[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

July 14, 2004

Hubert H. Humphrey Building
Room 705-A
200 Independence Avenue, SW
Washington, DC

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, VA 22030
(703) 352-0091


P R O C E E D I N G S (9:10 A.M.)

Agenda Item: Call to Order, Introductions, Opening Remarks - Mark Rothstein, JD

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I'm the director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine, and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens, which makes recommendations to Congress and the Department of Health and Human Services on health information policy, including those related to the Health Insurance Portability and Accountability Act.

On behalf of the subcommittee and its fine staff, I want to welcome you to the first of two days of hearings on implementation issues under the HIPAA privacy rule. I also want to welcome those of you who are listening to us on the Internet.

Before proceeding further, I would like to have introductions, beginning with members of the subcommittee and staff. I would invite subcommittee members to disclose their conflicts of interest at this time if they have any. I will begin by noting for the record that I am a professor of medicine at a medical school that is supported in part by contributions from grateful patients. Therefore, I could be considered to have a conflict of interest in our discussion of fund raising, which will occur this afternoon.

Now, for the other members of the subcommittee and staff.

[Introductions were made.]

I should note that the subcommittee will begin with a briefing on the HIPAA Security Rule, and that will be followed by three panels of invited witnesses on the issues of marketing, fund raising, and media access to protected health information. In addition, we take public comments on these issues from 4:30-5:00 pm this afternoon. Any individual who is not an invited witness may sign up to testify for five minutes. The public testimony slots are on a first come, first served basis.

Unless the members of the subcommittee have any comments or remarks to make at this time, I would like to proceed with the briefing on the Security Rule. And I want to welcome and thank Stanley Nachimson from CMS, who has graciously agreed to testify before us this morning.

Agenda Item: Briefing on Security Rule - Stanley Nachimson, CMS

MR. NACHIMSON: Thank you very much. I appreciate the opportunity to provide the subcommittee a little bit of education on the HIPAA security standards regulation. I understand you spend a lot of time on privacy, and certainly the security standards rule is directly applicable to your work. So, I will spend some time this morning giving you some details about the security standards final rule.

I'll be happy to stop and answer questions at any time. There is quite a bit of detail in the briefing. Let me know along the way if we are going into too much detail, or not enough detail, and I will adjust as necessary. I think everybody should have paper copies of the presentation. I think they are available also at the desk.

Our security standards regulation was published on February 20, 2003, with a standard effective date of April 21, which means according to the general HIPAA schedules, covered entities have two years after the effective date to comply with the rule, except if you are a small health plan, you get an additional year. So, the compliance date, the date that covered entities are expected to meet all of the requirements of the security rule, is April 21, 2005, except for small health plans that have until April 21, 2006.

So, now we are a little less than one year away from the compliance date. We have had a little over a year for folks to digest the final rule, and determine how they are going to comply with it.

We had some general requirements that are published in the final rule, what the real purpose of these security standards is. And they are really to insure the confidentiality of electronic-protected health information, that is, only the right people in an organization get to see the information.

We need to insure the integrity of electronic-protected health information, that is, it's not altered by someone either inadvertently or advertently. The fact that the information stays the way it should be. And also, the information is available, that the right people get to see the information when necessary.

What we hope to do is create a balance here in protecting information. Obviously, we could have a perfectly secure environment where information goes into a computer system, and no one can see it. The information is perfectly secure, however, it is basically useless to an organization. So, what we tried to do is build a balance in the security regulations that information is protected, but people can see it.

It's important to understand that the security standards apply only to electronic-protected health information. This is as compared to the Privacy Rule, which protects all protected health information. Security standards at this time only apply to electronic-protected health information. And it's that electronic-protected health information that any covered entity either creates, receives, maintains, or transmits.

So, this is a contrast to the transaction standards, where the transactions standards regulation really apply to information that is flowing between covered entities. Here, security standards apply not only to that information, but also information that any covered entity will store or create within their organization.

What we expect covered entities to do is protect against reasonably anticipated threats or hazards, and that's in the Security Rule, the security or integrity of the information, and protect against reasonably anticipated uses and disclosures that are not permitted by the Privacy Rule.

I want to emphasize the word "reasonably," because we do not expect covered entities to protect against every possible threat or hazard to the security, or every possible use or disclosure not permitted by the Privacy Rule. That would probably be incredibly burdensome for any covered entities. But what we want to do is make sure that covered entities look at the threats to their information, and determine what is reasonable for them to protect against. We go into some more detail in that in the regulations, and I'll go into that.

We also expect that covered entities would insure compliance by their workforce. It's not enough to set up a nice series of plans and policies and procedures, document that and put it on the shelf, and say that's it, we're done. We really expect that covered entities will train their workforce, and make sure that their workforce follows those policies and procedures to insure that there is protection against the information.

When we designed the regulation, we had a couple of themes that we kept in mind. First, we wanted to make sure that our regulation and our standards were scalable and flexible. Because these standards apply to a wide range of covered entities, from the smallest physician's office to the biggest health plan, we had to make sure that our standards were flexible enough so that covered entities can take into account the size of their organization, the complexity of their organization, their organization's capabilities and technical infrastructure, the cost of procedures to comply with these standards, and potential security risks.

We designed the standards so that covered entities get to take these into account when they design their protections. We also wanted to make sure that our standards are technology-neutral. The pace of technology change, especially in the security area is so fast, that if we were to write a regulation, propose it, go through the public comment process, set up a final regulation, and give covered entities two years to comply, if we adopted a particular technology in the regulations, that technology would be way outmoded by the time it was time to comply with the regulations.

So, we took out any references to specific technologies. We talk about what needs to be done in the regulations, not how or what particular technology a covered entity needs to use. That choice of technology is up to the covered entity.

We also wanted to make sure that our standards were comprehensive in that we don't address just the technical aspects, the way that a computer system has to work, but behavioral aspects. How should a workforce act in terms of protecting the security of electronic-protected health information?

So, how did we accomplish this in this standard regulation? We developed a set of standards that are all required, but also included implementation specifications that provide some more detail as to what these standards mean. But these implementation specifications can be either required -- you have to do them -- or addressable.

And what do we mean by addressability? An addressable implementation specification means a covered entity has a decision to make in regards to that implementation specification. A covered entity could decide to implement that exact specification if it is reasonable and appropriate for that covered entity to do so.

They can implement an equivalent measure, something that accomplishes the basic purpose of that implementation specification, but is not quite the same thing, again, if it's reasonable and appropriate for that covered entity to do so. Or they can decide we're not going to implement that addressable specification, again, if it's reasonable and appropriate for that covered entity to make that decision.

And those decisions are based on sound and documented reasoning from a risk analysis that every covered entity is required to do, in fact a risk analysis is a required implementation specification. But based on the entity's risk analysis, they get to decide for each addressable implementation specification, what of those decisions to make for each addressable implementation specification.

Now, security measures in terms of maintenance, have to be reviewed and modified as needed to continue reasonable and appropriate protections. That decision is made about implementing the addressable implementation specifications based on the initial risk analysis, and we expect on a periodic basis, every covered entity to revisit their risk analysis, and revisit the decision that they have made on addressable implementation specifications.

So, what are the standards that we have adopted in the security standards regulations? There are five sets of standards. We have: administrative safeguards; standards for physical safeguards; technical safeguards; standards for organizational requirements; and the fifth section is policies and procedures, and documentation requirements. There are five sections in the regulation I specified there for each of the standards. And the regulation sections go from 164.308 through 164.316. Those are the specific standards within the regulation.

I'll talk a little bit about each of those sections now. I'll give you some detail about the standards, and the particular implementation specifications within each standard.

The first set that we address are the administrative safeguards in Section 164.308, and these really set up the administrative structure for security standards within an organization. The first section, 164.308, is security management process, where we expect covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations.

And I want to try and stay as close as possible to the exact wording of the regulation when I talk about these, so we don't get into interpretation questions, at least in my discussion here, and I'll certainly welcome any questions as to what we meant by each of these standards and implementation specifications as we go along.

The first required implementation specification under security management process is the risk analysis that I spoke about, the analysis that a covered entity must do of all of their electronic-protected health information, and systems to determine the particular risks to the information that they hold, that they transmit, that they receive.

Secondly, another required implementation specification, a risk management plan. How do you begin to manage the risks that are identified in risk analysis? The third required implementation specification under the security management process is a sanction policy for each organization. That is, what are the sanctions that are applied to individuals within the organization when they might violate the individual organization's security process? And an information systems activity review, again as part of their security management process, another required implementation specification.

The second standard under administrative safeguards is assign security responsibility. There are no implementation specifications underneath this. If there is a standard with no implementation specifications, that is assumed to be required, so every covered entity must implement this. There are no decisions to be made about whether or not to implement that.

Assign security responsibility. Each covered entity must identify an official who is responsible for the development and implementation of the policies and procedures that are required by the subpart for the entity. This is a security official. It can be the same person as the privacy official. There is no requirement that it be the same person or a different person. This is a decision that is left up to the individual organization, but there is someone who needs to be named and identified as the responsible person in the organization.

The next standard under administrative safeguards is workforce security, and if it's all right with everybody, I think we will skip the PowerPoint presentation, since I think we have all got it on paper. I will make it available to the subcommittee, if they want to put it up on the Web site or distribute it to anybody. I've got it here on a disk.

MR. ROTHSTEIN: That's fine. We're doing just great.

MR. NACHIMSON: On page 15, we're up to workforce security of the standard under administrative safeguards. This is where we move into how does the workforce react to protect the security of electronic-protected health information. It's incumbent on the covered entity to implement policies and procedures to insure that all workforce members have appropriate access, again, availability of information, and to prevent workforce members without access from obtaining access to electronic-protected health information.

So, there are addressable specifications here to determine how to authorize individuals to get information, how to set up clearance procedures for a workforce to determine whether or not individuals have clearance to access particular information, and an addressable implementation specification for termination procedures.

When you terminate an employee, what are the appropriate procedures that need to be set up to make sure that those individuals no longer have access to information? They are all addressable implementation specifications, and an organization gets to look at their particular situation, take into account the factors I mentioned before -- complexity, cost, size -- determine what sort of procedures to set up under this standard to meet these implementation specifications.

The third administrative safeguard standard, information access management. A covered entity must implement policies and procedures for authorizing access to electronic-protected health information consistent with the applicable requirements of the Privacy Rule. Each organization by now will have set up their procedures for complying with the Privacy Rule. They know who should have access, who shouldn't have access.

Now, when we have electronic-protected health information in that organization, the entity must implement policies and procedures for authorizing access to that electronic PHI based on the privacy procedures that have already been set up.

There is a required implementation specification to isolate health care clearinghouse functions. That is, if a covered entity operates as a health plan, and also a health care clearinghouse, they must make sure that their clearinghouse functions are isolated, and individuals within that clearinghouse have appropriate access to the clearinghouse information, and not inappropriate access to health plan information, for example. There shouldn't be a mixing of that information, again, if a covered entity is doing both functions.

There are addressable implementation specifications for access authorization. That is, how do you authorize the access for individuals. And access establishment and modification once you determine who has, and who is authorized for access. How do you establish that access? And how do you modify that access as necessary?

Again, we would expect for the most part things like role-based access. You determine what individuals, what job functions have access to particular information, and set up policies and procedures to establish that access, modify that access as necessary, as individuals move from position to position. I start out as a claims authorizer, for example. What access should I have to electronic protected health information? And then how are systems set up to arrange for that access?

DR. FITZMAURICE: Stan, you mentioned isolating health care clearinghouse functions from health plan information. For a self-administered health plan, would that also require isolating that information from regular personnel information? So, that an employer wouldn't have access to the health information of its workers?

MR. NACHIMSON: That particular implementation specification does not necessarily apply there. But the other implementation specifications about access authorization, access establishment, and modification would apply there. So, someone that does not have the rights under the organization's privacy policies to see particular information, the systems would be set up hopefully to prevent that access. That's where these things would be established.

MR. ROTHSTEIN: But is it your point that who gets access to that information is determined by the organization itself, or by some objective standard of who has a need to know that information? In other words, could a self-insured employer theoretically adopt a policy that we have interoperability of functions, and everybody has to potentially do everything, and therefore, we don't want to restrict anyone's access to that information?

MR. NACHIMSON: I think the organization, under their privacy requirements, they determine who can have access to that information for payment and treatment operations. If they determine that individuals can mix, those individuals could possibly have access to that. And it's up to their implementation of the security standards to implement those sorts of access requirements. They could determine that an individual has access to certain systems, and their security policies would set up that particular access.

MR. ROTHSTEIN: So, my question I guess, following on Michael's question, is am I correct in saying that the rule provision that we are talking about merely requires the covered entity to enforce its own policies that it sets up, as opposed to having some sort of standard that applies to those policies, and dictates what those policies should be?

MR. NACHIMSON: And I would say that that standard you are referring to, would be within the privacy compliance. That's where the decisions about who has access to what information are made. The purpose of the security rule is to set that up in the electronic environment, so that it is consistent with our privacy policies.

They could not make one decision under privacy, and say Stanley does not have access to that information, and then set up their information systems to give me that access, saying, well, we made that decision consistent with the security. No, that's not consistent with security. It has to be consistent with the applicable requirements of the Privacy Rule.

MR. ROTHSTEIN: Thank you for that answer, and I'm sorry to have interrupted you.

MR. NACHIMSON: No, that's no problem at all.

MR. ROTHSTEIN: We tend to like to ask questions at the end.

MR. NACHIMSON: I think I'm happy to do that, because this is not -- I don't believe the Security Rule is just straightforward and easy to understand, particularly in its relationship with the Privacy Rule. So, please, as we go along, let's ask questions, and I'll expand my explanations.

The next administrative safeguard has to do with security awareness and training. And this is where again, we move into some of the behavioral aspects. We want to make sure that all covered entities implement security awareness and training programs for all their workforce members including management.

So, the CEO of the organization doesn't get to say, all right, we are going to implement security, and I want everybody to take training, but I'm not going to worry about it. It's critical that every member of the organization understand the security policies and procedures. That's not to say that the training cannot be customized for each level of the organization, but it is important that every member of the organization be trained, and be aware of the security policies and procedures in that organization.

And we give some suggestions for the types of things that should be included in a security training program. Again, these are all addressable implementation specifications, so the organization gets to take a look at what their organization is, and determine what should be included in their security awareness and training. There has to be a security awareness and training program. The exact contents, again, are left up to the organization based on their size and capabilities and their infrastructure.

So, password management might be important in a large organization, but may not be as important in a single physician office that perhaps it's just the doctor and one other worker that have access to the computer, and access to the information.

The next administrative safeguard has to do with security incident procedures. There have to be policies and procedures in place to address security incidents. If someone intercepts information that is being sent, someone hacks into your system, you have to have policies and procedures in place to determine what you do if there is some sort of violation of your security, set up requirements for response and reporting of that information.

And the next administrative safeguard has to do with the contingency plan, and this is where we get into the availability of electronic information. It is incumbent upon covered entities to establish policies and procedures for responding to emergencies or other occurrences that damage systems that contain electronic PHI.

It might not sound like it's a security issue, but it really is. What happens if there is an earthquake, a hurricane, a power failure, any number of incidents that damage their systems that contain electronic PHI? It's critical for an organization to be able to continue to operate. A doctor's office just can't shut down and hopefully not treat patients. We would not want a health plan to just shut down for two weeks and not pay claims, not provide authorization to its physicians, because something happened to their computer systems.

So, we require each covered entity to set up a contingency plan that includes a data back-up plan, a disaster recovery plan, their emergency mode operation plan. If there is an emergency, how is the organization going to operate? How are they going to access critical pieces of information?

Testing and revision procedures, and an applications and data criticality analysis; those last two are addressable implementation specifications. We would expect I think larger and more sophisticated covered entities to move into those areas.

A data back-up requirement implementation specification could be for a small office, as simple as a physician's office backing up their information every night, putting it on a disk, and making sure that they have perhaps a computer at the physician's home or some other place that they would be able to continue their operations the next day.

The next administrative safeguard is that for evaluation. We expect covered entities to perform a periodic technical and non-technical evaluation to establish the extent to which their policies and procedures meet the requirements. So, it's not enough to set up your initial security plans and procedures, train your workforce, and move on from there.

It is important and required under the rule that there be a periodic evaluation of those security plans or procedures, just to make sure that you are still protecting the information, that if there are environmental or operational changes, you are still adequately protecting the information.

If you set up a new system, you have new processes, you have new people in place, there are new threats to the security information, new viruses, whatever new ways that people are figuring out how to get at the information. It's critical that you continue to update your security plans and procedures to address those.

There is a requirement for business associate contracts and other arrangements, as under the other HIPAA standards. You can have business associates to do some of your operations. A covered entity may permit a business associate to create, receive, maintain or transmit electronic PHI on their behalf, but only if that covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

There needs to be a written contract or other arrangement, certainly in the case of covered entities, just to make sure that business associates adequately protect the security of information. So, that's the suite of administrative safeguards. You can see that it's fairly comprehensive.

We next move into the physical safeguards. How do you protect the physical environment of a covered entity? Those are Section 164.310 of the regulations, physical safeguards. The first standard is for facility access controls. Policies and procedures to limit physical access to electronic information systems or facilities in which they are housed, while insuring that properly authorized access is allowed.

This is where I think we specifically maintain the balance. You obviously have to stop certain people from coming into your organization, from accessing your information, but you absolutely have to allow certain people to access that information.

There are addressable implementation specifications for contingency operations. Again, under contingency, how do you both protect, limit, and allow physical access to information, a facility's security plan, access control, and validation procedures, and maintenance records?

I think the reason that these are all addressable specifications is again, the wide range of physical plants that we have in the health care industry, from a small physician's office, small provider's office, to a large health plan that is housed in a campus or throughout a campus. The access controls are much different if you have a small office in a building, than if you have all of your own buildings, or you are spread out throughout the country.

The second physical safeguard is that for the use of workstations, and there is no implementation specification here. It is a required standard. Every covered entity must implement policies and procedures specifying proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings or specific workstations or classes of workstations that can access electronic PHI.

If you've got computers in your office, what are those supposed to do? How those functions are performed, what sort of rooms should you lock them or not lock them in. Should they be air conditioned, should they not be air conditioned? How do you make sure that the physical workstation itself adequately protects information, and adequately allows access to electronic-protected health information?

