Testimony To The National Committee On Vital And Health Statistics

NOVEMBER 12, 2003

Testimony To The

National Committee On Vital And Health Statistics

~ Subcommittee on Privacy and Confidentiality ~

The Impact of HIPAA Privacy Regulations

On Public Health Data Functions

Denise Love, RN, MBA
Silver Spring, Maryland – November 19-20, 2003

Mr/Madame Chair, members of the Subcommittee, my name is Denise Love and I am the Executive Director of the National Association of Health Data Organizations (NAHDO). On behalf of both NAHDO and its members and stakeholders, I want to thank you for the opportunity to offer testimony about the impact that the new HIPAA Privacy regulations have had on public health agencies, and their ability to effectively collect, use and report health information.

About NAHDO

The National Association of Health Data Organizations is a non-profit membership and educational organization, established in 1987, to promote the public availability of health care data and improve health care data systems. Our members represent collectors and users of statewide health care data systems which serve as the major source of population-based health care surveillance data to monitor health care cost, quality, and access at the state and sub-state levels. Increasingly, state health care data are supporting national initiatives, such as the Agency for Healthcare Cost and Quality’s Healthcare Cost and Utilization Project (HCUP), which will provide health care market and policy indicators for the National Healthcare Quality and Disparities Reports. State health care data also support national and local research and community assessment initiatives. Assuring continued access to health care data, and expansion to emerging data sets is essential to measure and improve the health of populations and the health care they receive.

Privacy Regulations Provide a Legal and Technical Framework for Data Collection and Use

NAHDO believes that the HIPAA Privacy regulations recently implemented throughout the country have provided a much-needed national framework for the protection of individually identifiable health information. These regulations are not perfect and it will take time to sort out the issues and make refinements as these opportunities are identified. NAHDO considers the regulations as the price ticket to the electronic information age.

The regulations have significantly strengthened the ability of patients and consumers to understand and control what happens to their health information and established specific boundaries and limitations on when personal health information can be used and disclosed.

The regulations have also attempted to strike a balance between people’s claim to privacy of health information and their public responsibility to contribute to the common good, by allowing the use of their information for important community purposes such as public health.

Privacy Regulations Affect on Public Health and Health Data Organizations

We have been asked today to provide testimony to this subcommittee on the impact that these regulations are having on public health and health data organizations. I would like to start by stating that we strongly believe that the HIPAA Privacy regulations are having a profound effect on the ability of public health agencies and others responsible for ensuring the health and safety of the population to have access to health information in order to carry out their responsibilities.

My testimony will focus on the following areas:

Overall designation of public health agencies under HIPAA Privacy
Impact on the ability of public health agencies to obtain health information from covered entities
Impact on the sharing of health information between government agencies, particularly public health, Medicaid and Medicare
Impact on the disclosure of health information by government agencies to external users
Impact of the accounting of disclosures requirement on public health-related data functions
Impact on specific public health data activities, such as disease registries
Concluding comments

1. Overall Designation of Public Health Agencies under HIPAA Privacy

Most public health agencies across the country have taken the necessary steps to decide what type of entity they are under the HIPAA Privacy regulations. Some have identified themselves as non-covered entities, others as covered entities under HIPAA, and yet a third group have made a decision to consider themselves hybrid entities. It is important to recognize that even those public health agencies that consider themselves non-covered entities under HIPAA will still be impacted by the privacy regulations.

Although this initial step has been achieved by many state and local public health agencies, we understand that there are still significant questions and confusion around how to operationalize these designations, within the context of public health. For example, as a hybrid entity, a public health agency might find it difficult to distinguish the source of a request for individually identifiable health information from covered entities – whether the request is for public health purposes coming from a non-covered component of the hybrid agency, or for health care operation purposes of a covered component within the hybrid agency.

Recommendation: We strongly recommend that the Department develop additional guidance and provide sample models that explain how specific HIPAA Privacy designations affect public health agencies.

2. Impact On the Ability of Public Health Agencies to Obtain Health Information from Covered Entities

We believe the most significant impact the regulations have had on public health has been on the ability of agencies to continue collecting health information from covered entities.

