part of the record.  This same section notes that such a request from the individual or their representative could be required in writing.  Most healthcare providers have always had a similar requirement; however, this section does not provide any content for such a release (generally referred to as an authorization) of information either for the individual to have such PHI released to themselves, their attorney, or other parties. 

Without such a requirement, many covered entities have turned to Section 164.508 covering authorizations.  This section’s requirements were designed for any use or disclosure that is not covered elsewhere in the Rule.  Unfortunately, Section 508 (c) has some requirements that do not fit well for the individual who is seeking a disclosure or release of their personal information.  We have seen, by the way, authorization forms that neatly resolved this problem; unfortunately, they are not consistent, and we believe a consistent format is more proper.

A second problem identified with authorizations is “Whose authorization meets the requirements of Section 508?  I have often referred to this as the battle of the attorneys.  Some covered entities are advised to accept no outside authorization format, even if such an authorization meets all the requirements of the section.  Instead, the covered entity has been advised to provide a copy of its authorization form and the requestor is instructed to complete that form for a release. 

Recommendation:  AHIMA recommends a modification of the Rule so that either the OCR prescribes what should be included for a written disclosure in Section 524, or that Section 508 be modified to indicate that when an authorization originates with the individual or his or her representative, that certain subsections can be eliminated from the requirement.   

With regard to the second issue, we can only point out that in other HIPAA sections, if the transaction (in this case the authorization) meets all the requirements of the standard, then the receiving party is obligated to accept it.  If this problem does not resolve itself as we move forward, then perhaps a similar acceptance requirement will have to be added.

Challenge:  Court Orders and Subpoenas

Covered entities and attorneys have reported a number of problems with understanding what is or is not permitted regarding the disclosure of PHI and associated processes, under a court order or subpoena.  Once again this problem may be directly related to the preemption issue previously discussed, and we have not been able to ascertain if the problems can be directly identified with certain states.  We must note that, except for attorneys, who are actively involved in healthcare, many attorneys are not aware of HIPAA, so some of the problems here may be due to ignorance.  Needless to say once they have encountered the issue they have sought answers, and our members report sending copies of the Rule to a number of attorneys, as well as the location of the OCR Web site.

Recommendation:  At this time AHIMA believes that such issues as this be taken up as part of the discussion of the impact of preemption.  In the meantime, AHIMA will continue to monitor this issue to determine if there is any other means to resolve this problem.

Challenge:  Disclosure to Law Enforcement

As the subcommittee is aware, disclosure of PHI to law enforcement was identified as a problem before implementation of the Rule, and again it appears that the preemption problems are a major factor here as well. 

Recommendation:  At this time we have no recommendation other than to include this issue as part of the discussion on preemption and to continue to educate the law enforcement community and covered entities on the law that takes precedence in each specific situation.

Challenge:  Directory Requirements

The problems associated with facility directories are similar to some of those related to release of PHI to families.  Questions arise as to who should be considered clergy, since some faiths depend on laypersons to serve in the capacity of hospital chaplains.  Some facilities have also expressed the need for clearer descriptions of the requirements, and others have raised questions related to the acceptance of flowers, gifts, and mail for individuals who have elected not to be listed in the directory. 

Recommendation:  Since we have not conducted a definitive survey at this time, we do not have a clear recommendation other than to call for a meeting of the OCR with representative of the various providers (acute hospitals, nursing homes, long-term care facilities, and so forth) and as well as representatives of the chaplains to determine the nature of the various problems the directory requirements have surfaced.  We are sure that most of these issues will be easy to work out and recommendations can then come forth for whatever modification is needed.

Challenge:  Clear Rules and Authoritative Answers

This may be the largest challenge.  For many of the reasons I have noted before, it is clear that HIPAA Privacy requirements are not clear.  The legal way that the rule was written and then amended, combined with the preemption problems, and the appearance of many “authorities” has led to a confused industry and public.  This is unfortunate, because we believe that when studied most of the rule is clear as to the professional latitude given and the flexibility provided to ensure that the Rule does not interfere with the provision of care.  Perhaps in the litigious era there is too much flexibility for many to handle.  That is unfortunate, because we have seen the OCR and several other organizations do their best to ensure a proper understanding and implementation of the Rule. 

Recommendation:  I have indicated that the preemption issue is a problem to understanding what the requirement is for a particular situation.  This can only be resolved by either moving to a Privacy Law and regulation that sets a national ceiling, not floor, for privacy and confidentiality, or the case by case resolution of each conflicting case, something the public may not understand or tolerate.  Either way, there has to be some systematic means to define this problem for the proper policy makers.

Preemption, however, is not always the cause of the confusion, and in the meantime we believe that the covered entities in the industry stand ready to work with the OCR to clarify requirements and to develop a process whereby (and outside of preemption) authoritative answers can be provided from a single source, the OCR.  We believe that the NCVHS should call upon the Secretary and the Congress to provide resources for a survey of the HIPAA privacy rule in 2004 or 2005 at the latest.  Furthermore, resources should also be increased to provide for an OCR document that can convert the HIPAA legal requirement into a description that the public, non-attorneys, can understand.  While AHIMA and others have tried to do this, something is needed with an HHS stamp of approval.  AHIMA stands ready to assist in input for such a document and for any other way that we can allow for industry and consumer understanding of the requirements.

Challenge:  Application to “Freelance Care Options”

This last challenge that we will address today was identified as groups in the healthcare community held health fairs and provided flu shots and other healthcare checks in public places around the country.  Such events are for the good of the community and are now being challenged to abide by the HIPAA Privacy Regulations.  Quite frankly, this is one of those items that we did not see addressed pre-regulation.  Calls are coming in now as to whether Notices of Privacy Practices must be given, how should accounting take place, and so forth.  Often one or more covered entities provide the inoculation or the screening at such an event, and other covered entities, including health plans, are the sponsors of the event, so we even get the question, whose Notice?  Whose accounting? and so forth.  We haven’t given answers, and the ones we hear vary across the map. 

Recommendation:  This is not a simple question, and we are not sure what the answer should be.  We are not aware of any event that has been canceled by a challenge to the Rule, but there have been enough questions that our recommendation must be that this issue be discussed.  Since accounting may be a problem, this issue might be resolved by merely requiring such events to carry a separate notice describing how any PHI will be handled, and leave it to the attendee – the individual – to decide whether or not to participate in the event.  

Mr. Chairman, that concludes our comments for today.  I’m sorry that we have not brought you answers to all the issues that have arisen in the implementation of the HIPAA Privacy Rule.  Overall, we believe that the healthcare industry and the public have experienced a good change that, over time, will become even better.  While there are a few issues that may strain our ability to move forward without the support of Congress, the time since implementation has been short, and we believe our recommendations and the good work of the healthcare community, the OCR, and this committee will be able to address and resolve many of these problems.

AHIMA’s members are an active part of the healthcare community, and we desire to participate in the resolution of these problems in any way possible.  We are anxious to continue the good work of the Rule and to bring our nation full confidence that PHI is being handled appropriately and that confidentiality and security appropriately exist in this nation’s health records and data systems and organizations.

Again, our thanks for having this opportunity to participate in this ongoing discussion.  We await your questions today and in the future.