In workstation security, the next physical safeguard, implement physical safeguards for all workstations that access electronic PHI to restrict access to authorized users. How do you set up passwords on those workstations to make sure that I can't walk into any health plan, sit down at a workstation, and start accessing electronic PHI if it's not my job?

And again, if it is my job, how do I make sure that I can access that information? If I have workstations that are designated for a certain job, and that's my job, they can be placed in a specific room, in a locked room, and only certain people have access to that room and those workstations. It's important for the entity to have processes in place to make sure that the right people have access, and the wrong people don't have access.

If that means setting up a code, or giving out key cards, that's perfectly appropriate. Again, the covered entity gets to make that decision, but they also have to make sure that access is assured for folks that do need access, and it is prohibited for folks that should not have access.

The next standard is for device and media controls, policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within a facility. Again, if we are talking about PDAs that contain information, if we are talking about diskettes, notebook computers, there have to be policies and procedures in place to make sure that electronic PHI is not accessed where it should not be accessed.

You have to make sure that there are policies and procedures in place for disposal of information. It's time to get rid of old computers. I think you have all seen the newspaper or media reports where old computers get donated, and all the sudden people start accessing credit card numbers, financial records, all kinds of information.

It's critical that health care entities, covered entities that have this information, make sure that when they dispose of their computers, they figure out a way that that information disappears. Perhaps the safest way is to take a hard drive and just smash it to smithereens. Our security expert thinks that that's pretty much the only way to guarantee that there is no access to that. But obviously there are other software procedures that can be applied to wipe out information.

Media reuse, same thing. I've got a diskette that I'm using for something. I put information on there. That diskette could be used by another department. There needs to be a way to make sure that electronic PHI, if it was on diskette, and this diskette goes to another department that should not have access to the electronic PHI, that somehow it gets wiped out.

Accountability and data back-up and storage, again are addressable implementation specifications, but important within this area, you make sure that if information for example is stored on these diskettes, it's adequately backed up and stored.

So, that's sort of protecting the physical attributes of an organization. We now move into the technical safeguards, which is sort of how the computer systems should be set up to adequately protect electronic-protected health information.

There does appear to be some overlap here. I think we use some of the same terms. And there may even be some duplication here. If people start thinking about access controls, they are there under physical. They are also here under technical safeguards. They mean somewhat the same thing, but we want to make sure that all aspects of electronic-protected health information are adequately protected.

The first technical safeguard is access control. And there, there have to be technical policies and procedures for electronic systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights. So, we limit access to the building, we limit access to rooms to appropriate people, that's one safeguard. Now, we also limit access in the computer systems themselves.

The first required implementation specification is unique user identification. That is, we require that access to systems is protected by assigning each user a unique user ID. There are entities today that probably assign organizational passwords. All right, everybody in the emergency department, here is the emergency department password. You use that, and you get in the emergency department systems.

Under our security standards, I think we would frown on that. We would want each individual in the emergency department to have their own user ID and password to access those systems.

There are questions that are now beginning to bubble up that say this may very well impact on patient safety. It may be critical that there just be an emergency department password, because if everybody has to remember their own unique user ID and password, and you are going to have to sit there and wait, and critical access to systems may be blocked.

We are starting to take a look at those questions and see how we can balance patient safety considerations against the necessary protections for electronic-protected health information. So, again, I think the questions are now starting to come up as folks implement or attempt to implement the security standards. And we are looking at those, and we'll be issuing either through frequently asked questions or guidance documents, our responses to that.

DR. FITZMAURICE: Is it possible without going through changes in regulation, to make a particular requirement move from required to addressable?

MR. NACHIMSON: I would say no, not without going through changes in regulation. That's part of the standards, part of the official regulation. The final answer on that would probably rest with the attorneys, but my guess is that's a modification to the standards that would require --

MR. ROTHSTEIN: Excuse me, Mr. Nachimson, this is wonderful testimony and we appreciate the handout. I know my colleagues are chomping at the bit to ask you lots of questions. So, if you could complete the presentation at a slightly more rapid pace, that would be very helpful to us. Thank you.

MR. NACHIMSON: I'll certainly be happy to do that. I'll just mention each of the safeguards themselves, without getting into too much detail, and we should move through that.

There are technical safeguards for audit controls, keeping track of systems activity. There is a technical safeguard for integrity, making sure that information is not inadvertently or advertently changed; for person or entity authentication, that is making sure that somebody getting into your system is indeed that person. Is it really Stanley logging on here, or accessing that information? Or is somebody just with Stanley's password?

Protecting the transmission security. This is where we move from the information that is simply stored within an organization, to information that an organization either sends out or receives. I just want to mention here that encryption is an addressable implementation specification.

That was a critical policy issue, whether or not to require encryption. It was decided that because there is not a lot of interoperability among different encryption systems, we would leave that addressable, especially when physicians might want to communicate with their patients by e-mail.

There are a couple of organization requirements for business associate contracts and other arrangements. There are certain requirements for group health plans. And there are some documentation requirements, that's the last set of standards. Basically, you have to document your policies and procedures. You have to maintain documents on policies and procedures, and other things that are required to be documented, audit logs and things like that. There is a six year time limit. You've got to keep that information for six years.

I just want to say that at the end of the regulation there is a chart -- those of you on the radio, obviously you won't be able to see that -- but for the folks here in the room, this is an official part of the regulation. We call that our Readers' Digest condensed version of the security standards regulation. I tell people that they ought to start reading this regulation from the back. There is a nice summary of at least the standards, and the implementation specifications, and whether they are required or addressable.

If you like, you can even make a copy of that, laminate it, stick it in your pocket and carry it around. You'll be an instant expert on the security standards regulation.

There are a couple of other items here, but I think in the interest of time I'll be happy to open it up now for questions from the subcommittee.

MR. ROTHSTEIN: Thank you very much. That was very helpful to us, and I'm sure the listeners on the Internet as well.

Before we go to questions, I want to afford an opportunity to two people to introduce themselves.

[Introductions were made.]

Thank you.

And now the floor is open for questions, and I believe Mr. Houston asked to be recognized.

MR. HOUSTON: Just a little bit of background. Working for a large health system, one of my responsibilities is information security. So, I'm keenly interested and aware of this particular rule. I'm also working for the NCVHS, trying to understand whether we need to have hearings on aspects of the Security Rule. We did have one set of them already to get some general insight as to where there were issues.

And I'm really interested, sort of on a general basis, first off, in where the areas are that you think are potentially at issue. Obviously, you mentioned one where you spoke of the fact that there might be issues related to unique IDs and access and things of that sort. That would be sort of my first question. And I do have some follow-up questions more specifically in other areas.

MR. NACHIMSON: That's certainly one thing that has been raised. We have also heard a lot of questions about security incident reporting in that security incidents, the way that perhaps a strict reading of the definition in the regulation could mean any type of access from the outside. There are lots of pings that go on, I think is the technical term, over the Internet, where folks are just sort of seeing what is out there.

And if a system is adequately protected, that's rather an innocent operation. But a strict reading of the definition of security incident may mean that you would actually have to report every ping that goes on. There could be thousands of those during the day. So, folks have asked us, do we really mean that they have to keep track of every one of those, or is it only sort of major things that really could compromise the security of an operation?

Those are I think, two of the main issues that have gone on. There has not been too much -- there is sort of a spectrum that goes on where people say gee, this is great, that it's flexible. Leave me alone. Don't give me any more information. Just let me do my thing. And then there are others that say, well, give me more information. Is this what you meant by a risk analysis? Or if we do this, will that meet the requirements of the security rule?

We have tended to shy away from telling people, yes, if you do this, it will definitely meet the requirements of the Security Rule, because it's impossible for an organization to tell us everything that goes on in their organization, give us their entire risk analysis, and have us analyze that, and determine whether that's appropriate.

MR. HOUSTON: And each organization is unique.

MR. NACHIMSON: Yes.

MR. HOUSTON: Let me ask just a couple more follow-up questions. Simon and I have spoken about Security Rule issues specifically related to medical equipment. And it seems to be an area that when Simon first asked me, I said I haven't really heard much. And then all the sudden with a couple of months following, it became an issue which I had heard internally a lot about.

Have there been issues so far expressed from medical equipment vendors, manufacturers, or from other covered entities related to how do you deal with this animal? Because obviously, you don't necessarily have the flexibility to put patches, viral protection software, things of that sort on equipment.

A good example is I know in my facility we use medication administration cabinets which have embedded Microsoft operating systems. We don't have the luxury of patching them, other than based upon a vendor patch. But when we have had a number of outbreaks, a number of these cabinets have been infected, and obviously we have tried to segment them on their own networks and things like that.

But that is an issue, and I think as I dug a little bit deeper and talked to some equipment manufacturers, as well as others in industry, that has been an issue that I have seen. Have you heard anything? Has anything of this sort come up?

MR. NACHIMSON: We have gotten I would say fairly recently, a couple of questions on our electronic mailbox, our ask HIPAA mailbox that CMS maintains, the questions on all the HIPAA standards except for privacy, about certain devices. I think the last one was telemetry devices, and whether these constitute electronic-protected health information, and whether they would be required to follow the security standards. So, we are going to have to start looking at that.

So, that's I think a fairly recent item, where these things are moving to digital -- they are collecting digital information and transmitting that. And whether or not that is a transmission of electronic-protected health information or not.

MR. HOUSTON: I hadn't even thought about that angle yet.

DR. COHN: I have a follow-up from a previous question. I guess it hadn't occurred to me that this wouldn't be covered by the Security Rule. So, are we to infer that you are still trying to figure out whether it really is a computer? Of course, your watch is a computer too these days, but the question is obviously what isn't a computer, and what isn't protected health information?

So, you are going to be starting to investigate whether this is actually protected health information at this point?

MR. NACHIMSON: We will have to respond to individual situations and devices to determine whether or not these are electronic-protected health information, and these situations are or are not covered by the Security Rule, yes. Certainly, one would expect a covered entity to hopefully err on the cautious side and assume it is something that does need to be protected, but as these questions come up --

MR. HOUSTON: Unfortunately, a lot of these telemetry systems are out of the box. You don't have a lot of control over the configuration once they are installed, necessarily whether you can turn on encryption or turn it off. They run on specific frequencies, and I think there is a new telemetry frequency that is out there. So, that could be problematic, depending on how you --

MR. NACHIMSON: And there is where I'd sort of like to rely on the scalability and flexibility option in the risk analysis, where covered entities would take a look at these devices and say, is there a risk or is there not a risk here? And if there is a risk, what capabilities do we have to protect them?

DR. COHN: Maybe just a follow-up and then I'll pass it on to others. But there is obviously the risk analysis. But then there is the issue of is it in, or is it out of the Security Rule per se. And as I said, until you mentioned it, it hadn't occurred to me that it would not just by definition, be in.

So, certainly, if the department is looking at whether or not this area is even in, and you have any question in your mind, I think you owe it to the industry to inform the industry as quickly as possible.

DR. HARDING: On page 21, administrative safeguards, the topic of business associate contracts and other arrangements, I was wondering -- we have talked about in this committee several times, the issue of business associate arrangements. And one of the things here was it said that the covered entities obtain satisfactory assurances that the business associate will appropriately safeguard the information.

We have talked about the issue of offshore work and so forth, where someone has a business associate agreement, but then from that point it goes into the ether, and work is done in places that aren't under control. Is there any consensus coming out of all of that as to how that is going to be addressed here in the future, the Indian or the Pakistani health care information transcriptions and so forth?

MR. NACHIMSON: At the moment there isn't any consensus. I know that the department has been looking at it, and continues to look at the issue of offshore international operations, and what reach we have, or how covered entities would be held liable for that. Probably through the business associate contract, but if these folks are offshore, and especially if they are not covered entities and they are offshore, it's still the responsibility of the covered entity to maintain the security and privacy of that information.

The covered entity would be held liable for any breaches or violations at this point. But how it would necessarily be enforced or how the covered entity would deal with their offshore entity, I don't think has been decided.

DR. HARDING: I guess the phrase that caught my eye was satisfactory assurances. And I'm sure that was very carefully selected, satisfactory assurances that the business associate would appropriately safeguard the information. Coming up with a definition of that is going to be an interesting one.

MR. NACHIMSON: I would agree that that was very carefully crafted. We tried to walk I think a fine line here. We do not want or expect a covered entity to go in and inspect in thorough detail, the operations of any business associate. And I'm sure that business associates at some point would almost object to someone perhaps even walking through and going into detail of all of their security plans and procedures.

However, there is an obligation that the business associate provide some assurances, either written or examples of what they do to the covered entity, so that the covered entities at least have some satisfaction that their information is being adequately protected.

DR. HARDING: So, I, as a provider, a physician who transcribes a note on a patient, and then that goes to a transcription service, I would ask them for specific assurances that this information isn't going -- I don't think there is an answer to my question at the present time. But there is something about it that's my responsibility still to ask the first person anyway that I'm talking to, to guarantee that?

MR. NACHIMSON: Yes.

DR. HARDING: If I did that, then I would have done my duty?

MR. NACHIMSON: In general, I think you would want to go a little bit further than just asking. And if they said, yes, we're taking care of it, I think you would probably either in your contract or prior to signing the contract, you would want to see some assurance that some protections were being done.

If they said for example, we use this particular software, here is the protection that we have, or we have a contract with this company, we have an office that is in a building and it's locked. Each of our employees has a key so that they can get into the information, as opposed to well, we're just in an open area, and we mix our business with lots of other businesses, and the person at the next desk that is dealing with agricultural information, for example, can easily lean over and see what is going on. I think you would want to go a little bit beyond simply a yes or no.

MR. REYNOLDS: Having implemented all of the HIPAA transactions so far, I would like to commend everybody's work on this particular regulation. I think that different than privacy and transactions, you kind of had to say how to do business. And I think in this one it puts a nice framework around what you need to think about, and how you need to approach it, but it has not been nearly -- especially for large entities -- it has not been nearly as burdensome to implement as anything else that we have had to deal with in HIPAA by a dramatic step.

Most large entities are getting audited on a continuous basis, especially with all the concerns -- John brought it up -- with viruses and everything else. You are constantly getting evaluated, and you are constantly having outside auditors come in and look at how your systems get accessed, and so on.

So, I think this one, I think you have set up a really good structure, and in our case it's actually easy to align to, especially with the addressable and required. So, I think as we look at future standards, this isn't a bad way to look at it, because it doesn't tell anybody how to do business. I know it raises some questions, but it really doesn't.

But a couple of questions. Role-based is an easy word to throw out, but more and more as companies look at the fungibility of their staff, so that one -- I'll just use our example -- one day somebody is a claims processor. The next day they go to customer service. But if you were to get a glut of claims, they could go back and do claims.

So, as a customer service representative they might do this, and as a claims representative -- as long as any entity is able to answer that the person, whatever job they are doing, they can access the data that they can access, you can validate that based on their responsibility. Role-based gets a little fuzzy.

So, I think as you throw out role-based, more and more when people are trying to do the accordion thing, where if I have this much work, they do this, if I have this much work they do something else, in today's world, role-based kind of loses the meaning that it had maybe 10 years ago, where somebody was hired to do this, and they just did this. You are having to really cross-train people to do more things. So, as you think about it, a little bit like Simon said, as you talk about role-based to the industry, it is probably a little different now than it was.

Business associates, back to Richard's question. Do people have to go as far with business associates, to talk about disaster recovery? Or that the industry gets an affirmation that somebody understands the rule, they are secure? Or do you have to go as far as to evaluate their whole disaster recovery situation?

MR. NACHIMSON: I think that's one of these decisions that is primarily left up to the covered entity in their analysis of their risks. They need to make a decision for themselves, what's the risk here, who am I dealing with, what type of assurances do I really need to make sure that I can continue my operation, and that my information is collected?

I wouldn't necessarily set up a checklist of every question that every covered entity would need to ask. It would depend on what the business associate is doing, the relationship with the business associate, the information that is going back and forth.

MR. REYNOLDS: Again, going back to Richard's question, there are levels of offshore that people deal with. You deal with an offshore company that the employees are the employees of a US company. And then you have an offshore where they are not.

Do you see a distinction that it's a stronger environment where the offshore are employees of a US company, and that US company itself certifies that they meet the HIPAA rule, versus somebody in another country that is completely outside the jurisdiction of US law, completely outside the jurisdiction of what's going on? Do you see any difference in that?

MR. NACHIMSON: I don't feel capable of really answering that question, not having dealt with those entities. I would again, leave that up to the judgment of the individual covered entity to understand who it is that they are dealing with. To understand what the risks are, and what the assurances are that they might need.

If I can just respond a second to the role-based question, which is an excellent point. And that gets into some of the auditing. I think if an entity allows multiple roles for an individual person, as long as they can go into their system and say, on Friday Stanley accessed the system as a customer service representative, and got into this information, or got into this system.

But on Thursday, he accessed the system as a claims processor, and both accesses were appropriate, I think that's perfectly okay. So, there are sort of multiple layers of protection and standards here, hopefully that are flexible enough to handle situations like that.

MR. REYNOLDS: Mark, my final question, and you just played on it. The system activity audits, which could become dramatically burdensome. If companies have to track every single person that did every single transaction, then it doesn't really matter what their role is, and it doesn't really matter what you set them up on. You are following them around on every transaction. And if you have to audit that on a continuous basis, you are talking about an incredible amount of data, and an incredible amount of information.

So, back to the hierarchy, which is hard to really get a complete handle on, if you allow somebody to be in the system, and you teach them about security, and you have their management agree that that's what they could do, so what level do you have to actually, every single day -- if you think of the transactions in hospitals, doctors offices, and payers and clearinghouses, because once you capture that data, and your example is perfect.

If I have to know that on Thursday Simon did this, and on Friday Simon did that, I have to have somebody auditing that every day, otherwise I can't tell you that somebody has met it. So, that's the one area to me that is so gray, that it's almost getting opaque, because that amount of auditing decides the cost.

So, if you set up a corporate structure, whatever you are, and you say here is how we are going to know that people access it, and you have it audited, and you do everything else, but your answer again, keeps taking it down to that level where somebody has got to track every person, every day in everything they do, and that is not where the world tends to live.

MR. NACHIMSON: My response to that would be every covered entity needs to do their risk analysis, and set up a system that reasonably protects against unauthorized access. That's an individual company decision that you or anybody would make, and say it would be incredibly burdensome for me to track every instance of systems activity, every access by my employee.

I'm comfortable, or I'm reasonably comfortable that I'm protecting against this set of risks, and I don't need to do that. Now, you may have a history where in a department or in some area there has been a series of break-ins or security incidents. In that case, you may decide, based on your risk analysis, I need to be a little bit more careful in this area.