While the regulations clearly established specific permitted disclosures of protected health information for purposes of public health and other related important community purposes, many covered entities initially delayed, reduced, and in some cases considered stopping the provision of PHI to public health agencies. Though many state and local agencies have worked through these concerns, there may be pockets of difficulties. For instance, many registries or other data reporting mechanisms may have been established voluntarily with support and collaboration between providers and the public health entity. With HIPAA, the legal basis for these reporting systems is being challenged, forcing the public health authority to mandate the reporting. In some states, implementing such mandates are politically difficult, thus jeopardizing some of these data flows.

We believe that this unintended consequence of the regulations is primarily due to three factors:

Misunderstanding of the permitted disclosure by the covered entity
Fear on the part of the covered entity of inappropriate disclosure and liability implications
Required additional documentation and processing of the requested information on the part of the covered entity

From the public health agency’s perspective, agencies have faced challenges from covered entities as to the purpose and authority to collect certain information. Many had to develop and provide additional clarification and documentation to support data requests that for years have been in place and functioning appropriately. Several states are going back to their state legislatures to strengthen data reporting requirements.

Specially impacted by the HIPAA regulations are voluntary state reporting data systems that rely on the participation of local health care providers and health plans. For example, in order to continue the reporting of benign brain tumors to the cancer registry, previously done on a voluntary basis, an amendment to the enabling statute and changes to their reporting regulations have been required (still in process).

Also impacted in a significant way are local Boards of Health, which are important components in the tracking and surveillance of diseases. Traditionally, they have had some level of difficulty getting providers to report to them. Now, it is even more difficult, as providers believe they are not permitted to report because of HIPAA.

Local physicians providing immunization data voluntarily to the public health authority now believe they must account for every disclosure related to this reporting. This added burden hinders continued reporting under the voluntary reporting structure.

Recommendation: In light of these difficulties, we strongly recommend that DHHS develop a comprehensive educational strategy targeting providers and health plans on the importance of public health reporting and the ability, under HIPAA regulations, for covered entities to continue reporting health information to public health agencies. This comprehensive educational strategy should include case studies for specific public health data initiatives – such as the ones listed later on in this testimony.

3. Impact on the Sharing of Health Information Between Government Agencies

Another very significant impact of the HIPAA Privacy regulations has been on the sharing of health information between government agencies, federal, state, and local. Our members report that in some agencies, there seems to be a “chill” in providing data to other programs or for research. HIPAA Privacy Regulations are often blamed, but the problem may be deeper.

Due to real and perceived restrictions and limitations of data sharing imposed by the regulations, compounded by a lack of understanding of permitted disclosures and fear of liability, there has been a greater resistance to sharing data across public agencies. For example, a state Medicaid agency may resist sharing data with the public health authority, thus permitting the merging of patient level information to support specific public health programs, such as WIC, Newborn and Child Health Programs.

In some cases, public health agencies have had to resort to alternatives data approaches such as the use of de-identified data – which limits the effectiveness of the public health program – or new inter-agency agreements to allow the use of limited data sets.

The same issues apply to data exchanges between state and local public health, and between federal and state programs. On this last point, states have noticed a significant shift in how CMS is handling the exchange of health information with states. Both Medicare and Medicaid data are important population-based data sets for state health statistical and public health purposes. Several states report that CMS is non-responsive to their requests to negotiate data acquisition for these populations. As outpatient data systems are developed to augment current inpatient reporting by states, it is essential that the public payers are full participants and partners in these data systems.

Recommendation: We strongly recommend that DHHS institute a culture of data exchange and sharing within and across federal agencies. Development of messages and models for transparent and appropriate data sharing practices will build public trust and set an example for state and local agencies. This culture can be promoted by:

Providing ongoing guidance to federal, state and local agencies on how they can continue to share health information for program operations and evaluation. Examples and case studies on how this data sharing can be accomplished will be very valuable.
Expanding and enhancing research and training efforts to help health data base stewards mask and code/encrypt data sets without losing the granularity and specificity needed to conduct statistical analyses. Federal-state partnerships should be expanded to build local and state capacities for statistically protecting health data sets for interagency and public use.
Testing various data sharing models that facilitate data sharing. For example, the “honest broker” model”, a third party entity would encrypt/mask identifiable data and control the identifiable data. The two data sharing agencies would not have access to the identifiable data, but would need to work through the third party to resolve statistical or other problems requiring identifiable data.

Furthermore, we recommend that DHHS and the Data Council consider developing a model data sharing agreement for the exchange of data between government entities. In the past, CMS, CDC and HRSA had worked on a similar type of agreement and guidelines for local public health agencies on how to share data. We believe this was an excellent effort that should be revisited.