MR. REYNOLDS: But that becomes incident-based?

MR. NACHIMSON: Yes, absolutely.

MR. REYNOLDS: Thank you. I think that position, if it would help the industry, which is kind of your continuous position, and I think that's what is good about this rule, is you leave it up to the entity to decide what their liability is.

MR. NACHIMSON: And again, we try to emphasize the reasonableness of the protection, and listed the factors that entities can take into consideration in designing their security plans and procedures.

MR. REYNOLDS: Mark, thank you.

MR. ROTHSTEIN: At this time, let me ask for staff questions, and then we'll have a second round of subcommittee questions.

MR. FANNING: Is there any equivalent for paper records? I know the statute probably doesn't command you to write something, but in fact a great many records are on paper. And there are a lot of bad stories about information being disclosed. The late Queen Mother of Great Britain had both hips replaced over the course of her life, and her orthopedic surgeon left the records in his car. The car was broken into and they were stolen, probably to get the leather brief case. But be that as it may, that is a security breach. What about the paper side?

MR. NACHIMSON: Let me answer that in two ways. In the Privacy Rule there is the so-called mini Security Rule, which requires covered entities to set up appropriate technical, administrative, and physical safeguards to protect the confidentiality of protected health information.

Now, the Privacy Rule applies to all information beyond electronic. So, one could say that there is at least a mention or an assumption that there is some security, going down the HIPAA security, that covered entities are already setting up some procedures that they are putting in place for the rest of their protected health information.

The second, I think it's reasonable to ask why didn't we have protections for the paper in the HIPAA Security Rule? We did have a proposed rule, and I think the initial reading that we got was that the standards should only apply to electronic-protected health information based on a reading of the law.

We got comments in on the proposed rule about applying it to paper transactions. There was a feeling that it was incumbent upon us to first get out protections for electronic-protected health information. That it would be a completely separate set of protections that would apply to paper records. And we would wait to see first how the electronic standards were being implemented, and see if there was a need beyond what is mentioned in the Privacy Rule, to set up standards for paper-based records.

So, I think the department is sitting back and seeing whether there needs to be a regulatory set of standards for paper information. And I would say the jury is probably still out on that, but I'll just leave it at that.

MR. FANNING: I do think that some elements of this regulation point in that direction -- controls on physical media and so on. And a thoughtful organization would know how to apply them in the paper situation as well. But this is an especially useful guide, in addition to being a command.

MR. NACHIMSON: Thank you. And I would also say that there is nothing in any of the HIPAA regulations that prohibits an organization from applying protections like this to their paper records. We continue to emphasize that even the security standards are good business practices that organizations probably should have implemented even without the HIPAA security standards.

MR. ROTHSTEIN: Additional staff questions? Amy, Evelyn? Okay, John.

MR. HOUSTON: I wanted to go back to the issues that Harry had brought up specifically related to some of the effort to police role-based security and things like that. And there is a saying that three-quarters of the questions out there are actually statements. With fear of just making a statement, I guess I'm going to try to ask a question.

MR. ROTHSTEIN: Well, make your statement in the form of a question?

MR. HOUSTON: I am concerned about the practicality and the cost of role-based security, as well as audit controls and things of that sort. And working in an organization with literally hundreds of systems that manage clinical information, one of the things that I know I have found is that there is a wide variance in the capability of vendor software, in terms of even being able to do role-based security.

And that, coupled with both the system capacity issues related to doing logging and turning on those controls, and then coupled with the fact that when you do turn them on, sometimes you get the unintended consequence of getting in the way of delivering efficient, quality patient care. You have an environment where I know we have made conscious decisions to impose less security within certain systems, because of those other impacts.

Clearly, there is a concern that where is that edge? And depending on who is interpreting it, we could have to buy a lot more computer hardware to support some of these processes, as well as to try to figure out a workable process to audit some of these things. Because I think as Harry indicated, even assuming that everybody has the role-based access they need, in a nursing unit, nurses see many, many patients. They may move around a good bit.

You have a physician that has to do a consult. He may not have a pre-existing relationship with the patient, but he is brought in, in the middle of the night to do consult, and he looks at the record. How do you know whether that was appropriate? If you really have to do auditing, somebody should be in there looking at all of those things, and that's a lot of access. That's a lot of things that need to be looked at.

This is a problematic issue. I'm sort of concerned with at one level, sort of the official stance sort of embodied in the presentation, and I'm sort of encouraged by what you had said in response to Harry's questions. But I just sort of want to put on the table, well, have you talked to vendors, or have you tried to do assessments of the impacts on a range of different covered entities to determine what is the impact of these specific provisions?

And again, very specifically, role-based security, access control, audit controls, integrity, I think those are the areas where I'm concerned. So, there is a statement. To make it a question, what are your thoughts?

MR. NACHIMSON: I think people seem to be focusing on the role-based, and I don't believe that there is anything in the security standards that actually requires role-based access. There have to be access controls. If role-based is a problem, covered entities can make the decision not to do it role-based, but there still do have to be access controls.

Let me sort of go back to the beginning of the Security Rule. We spent quite a bit of time in discussions with other government agencies, with private sector entities in crafting these standards, and publishing the first set of proposed rules, where there were a number of meetings with industry. That went on, and in finally crafting the final rules.

I think your concern was really what was expressed to us, that there is the possibility of incredible costs if there were strict security. That it interferes with patient care, with patient safety and other items. And that's why we made the decision to first state that things should be reasonably protected. And then give covered entities the decision-making power themselves. That they must do a risk analysis and set up a risk management plan. There's no question about that.

But you as a covered entity, get to look at your situation, and decide how you are going to protect that information reasonably and adequately. You get to make decisions that it's too costly to do this, therefore, we are not going to do it. Here is an alternative way of doing it.

Or, we have operated this system for X number of years. There has never been any compromise in the security. We don't expect there to be any compromise in the security. Nobody else can get to the information or is interested in the information. Therefore, no additional security procedures are necessary. Here is where we should look at some additional auditing, but here is where we really don't need to do any auditing. The questions do come to us, what is enough? And the answer has been it depends on your situation.

MR. HOUSTON: Will your answer be expressed in an FAQ at some point? Because I think that those types of comments are of great importance to the industry as it tries to comply.

MR. NACHIMSON: There are a series of FAQs that are going through the departmental clearance process that hopefully will expand a little bit on this. Off the top of my head, I don't remember if that exact answer is in there, but through our presentations, we continue to emphasize, and even to individual answers to Ask HIPAA questions, the question comes into, should we do this? The answer, it's almost becoming a generic answer, you need to do a risk analysis and determine whether that particular solution is right for your situation.

MR. HOUSTON: But your exact dialogue to me is very insightful as to the types of analyses we should go through.

DR. COHN: And this is just really a follow-up of this issue. I'm listening to the CMS and the federal response, but I'm also aware that really beyond the federal government there is going to be a lot of accrediting organizations that are going to take and audit organizations against these rules.

And they may not have quite what Stanley is thinking in here, because clearly they are going to be wanting to look at your facility, and look at your various systems and capabilities and security implementations. And so, I think from what you are expressing as your concern, you would probably need to be as concerned about accrediting organizations and what their upcoming plans are. And this may be something we should ask them.

MR. HOUSTON: Absolutely. And I think even from auditor to auditor on some of the compliance engagements, when JCAHO comes in, it's radically, depending on who comes from JCAHO, what they look at, how deep they dig on certain areas, and what their individual philosophies are, based upon their backgrounds. And I think those are things that again, a little bit of guidance.

Again, I liked what you said. I really liked the way you said it. I hope that that gets expressed in terms of an FAQ.

DR. HARDING: One of the things that has always intrigued me is scalability. And it has always been kind of a pressure valve release for a lot of people for HIPAA. I don't have to do as much as Blue Cross does in my office, and so forth.

I remember we had a gentleman who testified before this group in Utah who was an administrator of a small hospital, and we still aren't sure if he was packing heat or not when he came in, because he was pretty ticked about the things that he perceived that he was going to have to do for the privacy things, that he would have to be just like Johns Hopkins Hospital in effect, in his little store in southern Utah.

Is it true, or is it appropriate to think that scalability is purely justified by a self-evaluation of the covered entity? That they can scale things if they can state that they have thought it through? Or is there more to it than that scalability?

MR. NACHIMSON: The size of the organization, their capabilities, and the cost of complying with those are some of the factors that we allow them to take into account. I don't think you can simply say because I'm smaller I don't have to do as much. Those are factors that go into your risk analysis and risk management plan.

Take a look at your risks, and then determine how you can address those risks, taking into account the factors of size and complexity of your organization.

DR. HARDING: It's a self-assessment?

MR. NACHIMSON: It is a self-assessment, but it's not just, hey, I'm little, I don't have to do as much. Here is the risk analysis, here are the risks. I'm small. I don't anticipate a lot of people -- I'm a small organization and I hold a small amount of information. I don't anticipate a lot of outside hackers looking at me, because I only have a small amount of information. Therefore, I probably need as extensive a set of protections as Johns Hopkins or Blue Cross/Blue Shield of North Carolina, that hold lots of information.

So, that's a decision, a factor that they do get to take into account. The fact that I don't have three security specialists on staff to design all of these things, I have to rely on off-the-shelf software or outside vendors, I don't have the time or the people to devote to that, so I may not be able to design as extensive a security program as a larger organization. So, they can take those things into account, but only, I would argue, in the context of the whole risk analysis, risk management plan.

DR. COHN: Obviously, we are getting close to the end of the session. I actually want to go back to John Paul's I think initial question, which is of course we're asking for this briefing in the context of planning out hearings in the future on the security rules.

And I think John Paul started out by asking well, what current issues are you seeing. With these 41 pages of slides, it doesn't tell us much about the issues. It tells us more about what is in the Security Rule. And we heard from you your response of what you are sort of seeing currently.

What I'm actually curious, just as we look forward between now and next April, which is the implementation date, knowing that we are nine months from implementation, I'm just curious from your perspective at this point, there are many ways to take the fact that we are not seeing a lot of complaints, a lot of issues coming up. One might be that everything is really kopacetic(?) and working, and we've got five issues and we're working them, and everything is fine.

Another might be that everyone is still trying to implement the claims transaction, and the other administrative and financial transactions, and they haven't really started paying much attention to this yet. And that we are really going to be seeing a flood of activity over the next nine months, and issues associated with that.

I'm just curious if you have any perspective on all of this stuff, and if you have any thoughts about timing of occasions to hear from the industry of what might be helpful or otherwise?

MR. NACHIMSON: I think there are a couple of things that might explain why there aren't a whole lot of issues, some of them negative, like everybody has been so attuned to getting their claims transactions ready, that they haven't paid any attention.

But I think that there are some positive things that one, because we worked a lot with the industry on the security standard, there is not a whole lot of things that are brand new, that are surprises in here. There are a number of things that entities were already doing. Entities have been doing risk analyses. That's a standard security thing. They have been doing risk management plans. They have been doing some role-based access. There is some auditing in place. So, a lot of these things, entities have already been doing, even before HIPAA.

Number two, because of privacy, there was already a focus on protecting the confidentiality of information. Some of it through plans and procedures, but some of it through computer protection. So, they have already been doing some of that in complying with privacy.

Thirdly, I think because of the scalability and the flexibility, there is not the hard and fast rule about gee, we've got to do this on security, and how the heck are we going to do it? Because we've got a little bit of flexibility in it, even the smaller entities could say well, it's not a $250,000 proposition. There are some simpler ways for me to go ahead and do this. So, I think those are some reasons why there is not the hue and cry.

We have been looking at, and will continue to look at the volume of questions on Ask HIPAA for example, and the phone calls that we get. It has stayed rather steady in terms of security. There hasn't been a big explosion in the last couple of months, although we are starting to see a few more questions about security.

I would sort of say in terms of timing, we have been telling people it takes probably nine months to a year to do a good security program. That means that they should have already started at least doing their risk analysis. Six months out from the compliance date I think would be an interesting check point to say, all right, how far along are you? Have you done your risk analysis? What have you found? What are your plans?

We are also monitoring some of the industry surveys. The Phoenix Health Organization, for example, not only are they monitoring transactions implementation, but they are also monitoring security implementation. And at least in their survey, which admittedly might be biased, because it's people that are sort of paying attention to HIPAA, their most recent survey seemed to indicate that the vast majority of covered entities would be compliant by the April 2005 compliance date.

Now, admittedly, it's self-reported information. I don't know how many people are going to call even an independent organization, a non-government organization and say, I'm not going to be ready. And it was somewhere around 80 percent said yes, they started, and they planned to be ready by April 2005.

It's easy to say that nine months to a year out ahead, but still, it was rather heartening, at least on our point, that people are not saying this is impossible, this just won't work for us. We are never going to be able to make it.

I tend to think that again, because of the scalability, the flexibility, the technology neutrality, that people will have an easier time implementing this than privacy or transactions and code sets. But we continue to go out to lots of conferences and things like that, local and national, and I think it's just sort of a steady stream that there are more security conferences these days, because we are over the big transactions hump, but most of the questions that we are getting are gee, now that I have done this risk analysis, is this the right way to respond to it, rather than how do I start this thing?

At this point, I think we are relatively satisfied, but things could change in a heartbeat. So, we will, from a CMS standpoint, monitor not only the Ask HIPAA mailbox and the questions that we get on the phone, but the outside surveys and reports that we get from entities.

MR. ROTHSTEIN: I have one last question for you. Before the compliance date for the Privacy Rule, the NCVHS made a recommendation to the secretary that at some level in the department, there be established some way to evaluate with some degree of scientific rigor, the consequences of the Privacy Rule, its effectiveness, its gains in terms of protecting privacy, its costs, its burdens on health care, and so forth.

And I was wondering, now while we have a window before the Security Rule goes into effect, the question is has there been discussion about establishing some sort of ongoing system to study the consequences of the effects of the efficacy of the Security Rule, either internally, or through some sort of grant system with another agency, or even conceivably the public?

MR. NACHIMSON: Not that I'm aware of. We are currently working on the enforcement procedures for security, coming up for April, to have those in place. And we have the ongoing discussions again with outside organizations that either volunteer or think about doing that themselves. But I'm not aware of any plans in the department or in CMS to do that particular evaluation.

I'm sure as the day gets closer, there will be more people asking that exact question. I think that's more of a longer-term issue, that you would not be able to make any decisions in April 2005, or even November 2005, but perhaps a year or two further out, and surveying organizations as to the number of security incidents, and things like that.

MR. ROTHSTEIN: Well, even though that was phrased as a question, perhaps you saw something besides a question in that.

I will now recognize that we are scheduled for a 15-minute break, which we will take now, and then resume with the marketing panel.

Thank you very much for your testimony.

MR. NACHIMSON: Thank you. I appreciate the opportunity.

[Brief recess.]

MR. ROTHSTEIN: Good morning, we are back in session now. And we are now beginning our first of three panels. And before we start on the first panel, I want to review the subcommittee's procedures. We have asked each of our invited witnesses to take 10-15 minutes to give prepared testimony. If need be, I will give you a one minute warning. And after each witness, subcommittee members will have an opportunity to ask questions for clarification, and then we'll have our main discussion after both witnesses have finished.

You have two weeks to submit additional written testimony to Marrietta Squire. And I would ask people with cell phones to turn them off, and remind the witnesses to speak clearly into the microphones for the benefit of our Internet listeners.

Before we begin this panel, I want to note that this is the first of two panels that we have today dealing with topics that we have discussed extensively in the past. And it's good to see that some of our witnesses in the past have still been willing to come to talk to us again today.

And the purpose of these hearings, the first two of the three at least, certainly is to ask the question well, what has changed, if anything, since the last time we talked to you? And do you have more information for us about how the implementation has gone?

Has it gone better or worse than expected? What problems have you encountered? What recommendations or additional comments do you have that the subcommittee should relay along to HHS, et cetera? So, I'm sure you get the idea.

So, first I would like to call on Mr. Bell from the National Association of Chain Drug Stores.

Agenda Item: Marketing - Panel 1

MR. BELL: Well, thank you very much for inviting me back to testify this morning. I was looking back over my old testimony. I think it was three and a half years ago, and I was actually testifying on a prior version of the marketing provisions of the HIPAA Privacy Rules. And it was a very different version, and for us anyway -- I represent pharmacies -- a very confusing version.

But I wanted to thank the subcommittee number one, for inviting me back. But number two, also for helping with the clarification and revision process that, as far as our members are concerned anyway, has led to much better marketing provisions of the HIPAA privacy rules.

So, with that I'll start, and just introduce myself. I'm Don Bell. I'm general counsel for the National Association of Chain Drug Stores. NACDS is an association of pharmacies. Our members operate well over 32,000 pharmacies, and employ over 100,000 pharmacists. And initially I just wanted to reaffirm that pharmacies do recognize the tremendous value of protecting patient privacy. It is an important part of the professionalism that all of our pharmacists live with and practice every day.

And it's also just a good business practice. Pharmacies know that they can attract customers only when the public trusts them to protect confidentiality of medical records. So, NACDS members anyway, have no interest in adopting marketing strategies that will endanger that trust.

Now, the marketing provisions of the HIPAA privacy rules of course, attempt to limit the misuse of protected health information. That's an appropriate, laudable goal. In pursuing that goal, of course though the government should not restrict the health care communications between patients and pharmacists. And to my mind, that is the essential tension that we have here. We need to be able to distinguish between marketing and health care communications, and that's not always a bright line that separates those two types of communications.

The HIPAA privacy rules define marketing in part as to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Well, that's a pretty broad definition, because encouraging a patient to purchase or use a product or service is a common aspect of many communications by health care providers.

And again, the distinction between marketing and advertising on the one hand, and health care communications on the other hand is not always separated by a bright line. Let me give you one example of that. A pharmacist may encourage a patient with diabetes to use a glucometer. And that is performing a valuable health care service.

It is also possible though that if the pharmacy then sells that glucometer, it will profit from it. So, is advocating the use of that glucometer marketing, or is it a health care service? Our pharmacy members would say that that's predominantly a health care service, but it would also seem to fit into this fairly broad definition of marketing that is in the rules.

Now, I believe it would also fit within one of the exceptions that I will discuss in a couple of minutes. But you can see I think, the tension here between being able to draw that bright line isn't always there. But our experience is that informed consumers make better health care decisions. So, it's important for pharmacists to be able to inform consumers about the availability, quantity, quality, and price of health care products and services.

Now, as I mentioned, since I testified back in 2001, this subcommittee has helped quite a bit with clarifying the rules. And for the most part, we believe that the Office for Civil Rights has appropriately characterized important pharmacy communications as health care communications, rather than marketing or advertising.

And what I would like to do is just briefly go through some of the examples of the most common communications that pharmacies and pharmacists have with their patients, and describe how we believe those fit within the marketing limitations.

One of the most common is refill reminders. When a patient fails to follow, maybe fails to get a prescription refilled as ordered by their physicians, a pharmacist may call or write the patient to remind them of their doctor's orders. And rather than charge patients for these reminders, a pharmacy may be paid by a third party such as the drug manufacturer or a PBM.

And there is no need to disclose the patient information to that manufacturer or the PBM. So, as far as I know, that does not occur. There is no protected health information going from pharmacies to a manufacturer or a PBM with regard to these refill reminder programs.

Now, studies show that these refill reminder programs save lives, they literally save lives. They also save money, because patients who take their medications as prescribed by their physicians are less likely to end up in the hospital. So, we believe that OCR has correctly determined that refill reminders are treatment activities. OCR wrote that it is not marketing when a pharmacy or other health care provider mails prescription refill reminders to patients, or contracts with a mail house to do so. So, refill reminders is one of the most common types of communication.

Another common type of course is simply recommending medications. Patients often come up to their local pharmacist and ask which medication they should be taking for their particular medical condition. And recommending a drug to a patient is a perfectly legitimate health care activity, even though the pharmacy may end up making money if that medication, if it's a prescription, is ultimately prescribed and then filled by that pharmacy.

But we do believe it is a legitimate health care activity, and for that reason, OCR, we believe, has correctly determined that "recommendations of specific brand name or over-the-counter pharmaceuticals are not marketing."

Now, another example of communications that is sometimes controversial is called recommendations of alternative medications, what is sometimes called the switch programs. And when a patient is taking an expensive brand name drug, pharmacists may inform them about generic drugs that have the exact same ingredients, but cost much less.

Another similar example is when a pharmacist informs a patient about other medications that are biologically or therapeutically equivalent to the drugs they are taking, but maybe they have fewer side effects, or maybe greater ease of use. And these communications also help patients with their health care, and help them save a tremendous amount of money, and provide options to patients.

Again, with these drug substitution programs, as they are called, there is no need for the pharmacy to give protected health information to the manufacturer itself. And again, as far as I know, that doesn't happen. And I have talked with all of our major members about this, and many of our smaller ones as well. I don't know any of them that provide protected health information to the manufacturers as part of these therapeutic interchange programs, or the refill reminders for that matter.

Recommending other health care products is another common communication between pharmacists and patients. For example, OCR has written that informing an individual who is a smoker about an effective smoking cessation program is not marketing. And that is true, even though the pharmacy itself may have those products for sale.

Counseling and drug utilization review, obviously some of the most important categories of communications that pharmacists have with patients. Pharmacists will counsel their patients about the proper use of prescription medications, will conduct drug utilization review to prevent drug interactions, and insure that their patients are properly taking the appropriate medications.

And we believe that HHS has correctly categorized those as health care communications, rather than marketing communications. HHS wrote that pharmacists' provision of customized prescription drug information and advice about the prescription drug being dispensed is a treatment activity. I won't go through all that they have said on that, but we can follow-up if there are any questions on it.

A final category I will talk about is disease state management and wellness programs. These are self-help programs like diabetes self-management training, and similar disease state management training. We believe those also should be included within the exception for treatment. For example, without obtaining patient authorizations, a pharmacy should be able to compile a list of patients who purchase diabetes medication, and send them letters suggesting that they receive diabetes self-management training.

And we believe that at least in the December 2002 guidance, OCR suggested that most of these programs, not necessarily all of them, but most of these types of programs would not be within the definition of marketing.

So, despite a lot of alarmist rhetoric that we have heard in the past about how health care providers might misuse protected health information, and it is true, they might, and I'm sure some of them do, but the examples described above include the vast majority of the real life examples of pharmacies using prescription information to communicate with patients. And these communications help patients. So, the vast majority of patient communications by pharmacies lead to better informed and healthier consumers.

Now, the last thing I want to do is talk about a new privacy best practices guide that is being issued sometime this week, maybe today, by the National Consumers League. I would recommend that the subcommittee look over that new privacy best practices guide before making any recommendation to the larger committee.

The National Consumers League or NCL is a private, non-profit consumer advocacy organization that has been representing consumers for over 100 years. The best practices guide that they are going to release this week is entitled, "Health Care Communications Provided by Pharmacies: Best Practices Principles for Safeguarding Patient Privacy."

Now, there are a couple of important things I think, about this best practices guide. One is that the NCL best practices guide does recognize the importance of pharmacy communications to patient health. The NCL best practices guide notes the importance of providing useful information about prescription drugs, encouraging prescription compliance or adherence through refill reminders and other methods, recommending treatment alternatives, adjunctive therapies, and providing disease state management communications.

For example, the NCL best practices guide states that it has been firmly established that communicating with pharmacy patients about the importance of adherence to therapy, including refill reminders, has important proven benefits to individual patients, to the public health, and to the economy. And so, the best practices guide concludes that a consensus exists among pharmacists, Congress, FDA, health care experts, consumer groups, and patient advocacy groups that there is a critical need for improving patient access to reliable and understandable health care information.

So, one thing that I think is important about this new best practices guide is that it does recognize the importance of these communications between pharmacists and patients.

Another aspect that I believe is important is the fact that it provides an alternative to more mandatory regulations. NCL's best practices guide creates a voluntary framework for additional privacy protections, and if consumers feel the need for additional privacy protections, then the market will reward pharmacies that adopt best practices guidelines, such as the ones being issued by NCL this week.

So, although the NCL best practices guide is just being released this week, so far the response from pharmacies has been very promising. We believe, in conclusion, that a voluntary, market-based approach by a trusted consumer advocate is better than rigid new regulations.

So, I want to thank the subcommittee for considering my testimony, and I would be happy to answer any questions you may have.

MR. ROTHSTEIN: Thank you.

Any clarification questions from the subcommittee? Hearing none, I recognize Ms. Pritts. Welcome back.

MS. PRITTS: Thank you.

I would like to thank you for the opportunity to testify today on the marketing provision in the federal Privacy Rule. I think you made a wise choice in selecting the individuals that you have testifying today, because I must say that my impression of the privacy rules is drastically different than that of Mr. Bell's.

I have heard today, and I have heard repeatedly during the discussion of the marketing provisions of the Privacy Rule, that the use of protected health information for marketing purposes is not really a privacy issue, because you are only disclosing the person's information back to the patient themselves.

Well, in order to put this into some context, I would like to go back to the Fair Information Practice Principles. These are well established principles. They were developed way before the Privacy Rule ever was even contemplated, and they are very well accepted, not only in this country, but in the European Union.

One of the basic principles of the Fair Information Practice Principles is choice. And I'm going to paraphrase an FTC report on privacy online. They drafted a report to Congress. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information. That is, uses beyond those necessary to complete the contemplated transaction.

Such secondary uses can be internal, such as placing the consumer on a mailing list in order to market additional products, or external, such as transfer of the information to third parties. Those would be use and disclosure under the Privacy Rule. But under the generally accepted principles included in the Fair Information Practices, an individual should have the right to choose how their information is used for a secondary purpose.

I would say to you that when a person goes to a doctor or a pharmacist, and they get a prescription, and then they get it filled, they expect that to be used to treat them. And a secondary purpose for that would be to sell them other things.

Now, I will agree that there cannot be a bright line drawn on this issue. We all would agree that it would be marketing for CVS to sell its patient list to Disneyworld to sell vacations to Disneyworld. That is clearly marketing. That has nothing really to do with health care.

On the other end, you know that it's not marketing when a pharmacist says to a patient, gee, your doctor prescribed the wrong medication here. You could have a serious interaction here. We should switch this medication to another one. There is no monetary motive behind that. That's all involved with patient care.

There is a huge area in between there that is really very gray. And there are practices that are at one end of the continuum and on the other. And I would say that the practice of sending an individual information on new drugs, only because the patient has a medical condition, and the provider is getting paid to send them that information, should at least be disclosed to the patient.

And people have very serious concerns about this. The Fair Information Practice Principles weren't drafted in a vacuum. People have concerns about how their information not only is disclosed to others, but also how it is used. When you look at some of the major news stories that came out not too long before the Privacy Rule came out, you have Eckerd in Florida sending a gentleman switching letters for his HIV medication. He sued them. He thought that that was a violation of his privacy.

You had I believe it was Walgreens sending patients samples of Prozac in the mail with switching letters, encouraging them at the end of the patent for the daily version of Prozac, to switch to weekly Prozac, because now we can get our money through the protected patent version. And again, this wasn't necessarily information that was sold to a drug company. It was information that a doctor and a pharmacist were getting paid to use in order to market a particular product to a patient.

In these circumstances, it's not like somebody ever sat down, really looked at these patients' medical records, and determined that these particular drugs would be good for the patient. That would be called treatment. What they did is they selected patients who had particular medications, and they received payments from somebody else to tell them about an alternate treatment. And on the continuum, I would say that that falls more closely to marketing than it does to treatment.

Patient reaction to this I think supports that view. I would like to quote one of the consumers who received one of these switching letters, and his wasn't even what we would consider a serious medical condition. He had psoriasis, and he started receiving all these alternative treatment solicitations in the mail.

He says, "I feel my privacy was violated. It seemed pretty clear to me that either the physician or pharmacy had released my name." Now, the truth is he is probably not right. They probably didn't have to release his name. They were probably just doing it themselves. But what it does is it erodes the trust between the patient and the pharmacist, and the patient and the physician. They think that their information is being sold and bandied about without any consideration of their privacy.

Now, looking at how the Privacy Rule addresses these issues, we all know that they require authorization to use and disclose protected health information to a third party for marketing. And that if the marketing involves remuneration, the authorization must say so on its face. Of course they go ahead and go on and then they define marketing in such a way that they exclude many of the actual activities that we just described. They would exclude things that many people consider to be marketing activities.

And because of the way that health care operations is defined, indeed when you add it all together, pharmacists and doctors are allowed to use these materials and protected health information to encourage people to buy products simply because somebody is paying them to do so.

So, does the federal Privacy Rule improve, or at least preserve the trust between the provider? In some ways yes, and in some ways no. The good thing is that they can't sell the information. That's pretty much the most egregious violation, is when this information is being sold and marketed.

And has the Privacy Rule made a practice in that? It's really hard to tell. I mean as Mr. Bell was saying, most of the pharmacies say that they don't sell the information. The public, including scholars and reporters, have had a really hard time figuring out how pharmaceutical companies actually get this information. People who work for these companies generally sign confidentiality agreements when they leave, and this is like a huge trade secret as to how this information really flows.

But I have been to so many presentations where doctors come up to me and they ask me, how is it a pharmacy representative comes into my office, they know all of my patients that are on a certain medication? How does that happen? And I can't answer that, and many people don't. We didn't know how that happened before the Privacy Rule, and we don't know how it is happening now. So, you really can't tell.

I don't think though, that from what I have heard that the common practice that people have heard, and from the news reports that you have read, that it's been the selling of medical information that has really been the concern of a lot of people. It's not what they were doing in the first instance. Pharmacies generally say that they weren't, and when you read a lot of the news reports of these violations in the paper, that's not what was happening.

What was happening is they were receiving payment from drug companies to send out marketing materials on the drug companies' behalf. And the Privacy Rule really doesn't change this. There is no authorization required to use health information for these switching letters. There is no authorization required to send information to a marketing company business associate, so there is a certain amount of disclosure, even though theoretically you have to have this contract saying that they can't use it for any other purposes, but a lot of consumers think that just breaching that barrier alone is a violation of their privacy.

So, these are the very activities that consumers were complaining about, and the Privacy Rule allows them to continue. And there is no chance of getting off the mailing list. When you start getting this stuff, there is no mechanism in place for consumers to say I do not want you to send me information about alternative medicine for my condition. Maybe it's a personal condition. Maybe they don't want to receive these things in the mail.

I know I personally was contacted about a woman who was receiving bright yellow and purple postcards for Prozac in the mail. And she was very upset about that. She said my mail carrier can see that. Everybody in my apartment can see that, and you can see why. And you would have to wonder about somebody's business judgment in doing something like that, in all honesty.

The right to request restrictions doesn't help in this context, because the provider doesn't have to agree to your questions. So, there really is no mechanism, no choice here, unlike what the Fair Information Practice Principles would dictate, and so, there is no authorization, and there is no opt out.

Now, HHS, in particular Claude Allon(?), the deputy secretary of Health and Human Services, said that there was choice, and that patients have a choice, because they can shop around, and they can find a pharmacy that has a practice that they agree with. How? How do you know? Look at a notice of privacy practice. I have got three of them. I've got one from Giant, CVS, and Walgreens, all major chains.

You can look at these. You would never tell from looking at the notice of privacy practice whether any of these companies receive payment for sending you switching letters. They don't have to tell you, and they don't. They say we may contact you to provide treatment-related services such as refill reminders, treatment alternatives, and other health-related benefits and services that may be of interest to you.

There is no way of finding out what is really going on here. I would like to point out that for a brief period between December 2000 and 2002, CVS actually did have something similar to a notice of privacy practice. They weren't calling it that at the time. But it had information on it when you received a switching letter, that told you that here is an 800 number you can call to get off this list. They don't do that anymore.

So, what's the practical result of the Privacy Rule? Again, here it's hard to tell. In all honesty, there haven't been as many published marketing incidents since the compliance date of the Privacy Rule, but I would attribute that more to the few highly publicized lawsuits that have been brought under state law, than what the Privacy Rule has done.

Eckerd agreed to expressly ask for permission to use information for these marketing practices in settling its lawsuit in Florida. And they agreed to do that across all states. So, it's very important not to preempt more stringent state law, because it is filling in where the Privacy Rule lacks.

One of the most clear effects of the last version of the Privacy Rule I would say is to leave the impression with lay people that these marketing practices that we have been talking about are actually prevented by the privacy regulation, and they are not. I say this, because I was recently at an academic conference on marketing, and I was invited to speak on the Privacy Rule.

Everybody in the audience -- these were academics who study marketing, that's their specialty -- everybody there understood that the HIPAA Privacy Rule prohibited using health information for marketing. When I posed the question about well, what do you call it, what do you think it is when a pharmacy receives payment from a pharmaceutical company to send an individual a switching letter? To a one they said in unison, marketing.

So, the lay person's definition of marketing is different, so totally different than what the Privacy Rule. It is generating, I think, a lot of confusion. And I'm not the only one who thinks this. June McDeasy(?), who is an associate professor of law, in an article published in the Nebraska Law Review concluded that the commercial use of protected health information under the HIPAA Privacy Rule is, "marketing disguised as health care operations."

And so, there is a lot of confusion out there about what the actual scope is. And it's beyond confusion. It's almost misinformation. People hear marketing, they think that it means one thing, and the rule means another. And I don't believe that HHS has done nearly enough in the communication aspect to clarify about what the provision means, particularly with respect to consumers.

The main issue that was debated when the privacy rules were being discussed was one of these issues about these marketing letters. And finding this information about whether a pharmacist can receive payment for sending a switching letter from a consumer perspective, if you are a consumer, you are looking for that information, finding that information is difficult.

You look under the HHS's main Web site of consumer information. It has a fact sheet. It says prohibition on marketing. The final Privacy Rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans, and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing.

At the same time, the rule permits doctors and others to communicate freely with patients about treatment options and other health-related information, including disease management programs. There is nothing said about payment in here. And I understand that a lot of these publications are general in nature, but since this was one of the major issues, and it seems to be a confusing one for a lot of people, you would think that that would be clarified upfront.

Then you go to the frequently asked questions, and it's very difficult to locate information on this subject. The question when is an authorization needed before a provider or health plan can market goods and services to me, says for all marketing purposes. That really kind of begs the question.

It's not until you look under the question, can a provider be paid to make a prescription refill reminder, that you would actually find the answer to this particular question. So, it's very difficult for consumers to actually find the information about this kind of a specific topic that they are concerned about, and that's been in the press an awful lot.

In light of this, I have the following recommendations, and I understand that many of these are merely a pipe dream at this point, but I'm going to make them anyway. I believe that the marketing provisions should comply with the Fair Information Practice Principles. They should provide a choice for consumers when their health information is being used for secondary purposes, at the very minimum, an opt out.

There should be real notice about what the provider/pharmacist is doing. Are you getting this information because somebody has looked at your medical record? Or are you just getting it because somebody is paying them to send it to you? And it should be prominently displayed on the material itself.

And there should be more effective communication about when authorization is required. I understand that the marketing provisions were a very hot political topic. But I'm afraid that the spin here has really done a disservice to people, because I don't think that a lot of consumers, and a lot of just non-HIPAA people understand what the marketing provisions allow and what they prohibit.

And if the policy decision has been made that it's okay for a pharmacy to be paid to use a patient's health information to send them marketing materials on behalf of a drug company, why don't we just say so, and get it up out front? Patients should know.

Thank you.

MR. ROTHSTEIN: Thank you very much.

My guess is we'll have a few questions, and also perhaps Mr. Bell would like to comment as well. But I think you will probably get that opportunity to comment in answer to the questions. So, the floor is open.

MR. HOUSTON: I actually have a question for each. I'm going to start with Don. My first instinct is that when Joy spoke, that by sending a communication to a patient, that there is clearly some potential -- let's say it's something in the mail -- that the patient's family, the patient's neighbors, the mail carrier may actually glean from that mailing, what condition the patient has.

If it's Prozac, if it's something that indicates on the surface that that is what it is related to, that there clearly could be some type of privacy issue there. And I looked at other sections of the rule, and guidance that OCR has given, and I'm troubled.

One case in point is that covered entities are still allowed to call patients and give them appointment reminders, but we're supposed to be very careful what we communicate so that there isn't the opportunity for others who are in that household to get information about that patient's condition. And there are cases where patients don't want their spouses to know what type of treatment they are receiving.

How would you square your desire, obviously you think the need to be able to communicate with patients in their homes about alternative therapies and treatments, while still -- in my mind there is still some tension here with what the OCR and HIPAA really requires us in other areas to avoid?

MR. BELL: I can tell you how the members of NACDS that I have talked with, and I've talked to well over 200, but I've certainly talked with the bigger ones, and many of the medium and smaller ones as well, I can tell you how they deal with those issues.