4. Impact on the Disclosure of Health Information by Government Agencies to External Users

Government agencies, including federal, state and local public health agencies, periodically receive requests for health information from external data users for multiple purposes, including program analysis, evaluation and research.

With respect to these disclosures, we strongly support the approach used in the regulations of permitting the creation and use of limited data sets and their release for specific purposes through data use agreements.

Nevertheless, we believe that government agencies have began to severely restrict access to otherwise available data that had been used in the past for program evaluation and analysis “due to HIPAA”. NAHDO, as a user of state and federal data, has experienced these new restrictions to access. This attitude, in our opinion, is fueled by fears of inappropriate disclosures, lack of understanding of the limited data set provisions, and the additional resources need to process and document data requests.

Recommendation: Public health data are a societal good, if used appropriately. We strongly recommend that DHHS develop additional guidance for federal and state agencies that clarify when and how they can disclose health information for other purposes such as policy development, program analysis and evaluation.

5. Impact of the Accounting of Disclosures Requirement on Public Health-related Data Functions

Under the accounting of disclosures provisions of the HIPAA privacy regulations, covered entities that disclose PHI to government agencies for purposes of public health or other related functions must document and keep track of such disclosures.

This requirement has become an important burden and in some cases a deterrent for covered entities to continue disclosing and reporting data to public health.

This has affected both required and voluntary reporting, such as reporting to immunization registries and other disease registries, as well as participation in discharge data systems.

More specifically, one area of concern is the reporting of abuse and neglect cases to social service agencies. These disclosures are permitted under HIPAA, and in many states, the reporter of the case (usually the provider) is protected by confidentiality requirements imposed on the social service agency receiving the report. But the HIPAA accounting of disclosures requires that the provider reporting these cases document the disclosure (and its purpose), which will then be accessible by the patient, creating a disincentive on providers to continue reporting these suspected cases of abuse or neglect.

Recommendation: We strongly recommend that DHHS conduct a formal evaluation of the impact that the Accounting of Disclosures if having on public health and other related reporting. To the extent that this requirement may dissuade covered entities from reporting important public health information, it should be reevaluated and considered for an exception.

We also recommend that DHHS provide further guidance to public health agencies, so they can be provided to covered entities reporting to them, on the documentation of accounting of disclosures that will simplify and reduce the level of burden created by this requirement on covered entities. In our view, part of the problem is the misconception around what and how data needs to be recorded for purposes of the accounting of disclosure. For example, multiple time disclosures done to the same person or entity for a single purpose do not need to be recorded on a per-case basis.

6. Impact on Other Public Health-related Data Activities

There are a number of public health data activities worth noting in this testimony that are affected by the way HIPAA Privacy regulations are being implemented. These include:

A reduction in participation on, and reporting to immunization registries that are voluntary in nature;
A slow down in reporting to specific disease registries such as cancer and tumor registries, asthma registries, trauma registries, etc.
A reduction in participation on discharge data systems and a challenge to the public health-related use of discharge data systems.
Unintended restriction on the voluntary reporting by providers of certain patient situations such as state authorized voluntary reporting of impairment of driving ability for public safety (not meeting the definitions of permitted disclosures under the HIPAA privacy regulations)
Distinction between the uses of PHI for research vs. health care operations. The lines between research, public health activities and health care operations are hard to define, particularly for public health agencies. There is a need for greater clarity on these definitions and how they apply to public health agencies.

7. Concluding Comments

Overall, we believe there is still a significant need for general education in the area of HIPAA Privacy and Public Health. A system of coordinated special technical assistance and guidance is needed for states and public health agencies to help them implement these regulations in a more efficient and effective manner. Several recommendations in this area were provided throughout the testimony.

We also believe there is an opportunity to establish mechanisms for privacy officers form public health agencies to get together and discuss best practices and practical approaches to resolve implementation issues.

In summary, we strongly believe the HIPAA Privacy regulations are having a significant impact on the ability of public health agencies to carry out their responsibilities. The Department should undertake, in the short term, a more formal, comprehensive assessment of this impact.

NAHDO will stand ready to continue to work with this Subcommittee and other industry groups to assist the public health sector continue to work through the issues associated with the implementation of these complex regulations.

I thank you again for the opportunity to provide this testimony.