There are basically two scenarios you seem to be talking about. One is mail, and one is calling. You mentioned like appointment reminders. A lot of times our pharmacists may call a patient saying your prescription is ready. They will talk to the patient about that. Now, if there is a voice mail, if there is nobody there, I have heard that some of our members will leave them a voice mail saying, Mrs. Jones, please call me at the following number. But I haven't heard of anyone that I know, all of the members that I have talked to have specifically said they do not leave messages saying, Mrs. Jones your Prozac is ready, please come pick it up.

MR. HOUSTON: And that is in my mind, a very problematic issue. If there is something on the face of mailing. If it's not an envelope. If it's simply a brochure or some type of multi-color marketing procedure that speaks of Prozac, the purple and yellow.

MR. BELL: Well, I agree. On the mail, I was about to say, I agree with you completely. I haven't seen this yellow thing about Prozac, but I agree with you it's bad business practice, much less privacy problems. I hope it wasn't one of our members that did that. It sounds like something a manufacturer would do, not one of our members.

Anyway, I can tell you what the members that I have talked to do with mail. They have told me they do not do the little postcards, which I think some of them did in the past, send a postcard. But instead, they have told me everything that they send out is in an envelope.

And I did want to, if I can on the mail thing, because Joy, you raised some very good points that I just wanted to discuss for a second. In any of these mailings, like a refill reminder for example, if they are being sponsored, paid for by a manufacturer, you mentioned that CVS used to have an 800 number on its notice of privacy practices, but doesn't any more. I don't know if they do anymore or not.

But I do know, because I have spoken with the attorney at CVS that writes this portion of the letters, that every single letter that they send out with these types of communications does have an opportunity to opt out in an 800 number that allows everyone to opt out, any patient to opt out of receiving future communications if they want to.

The new National Consumers League best practices guide for pharmacies, that's one of the guidances that they have given, is to say when they receive one of these letters, every time there should be number one, a very clear disclosure if there is any payment by a manufacturer or some other for making the communication, and number two, there should also be an easy method of opting out.

Now, again, this has just come out, but in the process of reviewing it, I have called up a lot of our members, and I said, is that going to be a problem for you guys? And everyone that I have talked to so far said no, because that's exactly what we do already.

MR. ROTHSTEIN: So, let me just follow up and see if I'm clear on this. You would have no objection to a recommendation -- I'm not saying that we are going to make it, but hypothetically -- in which we recommended that there be some sort of opt out mechanism available to consumers if it were included in the regulation, or some interpretation thereof?

MR. BELL: Well, as I mentioned, our members are not in favor of any new regulations, because we think that best practices guides by NCL and others, and just the market itself has been working this out. And it seems like it has been working it out. From the members that I have talked to, they are already doing these things.

MR. ROTHSTEIN: So, you approve of the concept, but you don't want it incorporated into the Privacy Rule? I'm trying to get an understanding.

MR. BELL: No, I understand, it's a good question. As an association, I have to walk a line. I can't tell our members what their business practices should be. So, I don't know that it's up to me to say yes, we should do this or not. But I can tell you that the ones I've talked to are already doing that.

MR. HOUSTON: Just sort of a follow-up, I think from what Joy had indicated though, there isn't 100 percent compliance, or else she wouldn't be speaking of these examples.

MR. BELL: I don't doubt that. All I can speak for is our members, and the ones that I know of.

MR. HOUSTON: I want to ask Joy one question. First of all, are you going to be here this afternoon, or are you leaving after your testimony?

MS. PRITTS: Well, it depends on if you need me. I have a phone call at one that I need to make. So, I can either make it here, or I can make it back at my office.

MR. HOUSTON: The reason why I ask is that we are going to be talking about fund raising this afternoon, and I had one specific question about your perspective on fund raising, and again, using the one thing out of the Association of Health Care Philanthropy, which was related to requests about using one additional piece of information, which is the patient service department information in conjunction with it doing fund raising-related activities.

And I am interested in getting your perspective on using that additional data element for the purposes of fund raising. I apologize if I sort of -- I know we sort of switched gears here, but I did want to get your perspective at some point.

MS. PRITTS: I would like to think about that, and get back to you after we are done with this part of the session, if that's okay? I want to look at one part of the regulation before I answer that.

MR. HOUSTON: Okay. It is relevant for today's testimony, though it's not necessarily relevant for this testimony.

MS. PRITTS: No, I understand. And it has been an issue, and I do understand their perspective on this, which is that it makes it difficult for them to do fund raising for things such as a cardiology unit and things of that nature.

MR. HOUSTON: Thank you.

MR. ROTHSTEIN: Okay, other questions? Mr. Reynolds.

MR. REYNOLDS: Thank you, both of you. Excellent testimony.

Joy, I have a question. Don talked a lot about health care communications. Do you have a box that you have drawn around health care communications?

MS. PRITTS: Yes. Well, I'm sorry, are you referring to an actual diagram that I had drawn in the past?

MR. REYNOLDS: No.

MS. PRITTS: I thought you were referring to an exhibit I had in the past. I'm sorry.

No, I think it's a difficult line to draw, but I think I would draw the line a little bit different than where it has been drawn in the Privacy Rule. I understand that there was a lot of concern about -- and this really came out in the hearing before the HELP(?) Committee after the modified Privacy Rule was issued -- that there is a lot of concern about doctors being able to attend conferences, and to receive perks from drug companies, because that was considered remuneration.

And so, they didn't want doctors to be prohibited from prescribing or making decisions based on the fact that they had received remuneration in that context.

I do think that there are issues there, but they aren't necessarily addressable in the Privacy Rule context. And that that is not so much of a concern for most consumers that your doctor went to a conference, was paid to go to some conference, and now they are prescribing a drug for you. That's always an issue in your health care, that somebody is not making a totally unbiased decision on why you should be getting a particular medication.

But generally when that is happening, the doctor is looking at the patient's medical chart. They are deciding they know the patient's condition. They are deciding well, yes, the patient does need this. And they are considering this among several options. So, to me, that's more health care. And when you're looking at the continuum, that's health care communication, even though there is some kind of removed remuneration involved.

I think that it's a clearer line to draw when somebody is receiving $3 a name to send out a mailing for something like Prozac or a new HIV/AIDS treatment. To me, that's marketing. And I think to every marketing professional that I have talked to, that is marketing. And most health care consumers think of that as being marketing.

And I think that's where some of the confusion comes, because the rule says you can't use it for marketing, but when anybody thinks of that term, most people would include that activity.

MR. ROTHSTEIN: Can I ask a follow-up on that? So, let me just sort of sketch this out, so we are all clear with this. It would be unlawful for the pharmacy to sell a list of patients who are being treated for depression, let's say, to a pharmaceutical company, who would then directly solicit them to switch drugs or try their products, or whatever?

It is currently not a violation of the Privacy Rule for the pharmaceutical company to approach the pharmacy and say, look, we will pay you X amount per mailing. Don't tell us who the patients are, but you send it out to your patients, or people who are prescribed drugs for this condition, who are taking other medications, announcing our product. And that's what you have a problem with.

Suppose the manufacturer of this second pharmaceutical product went to the pharmacies and said we think our product is superior to the other one. It provides better outcomes, et cetera, et cetera, et cetera. And we will pay you the costs that you incur in mailing this stuff out. We will reimburse you. So, we will pay you 50 cents, or whatever your costs are in mailing each one out, but we are not going to give you a bounty for each one that you send out.

And to make it more complicated, suppose the pharmacy actually thinks that the second product is better. Would you have a problem with that arrangement? So, what I'm focusing on, is it the fact that the pharmacy is getting money from the manufacturer that constitutes the big problem in your view?

MS. PRITTS: Well, it's a difficult line to draw, but I think that is one of the obstacles that I have in this area. At that point, it really does become a secondary use of the person's health information. The information is being used to treat them kind of secondarily. The primary purpose that these things are being sent out is for profits.

I've been at some pharmacy conventions where I heard some small pharmacies say that they needed to do this, because this is where they made their money.

MR. ROTHSTEIN: So, let me ask you this. Would it satisfy your concerns if there were a provision that said it's permissible under the Privacy Rule for a covered entity to mail out news of additional products for the individual's condition so long as the covered entity did not receive compensation from the manufacturer of that product in addition to their mailing costs?

They will still have something to gain by it if people switch to their product. They presumably would make more profit. But would it satisfy you if there were a provision that said this arrangement is okay so long as you don't derive any income from promoting this other product?

MS. PRITTS: No.

MR. ROTHSTEIN: That would not satisfy you?

MS. PRITTS: No, I would still want there to be on that mailing, a notice to the consumer that this mailing was being paid for by the pharmaceutical company.

MR. ROTHSTEIN: Suppose we added that on?

MS. PRITTS: I'm not done yet. Ideally, what I would want upfront is when a patient walks into a drug store, for somebody to say to them, look, we send you these things on occasion. Are you interested in receiving them, yes or no? And then the patient can say, like some patients do, that's a great idea. I want as much information as possible. Sign me up. And then the people who have reason to say, I don't think I want that kind of thing coming into my house could say no. And that would make me happy.

MR. ROTHSTEIN: Let me just follow this up, and I want to ask Mr. Bell the same question. Knowing that it's not going to make her happy, how would your organization feel about and what objections would you have to a change in the Privacy Rule that said you can do this. You can mail out stuff for manufacturers about new products related to conditions that your patient/customers have. But you can't get compensation over your costs, or that becomes marketing for which you need a prior authorization. So, what would their reasoning be?

MR. BELL: A couple of things. I want to answer that, but first let me respond to what you were suggesting that you might be able to live with. I think our members could actually live with that too, maybe. I'm speaking out of turn, because obviously I haven't talked to them about it.

But they could, but only if when the patient said no, I don't want to receive that information, then the pharmacy would not be held liable for anyone for not providing medical information that they might get paid for if they were sending out. Because our members are sort of stuck between a rock and a hard place here. Our members are held liable all the time.

One of the fastest growing types of lawsuits against pharmacies is not providing this type of information, like the importance of refill reminders, or the importance of taking your drugs correctly. That's the biggest type of lawsuit we face right now.

So, if they could get protection from liability when the patient says no, I don't want to receive that information, they may just go for that. I say that to highlight the issue here as a fact that again, it's not a clear distinction, in my mind anyway, between marketing and health care communications all the time.

There is an attempt here, it seems to me, that you are getting to, which is well, let's try to draw a brighter line, and say that if someone is making money off the communication, then it's marketing. I think that's a very dangerous conclusion to get to, because we don't have a nationalized health care system right now. We have a market-based health care system right now.

Someone is paying for all of it. Someone is paying for all the drugs dispensed, all of the communications being made. Someone is paying for it. Now, maybe it's the patient. Maybe it's the patient's health plan. Maybe it's the drug manufacturer, but somebody is paying for it. So, to try to draw a line and say, well, as long as they are not getting paid for it then it's health care, but if you're getting paid for something, then it's marketing, I think that's a dangerous line to try to draw.

MS. PRITTS: I was actually going to agree with Mr. Bell here that I think the line is easier to draw actually in the pharmacy context. But when they were drafting the rule, I know that there is a large problem in dealing with PBMs in particular, pharmacy benefits managers, because that's what they get paid -- to switch people to lower cost drugs and things of that nature. So, it is a difficult line to draw, and I don't want to give you the impression that I think it's easier than it is.

MR. HOUSTON: I want to blur the lines, or draw the lines differently anyway, because when Mark posed his last question to Joy he said covered entities. And we have been focusing on pharmacies up to this point, and I think there are other covered entities that would do communications to patients which -- would you consider it marketing or is it treatment-related?

And the two other entities that I can readily think of obviously are the providers themselves and more specifically physicians, who obviously have a treatment relationship with the patient, a very intimate relationship. But also health plans. And as we know, health plans change formularies all the time, and change programs, and therefore will send communications related to changes. And is it Claritin or something else for allergies?

What are your opinions regarding communications with patients from health plans as well as providers, again, the same type of communications, maybe in a lot of cases under the same circumstances. The pharmaceutical company may be underwriting the physician office the health plan to make these communications. What are your thoughts? Does it change your opinion? It's probably more related to Joy than Don.

MS. PRITTS: Well, I would like to look at the provision, because I think that they kind of take care of that in the specific provision which deals with health plans and what they can do. So, it's very specifically tailored to health plans, and how they can send out information on what's available on their plan.

MR. BELL: If you want to look at that, can I just try to respond? I cannot claim to be an expert on any other types of providers, but Joy did raise an excellent issue, and that is PBMs, these pharmacy benefits managers that send out a lot of communications. Trying to figure out who PBMs fit within the privacy rules has been very, very difficult for our members.

They own mail order pharmacies, and those are clearly providers. But the basic job that PBMs do, which is stand between the pharmacy and the patient and the health plan, and keep track of all of these drug sales, and reimburse the pharmacies, they are not considered, as far as I can tell, covered entities.

So, they are sort of in a gray zone. At most, they are considered to be business associates of the health plans, but a lot of times what we have seen is that that tail, the PBM is wagging the dog, the health plan, and it's the PBM that makes a lot of the decisions about what types of communications will go out to pharmacies. So, that might be something that you'll want to look at, is how PBMs fit within this whole regulatory scheme.

MS. PRITTS: I don't have the provision with me that I was looking for. But I do believe that there is a specific exception for health plans that kind of removes them from the equation.

MR. HOUSTON: In some regards I think, but again, they are still going to be making potential marketing communications, and it still is a communication coming to the patient's front door if it's a mailing.

MS. PRITTS: I think it's a problem. I don't know that there are any easy answers to it. I think that there are better answers than what we currently have. This gets into kind of micromanagement, but I know that there are a few states that have requirements that marketing materials for health services and treatments and probably pharmaceuticals is what I'm guessing, prescription drugs, that they must be sent in an envelope. I'm hesitating, because I'm trying to remember which state that was, because I was so surprised to see it. But there is at least one state that really gets down to that level.

MR. HOUSTON: The realization is that an almost identical communication could come from a pharmacy, a physician, or a health plan. And they could be underwritten by the same manufacturer, they really could. And what it sounds like is that it could be acceptable simply based upon where it is coming from, rather than anything else.

MS. PRITTS: Well, as a practical matter though, when we look at how things are actually working, what usually happens is doctors are getting paid to write the prescriptions. So, that's actually what has been at issue for the last few weeks, is doctors actually receiving large payments from pharmaceutical companies to write prescriptions for their product.

As a practical matter, that's where they are getting their money from in these kinds of -- the marketing is being done to the doctor directly. It's usually not being done through the doctor.

MR. ROTHSTEIN: Dr. Harding.

DR. HARDING: I'm missing out on some money somewhere. I haven't been paid for prescriptions lately.

MS. PRITTS: I'll send you this article. It was quite amazing. Did you see that?

DR. HARDING: I think it was oncology.

MS. PRITTS: Yes, a $10,000 check.

DR. HARDING: I'll leave that one alone. But when you were talking, Joy, about doctors being told the number or the people who they were writing prescriptions for by pharmaceuticals, just as an anecdote, in my area the pharmaceutical representatives don't come in and tell you who you wrote prescriptions for. They tell you the percentage of a certain product that -- we're using psychiatric drugs here today, Prozac and so forth. But they would come in and say what percentage of your antidepressants were Prozac. They would tell you that.

MS. PRITTS: Right, and I think that's the more common practice, what you are speaking of.

DR. HARDING: As opposed to individual-identified.

MS. PRITTS: Right. But it has come up to me what has been a surprising number of times where I have been approached when I've been at a conference by a doctor who says, I got somebody in here who is telling me the names of the patients that are on these medications, and I want to know how they know. I have no idea.

MR. FANNING: Is that not from the PBM, rather than the pharmaceutical company?

DR. HARDING: It could be.

MR. FANNING: Because they have the record of the transactions.

DR. HARDING: Mark, you were talking a little bit about the profit issue, and a certain amount of profit becomes marketing and so forth. That to me, is kind of an abyss, thinking about how to divide that up, and what kind of profit are we talking about, and so forth.

I could come down a little bit more on Joy's side of things in saying that the real issue, it seems like, is the notice. That if the notice is there, if the letter comes and it says we are sending this letter to you at the request of or for the payment from big pharma or some system or something, if that notice is clearly there, it doesn't give me near as much heartburn as if there is no notice. Now, I still think that's marketing, but it is at least clear and upfront as to what is going on with that letter.

MR. ROTHSTEIN: Well, I'm persuaded that the trial balloon never even got off the ground on trying to restrict the payment issue, because there are so many ways you can imagine to get around that by changing their pricing schedule and increasing their profits, and so forth.

So, let me follow-up on Richard's approach, and that is to ask Mr. Bell whether you think there would be acceptability to a change in practice that there was disclosure on anything that was sent at the behest of a third party, where that was indicated there? It could be if you just sent them a mailing, this mailing was paid for by such and such pharmaceutical company, or in a letter, or however you want to do it, leaving aside the issue of the appropriateness of the method.

MR. BELL: Well, I don't even think it would require a change of practice, at least with the pharmacies that I have talked to about this. Again, I have been told that they are already doing it now. I don't know about all pharmacies. I don't claim to speak on behalf of all pharmacies, but the ones that I have spoken to among our members already make those disclosures.

So, I don't think that it would be necessarily a change of practice. I'm sorry to keep referring back to this NCL best practices guide that you guys haven't seen yet, but that is one of the best practices that they mention, both the notification of payment by a third party, like a manufacturer, and the opportunity to opt out. And I do know for a fact, having talked with quite a number of our members in discussing these best practices within that, they are already doing that. So, I don't know that it would require a change of practices.

Now, I do know though on the other hand, our members do not like messing with the privacy rules in any way. It took so long, and such a great effort to come into compliance. And I think they did a very good job, and I haven't heard of -- Joy may have, but I haven't heard of any lawsuits against any of our members anyway based upon activities that would have been a violation of the HIPAA Privacy Rule.

So, I think they have done an excellent job of implementing the rules. I think that they would not be in favor, to put it mildly, of any changes along the lines that you are talking about.

MR. HOUSTON: I just wanted to ask Richard if he was finished?

DR. HARDING: I have a little bit different topic, so I'll come back around.

MR. ROTHSTEIN: Is this related to this topic, John?

MR. HOUSTON: I just wanted to follow-up on the issue about marketing from health plans. I did pull up the provision, and maybe I'll just read it really quickly. Marketing does not mean, "describe a health-related product or service, or payment for such product or service that is provided by or included in a plan of benefits of the covered entity making the communication, including communications about the entity participating in a health care provider network or health plan network, replacement of or enhancements to a health plan and health-related products and services available only to a health plan enrollee that add value to, but are not part of the plan of benefits."

So, I think that was the provision that you were relying upon. It gives a health plan some additional wiggle room, but I still -- if you are providing communications about specific drugs and therapies --

MS. PRITTS: That are covered, I think might come under there.

MR. HOUSTON: It might, but it doesn't give you that much wiggle room. In my mind, I still think you have somewhat of the same issue.

MR. BELL: To me it doesn't resolve that basic issue. It says health care isn't marketing. We still haven't decided exactly where to draw that line between the two.

DR. HARDING: Just kind of a quick thing that came up, that Joy mentioned, and that's the issue of state lawsuits and preemption. And I would imagine that the two of you would have different thoughts about preemption in this category. But I wonder if you could say just a little bit more about the necessity of preemption, or the difficulty of preemption?

MS. PRITTS: Well, it would be very nice if we had a very strong federal privacy rule where the bar was set high enough that patients would feel comfortable. Because of a lot of compromise, where we ended was, as has been repeatedly stated, a floor of privacy protections. And the compromise that I think was reached there, was reached because there are a number of states -- every state in the union has some rule, some law that is more protective than the Privacy Rule.

And there are very important policy reasons behind that. Many states, for example, have decided to protect certain medical information at a higher level. Generally, those protections are afforded to medical conditions that have stigma attached to them. It's unfortunate in this day and age that we still have this, but there still is a lot of stigma attached to certain medical conditions.

And these states have decided, a lot of them based on their population, that these are things that are worth protecting. So, one way of solving the issue, I have always said, is to just raise the standard high enough, and then you wouldn't have to worry so much about different state laws; raise that standard high enough on the federal level.

We are not there. And until we get there, it's very important that more protective state laws remain in place. I'm not naive enough to think that it doesn't cause practical difficulties for people who practice in more than one state. I know that it does. What some of these providers have -- the way that they have solved the issue is admirable. They decide to apply the highest standard that they can to all of their operations. And that way people in other states kind of get the benefit of the higher standard set by one.

The thing that I have seen repeated though when I have looked at this, is how much privacy protection there really is at the state level. And again, it varies dramatically by state. You look at New York state and they have an enormous amount of case law dealing with medical privacy issues. Michigan has almost nothing. So, if you were to eliminate the current structure, it would really be lowering the privacy protections afforded to very many people in this country.

DR. HARDING: Has there been the burst of legislation that was predicted in the states to increase privacy levels during the last year since the privacy?

MS. PRITTS: No, in fact the opposite has actually occurred. Hawaii basically revoked its comprehensive medical privacy statute in light of the federal regulation, saying we don't need it any more. Texas did something fairly similar. They had passed a fairly comprehensive set of laws dealing with medical privacy, and they revoked most of them.

There are movements afoot in several states to modify their existing privacy, some of the kind of nuts and bolts of their privacy requirements to make them more in line with the privacy regulation. Sometimes that's good, sometimes that's not, but it does make it more consistent. But there has been a trend.

Right now, I'm thinking of some of the access provisions. There has been legislation introduced in I believe three states where currently the individuals have I would say the response time is shorter for producing the medical records, and things of that nature. And they are going to the federal standard. So, instead of the federal Privacy Rule that floats all boats, it's kind of becoming the least common denominator.

MR. BELL: On preemption, our members would appreciate preemption. I understand it would take probably a change of the statute itself. And preemption is an issue that we deal with not just on privacy, but on many different levels.

Our difficulty with preemption is, as you mentioned, our members operate in many different states. Our members are companies like CVS and Rite Aid and Walgreens and Wal-Mart and Safeway and Giant, companies like that, that operate in many different states. So, it can of course be confusing to determine all right if you're in 50 states, you've got to follow 50 different rules.

Our association has created a HIPAA preemption analysis, where we go through and try to determine what is preempted and what isn't, and what's more stringent standards in states. That cost us over $1 million. And we spend another $10,000-20,000 every other month to update it, because it's not just the fact that there are 50 different standards out there, but there are 50 different constantly changing standards out there.

And I understand that legislatures aren't necessarily the ones that are doing all of these changes, although they have in places, California for example. But there are also regulations that constantly come out that affect or change the privacy rules.

There are lawsuits that are decided that change the privacy standards. For example, in Illinois a couple of months ago an Illinois court decided that the mental health privacy statute will apply to mental health drugs. And that pharmacies have to know why a drug was prescribed, for example, in order to tell which set of privacy standards apply.

And then of course there are the attorneys general that are always doing investigations, and whether their settlement agreements, which they then proclaim must be followed by all other providers that aren't a party to the settlement, whether that constitutes a standard that is more stringent I don't know. But there are always constant changes coming along that do make following 50 different changing standards difficult. So, sure, our members would like it. If you can do that, we'd appreciate it.

MR. ROTHSTEIN: Let me ask Ms. Pritts a question. I'm sure Mr. Bell wouldn't mind getting off the issue of pharmacies for a minute. And that is whether you have any concerns about marketing in other settings? For example the redisclosure of PHI by marketing firms that have gotten information via an authorization or marketing in other contexts.

MS. PRITTS: That's one of the concerns about the fact that the Privacy Rule doesn't cover everybody who holds health information. The people who get it, such as marketing firms, they are not covered directly by the Privacy Rule. They are only covered through a business associate contract.

And there is concern that they will use it improperly, but there is no real mechanism for people to tell if they have. A lot of the times when you read about the things that people are complaining about, they don't know who has their information, or how they got it.

I'm thinking now about this Prozac example that I had raised earlier. The person who received that tried to trace back where the information came from. And they found kind of a marketing company, but they couldn't figure out who had paid the marketing company to send the information. So, it's a difficulty. I think it's a difficulty in knowing whether it's actually being done.

And if you find out that the information is being disclosed, I think it may be difficult to do a real trace of where the information came from, because it is so possible it came from different sources. And then of course there is almost no enforcement at that point, because HHS doesn't have authority over the business associates.

MR. BELL: Yes, and if I could follow-up on that, I agree with you. And there are other entities out there that aren't covered entities, but do have protected health information. I probably filed one of, if not the first HIPAA privacy complaints on April 14 or 15. I can't remember when I did it, but it was about all of these Internet pharmacies that specifically require patients -- I'll call them patients -- to waive any privacy rights.

So, I filed complaints against literally hundreds of these companies, and about a year later got a reply back from HHS that said, well, they're not covered entities, because they don't adopt the type of electronic transactions. So, I think you are right that the privacy rules do not cover all of the entities apparently, that have this type of information.

MR. ROTHSTEIN: Other questions or comments?

Well, I want to thank both of you very much. It was a very enlightening and stimulating discussion. And with that, we will break now for lunch. We will have our next panel on fund raising beginning at 1:15 pm.

[Whereupon, the meeting was recessed for lunch at 12:15 pm, to reconvene at 1:15 pm.]


A F T E R N O O N S E S S I O N (1:20 P.M.)

DR. ROTHSTEIN: Good afternoon, everyone. I want to welcome you back to the hearings of the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics.

This afternoon we take up two issues, fundraising in our first panel and media access to PHI in our second panel. I want to remind members of the public that there is an opportunity to provide public comment at 4:30 p.m. If you want to sign up, please do so at the front desk, and you can address the issues that we are discussing today for five minutes.

Agenda Item: Fundraising - Panel 2

This afternoon, we have two witnesses on our first panel on fundraising. Let me say thank you to both of you for coming, and say at the outset that the first two panels today, the marketing as well as the fundraising panel, are issues we have dealt with in the past. I know Dr. McGinly has testified before us and other Hopkins representatives. Duran Pollock testified in 2002 at our hearing on the issue of fundraising. What we are doing today is revisiting the issue. We had many concerns expressed to us at that time and even before then on fundraising issues, and we are checking back to see what has happened, trying to see if there are problems in the implementation of the rule, if you have recommendations that you would like us to pass along to the Department on ways to make the rule operate more efficiently for you and for those people who are working in your field.

What I would like to do while Dr. McGinly is getting settled is to first ask for Mr. Zeller to testify.

MR. ZELLER: Thank you. Good afternoon, Mr. Chairman and members of the privacy subcommittee. My name is John Zeller. I am the Associate Vice President for Development and Alumni Relations at Johns Hopkins Medicine in Baltimore, Maryland.

First, thank you for inviting me here today to discuss with you the impact that HIPAA has had on fundraising efforts, particularly at Johns Hopkins Medicine. Before I discuss the impact, I'd like to make two brief comments. First, that academic medical centers and nonprofit health care organizations support without question the spirit of HIPAA legislation to ensure the privacy of medical record information. Second, I would like to thank you and the committee for your letter dated March 1, 2002 to Secretary Thompson, in which you recognized the vital role that private philanthropy plays in funding medical research, patient care and education programs in this country. The privacy interests of patients should not impede responsible fundraising activities.

At Johns Hopkins Medicine, private philanthropy from our patients is not only an essential component of the institution's financial health, it contributes enormously to medical advancement. Generally, patients direct philanthropic funds to the cutting edge medical research we perform tied directly to their own diseases or to those diseases from which their family members are suffering. This research is often so new that traditional funding sources such as NIH will not yet support their ideas, therefore making private philanthropy a driving force in the identification and development of new medical discoveries.

Fifteen months after the implementation of the fundraising portion of the regulations under the HIPAA law, how has this impacted our fundraising efforts? Let me begin by addressing what we can quantify. We have diverted current staff to focus on HIPAA. We have added staff to manage authorization information, and we have created a new office of HIPAA fundraising compliance, which reports to my colleague here on my left, Cynthia Beech Smelser, who is a director of the fund for Johns Hopkins Medicine.

Our operating budget is increased to accommodate substantial authorization for printing and systems costs. We have developed makeshift systems to manage authorization information in the short term while we are building a system that will be able to handle this information long term.

One of the reasons for success at Johns Hopkins Medicine is the way in which scientific collaboration occurs across the institution, spontaneous and unimpeded. However, trying to implement a uniform process in a large complex organization like Hopkins presents a great challenge.

In order to comply with HIPAA, we met with our leadership, trustees, legal counsel, physicians, clinical managers and various hospital committees to discuss how best to proceed. This resulted in a number of pilot projects examining different approaches to securing patient authorization. The outcome was an agreement that our institution policy would be to offer authorizations to patients at registration.

We have been implementing this process throughout the Hopkins health system since last December. Our preliminary data suggests that less than half of our patients are signing the authorization form. The signing rate does vary from clinic to clinic, however.

At this juncture, the HIPAA impact on fundraising is difficult to assess. First, we do not yet know whether or not the patients who have signed the authorization form are truly those who are philanthropic. This will have to be assessed over a period of time. Second, successful fundraising programs rely on strong relationships built with potential donors, educating them about the impact of philanthropy, involving them in the programs of the institution, and matching their interest and philanthropic capacity with the needs of the organization. This is done face to face, over time, and as an ongoing relationship that continues past any initial gift. Asking permission to engage in these types of conversations before any contact with the institution can be very awkward for all parties involved.

Third, the combination of varying legal interpretations of the few paragraphs in the law devoted to fundraising make it extremely difficult for academic medical centers and nonprofit health care institutions to determine best practices for grateful patient fundraising, and develop a model for institutions to follow.

In closing, let me again restate that it would be helpful if HHS would implement what you suggested in your letter of March 2002 and employed responsible fundraising activities. In that letter, you recommended that HHS should explore procedures for the disclosure of clinical department of service information for use in fundraising such as simplified authorization or an opt-out procedure for departmental information. We ask that you renew that recommendation today.

Thank you. I would be happy to answer any questions you might have.

DR. ROTHSTEIN: Thank you. We will have plenty of questions, I'm sure, but we want to hear from Dr. McGinly first, unless someone has some particular question.

DR. MC GINLY: Hi, Mark. Thank you all for inviting us back. I am delighted to be back with you here. I wanted to try and address more questions in addition to what we had submitted to you earlier and to wrap up with a rather strong recommendation regarding point of service in the use of that information, which was for the first time eliminated from professional fundraisers' use without the written authorization.

A couple of things I wanted to address. How has life for fundraisers changed since the last time that we met with you. On this issue with the privacy regulations, I can tell you that there is a lot of confusion. There are a lot of people that are upset out there. There is a loss of services in communities because of the added costs that our organizations have incurred as a result of not only doing the written authorization portion of it, but just tracking and dealing with the notice of privacy practices, and on and on.

Just to give you a flavor for this, some of the things that are coming out relative to the interpretation of the regulations as it relates to fundraising. You are all familiar that demographic information can be used without prior written authorization, as long as there is an opt-out, and all that. Here we are with interpretations that run the gamut and create more and more confusion.

I've got an attorney in Kansas City who is advising clients and volunteers, all have to enter into a business associate agreement. The attorney hasn't read the regulations, but that is part of the confusion that is out there. We have compliance officers and other advisors initially explaining and still explaining right now to our members that they can't visit patients any longer. I can walk in off the street and visit you in one of our hospitals, but our development person can't. That is not the way it is in the regs. They are defining things quite differently. We are entitled to have the age of the patient, but they won't give the birth date in some instances, the birth date. You need that if you are going into planned giving, or you are a part of that program. And of course, that is permissible. I can give you five or six more sound examples like that on the one side.

One of the things that we did in 2002, actually towards the end of 2002, is, we conducted a fax survey of our members. We got a range of expenditures and added costs relating to implementing HIPAA just for fundraising. Remember, this runs the gamut just from small community hospital to those like where John happens to be, where they have made a decision because they want to fund raise by department, that they are going to go for the written authorization. But it ranges from as little as $25,000 to well over a million dollars. We have a group of our larger organizations that are going with the authorization form, reporting that it is anywhere from $400,000 to $700,000 annually to manage this process. Part of that goes to things like some of the responses we got, where additional compliance officers hired IT computer security database training. A physical plant change is $120,000. Investing a million dollars to implement staff publication, public education as it relates to the fundraising. So we see quite a wide gamut there.

Also, we saw in the year 2002 that giving -- and unfortunately, I can't attribute this in a statistical way to specific things, but we know what some of them are, but we watched giving drop from eight billion dollars in our annual survey to $5.5 billion. Now, granted, the major portion of that was because of the economy. We saw gifts of appreciated property go down. But we also know that an awful lot of that was due to the confusion in donors' minds.

An important element that John raised with you as well, when you talk about the written authorization, what some of the larger teaching hospitals in particular are finding is that about 40, 45, less than 50 percent of the people who are asked, will you give us the prior written authorization, are saying no. This flies in the face of what we know has been permissible up until the implementation of HIPAA, and is creating tremendous troubles for us.

Those people are responding just the way you responded to the question I asked you when I was here last: What do you think of when you hear the word fundraising. You came back and you told me, it is the telephone call at dinnertime. We are not that, but people who are presented with that option are now having the opportunity to be educated about what we are doing, or given the opportunity to engage to volunteer and donate money will opt out of it, because they have that misunderstanding. So that is one of the biggest things that we see going on.

Our members are struggling with this, there is no question. They are struggling to the point that I have become at my age the HIPAA -- nobody at my age is HIPAA -- I have become the HIPAA expert. I have made presentations to over 40 foundation boards since this was enacted, and even before. I have done over 100 workshops with attorneys and others. We get into arguments and fights on the floor of these workshops, particularly the gentleman from Kansas who was advising the business associate agreement was necessary for every volunteer.

We write to the Secretary, and we raised three questions about point of service, and we knew the answer to that, but we wanted to get it on the table. The business associate agreement, because some organizations have chosen to treat their foundation as a business associate rather than complying with what is in the regulations, and that opportunity that they are a health care extension, they are a part of health care operations, there is no need for a business associate, and the physician referral of patient names for the purposes of fundraising, which was pretty well clarified in that letter.

The key thing that we are seeing as we go through all this is, we are now rebuilding from the standpoint of 2001, with eight billion dollars raised, which is incidentally what one chief executive, Blue Cross Blue Shield, told us that implementing all of the HIPAA regulations worldwide or across the board, was going to cost about $8.6 billion. So if that is true, we have wiped out what we have done in philanthropy as a result of these HIPAA regulations.

Now, the piece that is fundraising of course is a much smaller percentage of that. But we see substantial dollars being invested in something that in our view, in accordance with what is the donor bill of rights, our donor ethics, is unnecessary. This idea that a written authorization, no matter how simple it is, is just like that question asking, do you want to go to the hospital, do you want to go to the dentist, what do you think of when you hear fundraising. The answer is no, you don't want to go to the hospital until and unless you have that need.

These grateful patients have been through that experience. They have been helped. They have been assisted. Many of them want to turn around and benefit the community and others that cannot afford to benefit themselves in the same way.

I also would point out that there are a lot of contradictions in the regulations, but look at an independent cancer center, which we have done, Fox Chase in Philadelphia, and several others, Craig Memorial Hospital in Denver. These are all institutions that are freestanding, and they offer only one service. They do fundraising to their patients. We haven't had any issues with that, we haven't had any problems with that. We didn't have those before this regulation came out.

Incidentally, we understand that back in November, December, there were 2400 complaints. As far as we have been able to determine, not one of those was dealing with fundraising. I can't say that with total accuracy, because I have only gotten anecdotal information from OCR as well.

So with that, I would recommend, and I would hope that you would recommend to the full committee and on and on what we were talking about before. That is, to allow the use of point of service information within the health care provider, without prior written authorization from the patient, for fundraising purposes. It is the way that we have conducted business for 35-plus years, up until the time that these new regulations come in.

Lastly, you asked what kinds of things are we doing educationally. Again, I just finished our round of regional meetings. We had HIPAA on the agenda. We have put together with one of our compliance officers out in Pacific Medical Center in San Francisco a program where we take this all over the country. We have a compliance officer who is sitting down, and we promote this. It is HIPAA and fundraising, specifically what you can do and what you can't do. When we get into these discussions, we find our members are all over the board, based on the advice that they are getting.

There is one last thing I wanted to add, but at my age, I have these senior moments. My most serious thing is simply a recommendation to allow the use of point of service patient information within the health care provider, by the health care provider, without prior written authorization for fundraising purposes.

Thank you.

DR. ROTHSTEIN: Thank you very much. Before we begin with our questioning, I know you weren't here this morning when three of the four subcommittee members at today's hearing indicated for the record that we work at academic medical centers that are funded in part at least by private donors, so therefore we have in theory at least some level of conflict of interest. But we wanted to get that on the record.

The floor is open for questions.

DR. HOUSTON: A question just to summarize. You definitely believe that there has been an impact on the amount of funding you have collected due to HIPAA, as well as an impact on your costs in order to do fundraising. I just want to make sure I clearly understand that. I just want to be crystal clear.

DR. MC GINLY: Absolutely, from what we have seen.

DR. HOUSTON: Mr. Zeller, can you specifically quantify the impact on Johns Hopkins?

MR. ZELLER: As I stated in my remarks, it is very difficult to quantify it definitively. We do have some indications, and I was speaking with Dr. Harding beforehand about this. We track the percentage of individuals who sign authorizations. That is less than half. So we really won't know what the impact will be on individual giving going forward until we really ascertain whether or not those who are signing up are philanthropic.

But specific information for our financial year that ended June 30, we have traditionally in the past garnered support in the vicinity of 70 percent of our contributions coming from individuals, the balance coming from corporations, foundations and organizations, not necessarily associated with an individual. So private foundations are counted within that 70 percent. Of that 70 percent, approximately 90 percent has come from grateful patients. This year, although we achieved comparable results to last year, that percentage has dropped from 70 to 56. So a trend line is such -- one year does not make a trend line, obviously, but it is an indicator, coupled with less than half the individuals signing the authorization, that we may be headed towards a significant issue.

DR. HOUSTON: If somebody doesn't sign the authorization, do you automatically put them into your opt-out database? Obviously an authorization is only required if you want to use department specific, disease specific information. So if they register and don't sign this authorization, do you immediately assume that they are opting out of the generalized database?

MR. ZELLER: No. We will try to re-seek an authorization six months later.

DR. MC GINLY: Can I add, we will try to re-seek authorization --

DR. HOUSTON: You still try to make contact without an authorization, generally without the disease or department --

MR. ZELLER: We do have that option. I will tell you that in the overall fundraising impact -- and I think Duran Pollock made this comment two years ago; if you look at the amount of money that we raise on an annual basis as a percentage from general solicitations, as you are suggesting, last year was about $160-plus million in private gifts from a variety of sources. Last year from direct mail, using only generalized information, that number was $220,000.

DR. HOUSTON: So it is less than one percent.

DR. MC GINLY: Also, those figures about the source nationwide, it is about 68 percent in our surveys. If you add bequests, which are also individuals in a different state, it is closer to 80 percent.

DR. ROTHSTEIN: Dr. McGinly, you spoke earlier about fundraising at Fox Chase and some other specialized centers. Could you repeat that point?

DR. MC GINLY: The regulations don't prohibit a specialty hospital from doing fundraising, grateful patient fundraising. They don't have to ask for an authorization, because all the people at Craig Memorial Hospital at Denver are spinal cord injury patients.

DR. ROTHSTEIN: No, I understand that. Was it your statement that fundraising at those institutions did not decline between the years that you mentioned?

DR. MC GINLY: They have held up much better, absolutely. My point is though that here is a spinal cord department within Mass General that cannot do that without having a written authorization. Here is one at Craig Memorial, Fox Chase, the cancer center there, that cannot do that without a written authorization.

Yes, the return from a grateful patient -- just as an example, from direct mail, if you get one-half of one percent return on a direct mail acquisition, you would be very happy with it. We are finding a lot of our members are getting 28 to 32, 33 percent return from grateful patients.

So yes, their mailing costs are a lot less because they are going to their grateful patients, and their return is a lot higher because there are grateful patients that have had an experience with the institution. But they don't have to worry about a written authorization. My point is that it is not an issue as far as privacy is concerned, but it is an issue as far as our fundraising effects, and the cost.

DR. ROTHSTEIN: I see the point you are trying to make. That is the issue that we have all been wrestling with, how do you continue successful fundraising at large multi-specialty medical centers. The methodology side of me is questioning whether A equals B, but that is beside the point, because you could argue that cancer survivors are more motivated to give than the average hospital patient and so forth. You would have to compare longer term trends in one year, and I don't want to do that. The issue is whether in balancing the patient privacy rights against the other valid rights, where do we strike the balance. That is what we are all wrestling with.

I want to ask Mr. Zeller a question. You said fewer than half of the individuals at registration sign initially. What percentage are you able to recapture later on through other efforts?

MR. ZELLER: We have actually only put the patient in place at the end of December, so we have really only had six months worth of data. The process as it is now is that for those who do not authorize, choose not to authorize, that we try to recapture them six months later. So the time frame is hard to assess what that successful recapture might be at a later date.

DR. ROTHSTEIN: What would your view be on an opt-out for patients similar to the directory opt-out, where individuals could elect not to have that information disclosed for fundraising, but ordinarily it would be available?

MR. ZELLER: Help me with the definition of what type of information you are talking about.

DR. ROTHSTEIN: The department of service information. So in other words, I check into the hospital for treatment of something that I consider sensitive, and I am given an option to opt out, either expressly or just in the rule that I can exercise if I want, so that I don't have to be approached by a specific division of the hospital or that information is not given for fundraising purposes. Is that better than the current state or not sufficiently better than the current state of the rule, so what?

MR. ZELLER: Bill may have comments on this. It still puts it in a very awkward situation relative to seeking that authorization or that process at the front door, if you choose to do it at registration.

We tried a couple of different pilots. It is clear that physicians do not want to participate in the seeking of this authorization.

DR. ROTHSTEIN: Suppose the burden were on the patient, and the patient would have to initiate and say, by the way, don't put me in the directory and don't give my information of what sort of diagnosis or whatever for fundraising?

MR. ZELLER: I think that would be significantly better. Let me come back to the point where you said diagnosis. What we are talking about is point of service relative to potentially a physician's name or an area in which they are seen, as opposed to any specific diagnosis. So that would be significantly better than what we have now, in my opinion.

DR. HOUSTON: Just to be complete, can somebody describe the specific types of information you like to have, in as much detail as you think is necessary?

DR. MC GINLY: First of all, what is the difference if I am an oncology patient in Fox Chase or an oncology patient in Hopkins? One place they have to get written authorization, the other they don't. There is no difference. I would submit to you that if you want to opt out one piece of this or carve out one piece of it, it is going to make our members' lives more difficult in tracking this information.

We are not interested in whether you had colon cancer or rectal cancer or what kind of cancer you had. What we are interested in is that you received services through the oncology department or whatever it happens to be. We can then take that group of grateful patients and appeal to them on the basis of supporting something in oncology or cardiology or whatever it happens to be.

DR. HOUSTON: I also heard mention of physician name. I just wanted to know exactly what elements you are interested in.

DR. MC GINLY: For the most part, having the physician name, which is permissible for our members in our normal work, gives you the department they received service in. There is no way that you can avoid knowing that necessarily. Part of our responsibility is the visit will begin in the hospital. You know that I am in the cardiac care wing, but how I use that information is the bigger --

DR. MC GINLY: You mentioned opting out of the directory. Another good example. Here are patients saying they want to opt out of the directory. They opt out of the public directory. That doesn't mean you deny the name of the physician that is providing treatment, nor should you deny the name to the fundraising person for fundraising which is part of health care operations. They have simply opted out of the public directory. But again, there is a lot of confusion out there.

DR. ROTHSTEIN: But again, if you approach someone and they said don't call me again, it is just a different stage of the opting out.

DR. MC GINLY: Here is another good example, too. In the notice of privacy practices, we have collected numerous of those, and I find some of our best members who have an opt-out in the notice of privacy practices, when they receive that statement. That is not required. It is the worst place to put it, because it is the same thing as presenting them with a written authorization. Fundraising, opt out before I even learn what this is all about.

One of the best notices of privacy practice I ever saw or have seen so far is with a for-profit hospital. Why they even had it in there -- I explored it with them, it was just in the regs, so we complied, was their answer. They don't even do any fundraising. But it was the best one, because they didn't have an opt-out in the notice of privacy practices. They were doing it correctly as far as good sound basic practice, and putting it in the materials that they were mailing out, or they would have been.

DR. ROTHSTEIN: You made a statement earlier, you said that it is common for fundraisers at hospitals to visit patients. You are talking about people who are long time donors, right?

DR. MC GINLY: No, not at all. I am talking about the fundraising office or the volunteer that they have working for them, who is making a visit to patients that are coming into the hospital. Quite frequently, they are people who are established or they have been a donor, yes. But they may make a call on somebody. I will call my member to visit one of my friends in Enova, not necessarily for fundraising, but to help them out, how is everything going. They may add them in later. That is part of what is expected of them in their fundraising duties.

MR. ZELLER: I think sometimes there is the perception that if someone who wears a fundraising hat visits a patient, it is for the purpose of discussing a gift, or to solicit them. My comments reflected the fact that grateful patient fundraising in particular is built upon a relationship. It is a relationship with a physician, it is a relationship with the organization, which development for fundraisers helped to facilitate.

So there are courtesies, whether it is escorting a patient to appointments that they have been asked to do, or to simply stop by, getting greetings from friends or colleagues who knew they were in there for the purposes of facilitating the best possible experience that they could have, not to sit there and solicit them for a gift at that time.

DR. ROTHSTEIN: So I needed to clarify that. People are not coming and hitting up people. It just sounds awful.

DR. MC GINLY: This is a role that they play that is building a relationship. Have you ever been in the hospital for something?

DR. ROTHSTEIN: Yes.

DR. MC GINLY: Isn't it comforting to know that there is somebody there who can be an advocate for you?

DR. ROTHSTEIN: We learn in law school not to ask any questions that you don't know the answer to. My view, when I am in the hospital, I barely let my doctor see me, and everyone else is thrown out.

DR. MC GINLY: So you do not feel comforted by someone from headquarters coming to visit you?

DR. ROTHSTEIN: No. And frequently the president of the hospital and people I work with want to drop by. No visitors. I don't want to see anybody.

DR. MC GINLY: Then that should be protected for you.

DR. ROTHSTEIN: I want to get off my hospitalization.

DR. MC GINLY: Apparently he is not a major donor.

DR. ROTHSTEIN: No, actually I am a donor. I am grateful to the institutions that have cared for me, unsolicited. I appreciate the fact that they saved my life, and they don't have to do anything.

I did have a question. That question was -- and see if I am correct in this -- using a publicly available directory, you could go to John Fanning's hospital room, and you see that he is being treated by Dr. Harding. You know Dr. Harding is a psychiatrist. Then when you decide you want to endow a chair in honor of the esteemed Dr. Harding, mail him a solicitation saying that we are -- not saying that you are a patient, that we are establishing a chair for Dr. Harding. Is that what you are saying?

DR. MC GINLY: In practice, prior to this regulation, exactly that could happen. There were some very clear cautions that we have in our practice about psychiatric care of patients, about Medicare and Medicaid patients, and what your philosophy is, what your management is, not off a public record necessarily, but the census that I am going to receive daily as a part of my fundraising responsibility. I can walk in off the street and come and visit you in your hospital, except when I get there, they are going to say, Mark doesn't want anyone to come in, and I am going to honor that.

So yes. Would we do that with psychiatric care patients?

DR. ROTHSTEIN: Well, let's make it internal care patients.

DR. MC GINLY: I would, on making those visits, because I know why you are there prior to these regulations --

DR. ROTHSTEIN: What about after the regulations?

DR. MC GINLY: I can't do that.

DR. ROTHSTEIN: Why?

DR. MC GINLY: I may know, because I have come to visit you, which is perfectly permissible, that you are on the cardiac care wing. I cannot take your name and put it in a file and build a file of cardiac care patients to do fundraising to, unless I get a written authorization from you. But do I know that you are in the cardiac care wing? Sure, I do.

DR. ROTHSTEIN: I'm struggling with this. Suppose I am in the hospital, and someone from the American Heart Association looks at the directory, pays me a visit -- forget the no-visitor stuff -- they see I am in the cardiac care wing. They send me a solicitation for the American Heart Association, right? Can they do that?

DR. MC GINLY: First of all, the person that is with the American Heart Association is not employed by the provider.

DR. ROTHSTEIN: I understand that.

DR. MC GINLY: Could that person walking in off the street do that? Sure. It would be kind of unscrupulous, though.

DR. ROTHSTEIN: I'm just talking about whether the privacy rule prohibits it. The answer is, obviously not, right?

DR. HOUSTON: The privacy rule says that an institution related foundation is only able to do fundraising on behalf of that institution and not on behalf of other --

DR. ROTHSTEIN: No, but they are an independent foundation. I am trying to draw -- what I am trying to do is compare what is publicly available information about where you are, that someone learns by just showing up, which they are allowed to do, and what you are allowed or prevented from doing under the privacy rule.

DR. MC GINLY: The difference is, first of all, the language is crafted very nicely that it is speaking only to the institutionally related foundation, because these people are working for the provider. It doesn't speak to the person from the American Heart Association who would walk in off the street, I suppose, because they are not part of -- do those regulations apply? I doubt it. Would that be unscrupulous? I would think so. But by the same token, our member coming across the street from the foundation or the department of philanthropy, while they can make that visit and build the relationship with you, cannot categorize you and promote to you off a list of cardiac care patients exclusively. You may get a promotional piece or an invitation to contribute, but it is much broader, and it has gone to a larger list of patients.

DR. ROTHSTEIN: See, the complicating thing is that the information about the department is learned through an inadvertent disclosure, and it is not obtained by the development office getting a printout of all the monthly cardiac patients.

DR. MC GINLY: It is the development office getting a daily printout of all the admissions or people in the outpatient area or whatever it may be, and perhaps comparing those to current donors or deciding that these are a group of people that we want to visit. That is not inadvertent. That is part of sound fundraising.

Am I learning about your diagnosis? Probably not. I am learning where you are receiving service in the hospital. How I use that information is restricted.

DR. ROTHSTEIN: I'm trying to help you. You are not helping me help you. The point I am artfully trying to make is, the institutionally related fundraisers are seemingly in a worse position than someone off the street.

MR. ZELLER: But I think you could also look at -- as Bill was speaking to, we all as part of health care operations are engaged in making appointments and securing services for individuals. In the course of that process, they are privy to in some cases very detailed PHI. We do not and cannot use that by law, but we also as an organization do not use that in any kind of direct fundraising way.

It would strike me -- and I don't know the legal interpretation to this, but it would strike me that if the AHA walked in off the street and saw the same type of exposure, saw that you were being treated in a cardiology unit, that information was incidental and could not be used in a direct fundraising way.

AHA would not have access to that information as a health care provider normally. So I don't know how they could use that. That is what I think Bill was saying. It would be unscrupulous to use it. I would argue that it probably would almost be against the law. Maybe not.

MR. REYNOLDS: I want to focus on this level playing field that you have seemed to mention. So a hospital is identified in the reg as being able to do things that you wish you could do. If you had a unit in one of your hospitals -- let's take Johns Hopkins. If you had a unit that specialized in cancer and you changed the organizational structure of that to a specialty hospital, would you be allowed to do the same things that the specialty hospitals do?

DR. MC GINLY: I'm not an attorney, but I can play one. I don't know the answer to that. I suspect if they reconstituted themselves legally as a separate entity, separate and apart from Hopkins, they could do that. But look what they would lose.

MR. REYNOLDS: No, I'm trying to make a point. In other words, you would have somebody that is offering exactly the same services, though they may be structured differently when we go through the finances and we go through everything else, you would be offering the same service to the same people, don't change any doctors, don't change any nurses, don't change any beds, don't make it different, that they could in fact approach each of those patients.

Now, is there a set of specialty hospitals that identifies what those specialty hospitals are, those other categories? You don't need to list them off, but if there are categories, I think it is an interesting consideration.

DR. MC GINLY: They are harder to find because there have been so many mergers and multi-systems, and many of them that were freestanding couldn't afford to stay freestanding. So they merged into systems, multi-hospital programs, and once they have done that, they are part of a larger system. Then they no longer have that stature.

DR. HOUSTON: I don't necessarily agree. I think some hospitals will be branded as -- I worked for a large health care system in Pittsburgh, and we kept three of our hospitals branded specifically to a specialty area.

DR. MC GINLY: Are they within an organizational structure even within a holding company?

DR. HOUSTON: They are a separate 513c, but they are still under the parent corporation, which is a 501c3.

DR. MC GINLY: Then I think you would have to review that. The response I am getting from the attorneys is, at the very least, to be on the safe side, make sure you get written authorization.

DR. HOUSTON: I guess where I am continuing to go with this is, if you had a category of specialties that the law allowed --

DR. MC GINLY: If they were specialty, I really struggle personally to understand the difference.

DR. HOUSTON: If I have privacy and I walk in this door, and if I have cancer and I walk in that door, if that is a specialty that is identified as one of the ones that was a category, I guess if you looked at a level playing field of a regulation, cancer is cancer is cancer. I'm just trying as a committee to understand what kind of consideration we need to give. The level playing field just doesn't seem to come into play here.

DR. MC GINLY: That is one of our key points with groups that are facing that kind of situation. Again, I would ask you, why did you find it necessary to exclude this point of service information from being used in fundraising? It operated for 40 plus years prior to this under the ethical guidelines of our organization in how we treated information.

DR. HOUSTON: But I believe in one of the preambles it does specifically describe why. The rationale, I believe, was that by including that department of service information, that you are in essence disclosing PHI, and that if somebody got a mailing at home from the Johns Hopkins Cancer Institute or whatever, that somebody receiving that letter might say, did they have cancer.

We took testimony this morning, talking about fundraising, where there was a discussion talking about the fact that right now, it is permitted for pharmacies to send brochures to patients' homes describing alternative therapy and different medication, giving an alternative.

DR. ROTHSTEIN: Part of the rationale is not so much because of the contact of the individual. It is just a sharing of the information with third parties who have no role in their treatment. That would not include only your in-hospital people, but your business associates. Therefore, you could hire some outside fundraising company to assist you, and now to disclose that I am being seen for such-and-such, would be to disclose that condition to another set of people that on balance the privacy rule thought that if those disclosures should be made, it should be pursuant to an authorization.

So my question was, what is the rationale. I believe that is the rationale. Part of it is as John described, but also reining in the control.

DR. MC GINLY: But the fact that I get a mailing from the oncology department at Johns Hopkins doesn't mean that I was a patient there. I may have an interest in that, because I have a relative who was -- there are all sorts of things. I don't see that as disclosing information.

DR. ROTHSTEIN: But it is not the mailing. If that is disclosed to ABC solicitation company, --

DR. MC GINLY: If I hire a direct mail firm to do that, they are subject to the same rules we are. That is another thing.

MR. REYNOLDS: But again, I go back to the specialty hospital. Could the specialty hospital hire that outside service to do any different? I am going to the level playing field of the situation that the patient is in, and then what can whoever finds it out do.

DR. MC GINLY: I think you also need to interject, in 35 or 40 years, what kinds of issues have we had with patients, donors and others about this kind of fundraising. For all that period of time, if people said to us or said to our members, we don't want to receive fundraising materials, they are gone from the list. They have always been gone. We don't want to waste our efforts on people that aren't interested, and added costs, just from that perspective. But we have a bigger responsibility in protecting that information. That is the integrity of the fundraising through the health provider.

Again, the question that comes back to the committee is, is this overkill. From our perspective, it certainly is.

DR. HOUSTON: I'm going to ask a question I think I know the answer to. Are there any OCR FAQs on fundraising? I think I already know the answer, but I am going to ask it anyway.

DR. ROTHSTEIN: I don't believe so. I looked at the website before I came on fundraising and marketing, just to prepare for the hearings, and I couldn't find it. That doesn't mean that there aren't any.

DR. HOUSTON: I hadn't found any. I know that as of a couple of months ago there weren't any.

DR. MC GINLY: You are talking about any complaints?

DR. HOUSTON: Well, complaints is another point that you brought up. What I am trying to establish is, obviously there is an impact on fundraising with the privacy rule, but still, there is nothing from an OCR perspective that gives any guidance or clarity as to these types of issues. Maybe it is what it is, and the issue is not clarity and FAQs, but rather some type of substantive change that allows these foundations and other organizations to do their business or to regain the lost fundraising dollars.

MR. ZELLER: I would argue, Mr. Houston, that it also comes to the individual interpretation of the organization, which I referenced in my remarks. The diversity of the interpretations is so broad. I think Bill has probably seen that in reference to his discussion and comment as well.

I would like to come back to the component of patients and their support by disease area. There is a very powerful motivation for individuals who are philanthropically inclined to want to become engaged in the support for either the patients or the programs specific to their disease, or what their family may be facing. Our history has shown, at least at Hopkins and I think at other institutions, that people are very passionate about that. What we have found is that this process as it currently exists interrupts that at a very inopportune time by asking the people before they have had contact with the institution to agree to a perception of what fundraising might be, as opposed to how it is actually conducted.

DR. MC GINLY: I think what you are assuming was, when our member visits somebody in the hospital, they are making a solicitation. That never happens.

DR. ROTHSTEIN: I understand. I just wanted that to be clarified. I didn't assume that was happening. I work with development people every day of the week, and you never would ask somebody the first time you met them, even if you met them in their office.

DR. MC GINLY: That is the point John is making, as far as the point at which you are asking for this authorization, and the fact that we have never had this issue before. This has made it much more complicated. We are losing service, we are losing dollars. We are investing more money and expense, and really, it has been a non-issue with patients and grateful patients in the community for the most part.

We have seen people ask questions, or we have seen people charge into an office and say, how did you get my name, what is this all about, and we explain that to them. If we want to take them off, fine. But more frequently, we turn them into much more avid volunteers and donors.

DR. ROTHSTEIN: Let me just remind everybody that the committee is already on record with a recommendation in this area. Much of the discussion this afternoon has involved things that would require a change to the rule, an amendment.

Is there anything that the department could do to make your lives easier than could be accomplished without amending the rule? In other words, is there guidance, education and interpretation or something of that sort that could be done more easily and with less controversy, and more quickly of course, than amending the rule?

DR. MC GINLY: I gave you some examples early on in interpretation for age and insurance. It is all over the board. Despite our best efforts, there are people out there who are interpreting it one way. There are people that are making decisions that are based in politics. There are people making decisions based on compliance, strict and not strict. There are people making decisions based on advisors that haven't even read the regulations, unfortunately.

DR. ROTHSTEIN: So you are saying that more guidance and clarity would help in interpreting?

DR. MC GINLY: In anything, yes, absolutely. But it is not going to be -- that goes across the board in the fundraising part of this. However, the one thing that is really detrimental, and I know you are on record with this, but you are also able to amend that or follow through and suggest a rule change. That should be in our humble opinion the elimination of that written authorization.

What are you going to go back to? You are going to go back to what was working, anyway.

DR. ROTHSTEIN: Further questions?

MR. FANNING: I have a question. Dr. McGinly, you make reference to donors and volunteers. Explain what you mean by volunteers, people who actually give individual services?

DR. MC GINLY: Sure. We have a whole host of volunteers, auxiliaries, people that are manning information desks, people that are helping the chaplaincy throughout the hospital. Those are volunteers that may not necessarily be financial donors.

Now, once you have somebody who is volunteering and contributing time, and we have got high school students, we have got the elderly that are in there, all ages doing this, it is phenomenal. But some of them are both volunteering time and financial resources, some are just volunteering time.

MR. FANNING: But do you solicit -- in the same way that you solicit for money, do you solicit for volunteers?

DR. MC GINLY: Sure, we will try and get them involved and have them support financially and things that are dear to them. We are not trying to get everybody in the world. If we can get 30 percent, --

MR. FANNING: Thank you.

DR. ROTHSTEIN: Dr. Harding.

DR. HARDING: Let me see if I have a couple of things straight here. One is that costs of fundraising have gone up in the last 15 months due to new hires and systemic changes that have to be done. So the cost has gone up. Would you say that is significant? Or is that two percent, or is that 50 percent? Is that a considerable amount that we are talking about, or is that just a little?

MR. ZELLER: I can give you the exact numbers. Our budget went up by $400,000 just in the short term. That has not taken into consideration the systems time for development that needs to be put in play, does not take into account the cost of preparing three-part authorizations, does not take into account the technology necessary to manage thousands of authorizations and index them.

PARTICIPANT: Or the redirection of some staff resources.

MR. ZELLER: Or the redirection of existing resources. At a time where health care budgets are extremely constrained, those dollars are being taken as redirects to avoid jeopardizing the revenue stream that we have.

DR. HARDING: So a significant increase, you would say. You also said that there was a decrease in small donor contributions in the last year? You are saying patient contributions. I refer to that as a small donor as compared to a foundation or something.

MR. ZELLER: Actually, Dr. Harding, some of our largest contributions come from individuals. So the diminution of the percentage of individuals supporting Hopkins from 70 to 56 percent can translate quickly into multiple millions of dollars.

DR. HARDING: And once again, 15 months out -- and there hasn't been a trend line developed, your feeling is that the authorization and the less than 50 percent signing up and so forth is very likely to be contributing to that.

MR. ZELLER: That is our intuitive response to it, if you will. As you look at it, there could be a confluence of a number of factors that are happening, but when you look at those two together, it begins to give us pause as to whether or not we are headed for a problem.

I might say that there is a shadow effect that occurs here, and I think Bill would support this. Philanthropy, as I mentioned, is built on relationships. It comes over a period of time. So much of what we are seeing can be pre-existing relationships that exist between a patient, a physician, the institution development office. To keep that stream if you will alive, you constantly have to replenish it with new relationships. If that part of the process is being interrupted, then what we see now may be a very temporary sustaining philanthropic support that could be in great jeopardy going forward.

PARTICIPANT: It will likely take us two to three years at a minimum to see the impact of this.

DR. MC GINLY: They need to learn about us, and that takes time, as to what we do in finding out what their interests are. This comes at a terrible time. In 2002, for instance, when we surveyed our members, 47 percent said they were at the same level of giving or less than the prior year, just before we ended the year; 27 percent of those were way, way down. Fifty-three percent said they were up, not significantly. In the fundraising parlance, almost all of those were in some stage of a capital campaign, which is an added special effort. That was what was sustaining them more than their daily operations and continuing to build those relationships. So it was very difficult that year, for a lot of reasons.

MR. ZELLER: I would also add that there is a cumulative effect here that needs to be taken into account. We have been able to with fairly high confidence track back what the investment of a philanthropic dollar does. It translates into what happens at the institution. Over the course of time, that return is almost ten to one. So for every dollar invested philanthropically, we are able to leverage that ten times over, particularly in our research enterprise, where as I mentioned, patients want to support new novel investigations in research that isn't currently funded.

I can give you very, very notable examples. Probably the best would be Bert Vogelstein, most cited scientist in the world for the last 20 years. His program -- and he fundamentally changed the understanding of cancer -- his program was only made possible because a private gift gave him the money to start something that the NIH wouldn't even consider. Radical prostatectomies began as private philanthropy that was then leveraged into NIH.

Bert Vogelstein's lab has produced some of the world's leaders in cancer research. He is very handsomely funded by NIH, as is his lab. But the fundamental basis would not have begun if it were not for individuals who came in and provided those critical dollars.

So I think it is not only the bottom line impact that philanthropy has to a P&L statement of an organization, which is significant at a place like Hopkins, where in our overall budget we are talking about a margin of $40, $42 million on a nearly four billion dollar operation, and philanthropy makes that difference. When you back out all of the clinical revenue and NIH revenue and begin to narrow that gap down to a relatively defined revenue stream, philanthropy represents a huge piece of funds that can be leveraged, unlike any of the others.

So it is a significant impact not only from the P&L and how much money is raised this year, but it is how it is used and how it is leveraged going forward.

DR. HARDING: Just to finish, Bill, you also said that there were very few complaints at this point that have come into the OCR. At least, we don't know of any at the present time.

DR. MC GINLY: I can't quantify that because they wouldn't give me exact numbers. But as of December, there were about 2400 complaints that had come in. They did tell me that one-third of them had been resolved without anything, but they did not tell me the exact number of fundraising -- but to my knowledge, there hasn't been anything about fundraising. In my 20 years in this spot that I am in, I bet you I haven't run into more than half a dozen. Some of them have been critical as far as a patient being upset, but they have been resolved and turned around.

The last thing I wanted to say is, I remember the discussion years ago about the issue of point of service within a general hospital of a specific -ology, urology and so forth. But I don't remember any discussion about specialty hospitals at that time, that they should have a separate or a different --

DR. ROTHSTEIN: My recollection is that there is no mention of specialty hospitals. It is just by default. So when M.D. Anderson wants to solicit you, you would know who they are.

DR. MC GINLY: Life is life. When the bank statement comes to our house, if my wife opens it, she knows all the checks I have written and I'm not supposed to write. That is the chance you take. But I don't see where that is disclosing anything that has got to be a big problem.

DR. ROTHSTEIN: John, would you like to follow up on that line?

DR. HOUSTON: Sure, a couple of points, I guess. We obviously can check with OCR and see if we can find out if there is any additional information related to fundraising. But a couple of thoughts. You need to ask the question, are there things you can do in the context of the current rule. I'm going to throw two of them on the table, just to get a sense of whether they are feasible.

One is in the context of saying, if you do have some type of organizationally separate subsidiary or freestanding facility, maybe we could get guidance that would be acceptable because of the fact that there really isn't any specific separate risk of privacy.

The other one I would ask is, what about guidance regarding employed physicians who make fundraising appeals in their capacity as a physician to their own patients? Does that help?

DR. MC GINLY: Let me give you a sense of some of the things that are going on around the country with that. We wrote a letter, got some clarification, like a physician employed by the entity can certainly give a name, just like a nurse, the janitor, anyone else can give a name. The physician who is on staff has to have -- it is in the letter, I forget the exact words, the organizational relationship agreement. We have had attorneys that have said, that is implied, and therefore all physicians can get that, and that is the one I would like to go with.

Go ahead.

DR. HOUSTON: I am more thinking of the physician that is able to provide the actual letter appeal to his patients.

DR. MC GINLY: One of the approaches to that is, they are doing that, and maybe the development office is doing all of the back office work for that, can they do that. Well, if they are acting as a volunteer, you could, under the direction. But how do you get that kind of interpretation?

DR. ROTHSTEIN: Besides that, let me add that there are some ethical problems with that, because patients would feel a sense of coercion if the doctor who is saving their life and treating them on an ongoing basis now solicits them to make a contribution to his or her institution.

DR. MC GINLY: You could say the same thing about the institution that saved their life.

DR. ROTHSTEIN: They are not bound by the same codes of ethics that physicians are. My recommendation would be that that is probably a direction that I would not like to see --

DR. MC GINLY: But, Mark, in fact, physicians do do that. The AMA has a statement about ethics and fundraising, and they are exercising in that statement -- they have just reviewed it, the draft has come out, I don't think they have finalized it.

Yes, there has to be due diligence and care, and some physicians will use that as a reason they don't want to get involved, because -- for whatever reason. But again, it is acknowledged by the AMA.

DR. ROTHSTEIN: But many physicians are very uncomfortable in that role. What I am saying to John is that I would not like to institutionalize the role of physician as gateway to patient information for fundraising purposes.

DR. HOUSTON: I understand that that is your own personal perspective. It sounds like there is some -- I appreciate that. I am just thinking, is that a possible strategy that should at least be considered in the context of the subcommittee, and is there a value to it from --

DR. MC GINLY: There are champions out there that are physicians in the fundraising environment. Of course, they are very careful with what they are putting out. They are not always raising funds or something that is their research; they are doing it on behalf of the institution.

DR. ROTHSTEIN: I understand that. Having served on the board of directors of a major disease organization that had many leading physicians on the board of directors, we debated for hours about the proper role of physicians in raising money for what we all thought was a terrific cause. Many told us stories about patients who sought another physician because they were wealthy patients who were asked by their doctor if they would consider giving money to such-and-such foundation, and the patients had a fit. The docs became very gun-shy then, and I understand that.

There is a role for that. But my view is, I don't think we should be latching on to that as a way of solving some other problem.

MR. ZELLER: Let me make a comment, Mr. Houston, relative to that. I would echo the Chairman's comments. We actually looked at and did some pilots using physicians for seeking of authorization, not asking a patient for money. It was very awkward. Physicians were very uncomfortable having to have that conversation, coupled with patient care.

Physicians -- there are many who are very accomplished fundraisers, but by training are not fundraisers. Under our scenario, they still would not be allowed to disclose that patient's name to the development office to provide the support necessary to do it even if they wanted.

DR. HOUSTON: Your model as I understand it would be, the physician sends the letter which says, if you would like to contribute or be contacted, please provide this authorization, send it to whatever the foundation is or the fundraising office, and they will contact you back. I think that is what your model is.

MR. ZELLER: No, our model is at the point of registration.

DR. HOUSTON: No, what you tested, though.

MR. ZELLER: They were tested in both personal presentation as well as at the registration model. We did not send letters.

DR. HOUSTON: Oh, you did not?

MR. ZELLER: No. The interpretation was that we couldn't.

DR. ROTHSTEIN: Other staff questions? Thank you. It was a very engaging presentation. It is always good to go back to issues that need further refinement. We appreciate your presentations.

We will take a brief recess for 15 minutes, and begin the panel on PHI and the media at 2:45.

(Brief recess.)

Agenda Item: Media Access to PHI - Panel 3

DR. ROTHSTEIN: Good afternoon, everyone. We are going to get started now. In the interest of moving on with these hearings, we are going to begin our third panel on media access to PHI a few minutes early. Because we have six individuals testifying on this panel, I thought if we began early, we would be able to give more time to present your testimony, and also give the subcommittee members more time to ask you questions.

Alerting those of you on the Internet to a proposed schedule for this afternoon, as of now, there are no individuals who have signed up for the public comment period, so we will conclude with the media access panel. The time listed for subcommittee discussion, 5:00 to 5:30, will simply be moved to tomorrow because we have subcommittee discussion essentially all morning. Therefore, we don't need to meet at five this afternoon. So we will conclude at 4:30 or sometime around there, whenever the subcommittee members and/or the panel members have exhausted the issue and/or themselves.

So I want to welcome all of you to address an issue that is very important, very interesting, one that we frankly have not spent any prior time on in terms of our hearings, unlike some of the other issues we talked about today. We are anxious to hear your views on this.

So I would like to begin by asking Sara Howley to speak.

MS. HOWLEY: Good afternoon. My name is Sara Howley. I am the Director of Public Communications for the North Broward Hospital District. We are located in Fort Lauderdale, Florida, and we cover the northern two-thirds of Broward County. We are a tax assisted public hospital system. We have approximately 35 facilities that range from our four medical centers, Children's Hospital, and about 30 other facilities that are primary care, school-based clinics, and also some family health centers in that area.

We are the third largest employer in the county. That means we have 7500 employees, and we have 1600 physicians on staff.

DR. ROTHSTEIN: Excuse me. I don't mean to interrupt. Our hearings are not only going on the Internet, but we also have some people who are on conference call listening in to us. I would ask the people on the conference call to try to be as quiet as possible, maybe hit a mute key if you have got it, because all of the telephone movement and shuffling around is being heard here at the hearing. Thank you. I'm sorry.

MS. HOWLEY: That's all right. Anyway, we provide care for everyone regardless of their ability to pay within the northern section of Broward County. I wanted to also point out that we have two of the three trauma centers in that county. We are going to speak about a lot of high profile media situations here, where we would have patients that would come to us. I think that is an important point.

At the North Broward Hospital District, patient privacy has always been our top priority. That has been for years, ever since we came into existence. So we really take it very seriously, but we also had a very large task ahead of us to make sure that we were compliant as of the April 14 deadline, but we started way before that. We actually started in October of 2000, where we hired someone onto our staff to help us evaluate exactly what we needed to do. By October 2001, we had a complete department that handles all of our HIPAA compliance throughout our whole hospital district and with all of our medical centers.

One exception. We have been very patient focused on privacy. One exception prior to HIPAA being put in place was with public record patients, where we had a little bit more leeway in the timeliness and the information we were able to provide to the media at that point. That has obviously since changed somewhat, and we have included that in all of our policies.

Within our department of corporate communications, we started very early on looking at our policies for releasing patient information. We also had to revise our policy along with redoing our consent forms for information. We had always had a consent form; we now needed to make sure that it was done appropriately and according to the standards. We also had it done in four different languages to accommodate our patient population.

From that point on, we decided that once we had our policy in place and our consent form finished and complete, we needed to then educate our internal media relations staff, approximately 15 people, and another 25 people who are not direct media relations employees, but they have direct contact with the media, such as security personnel and some of our nursing supervisors who handle weekend and media calls in the evenings.

We did that training, and we also took the time to evaluate media staging areas. As you can imagine, especially with the trauma centers, we do have a lot of high profile situations that come, and media outside of our doors was considered a public access area. Now we have to readjust our parameters to make sure that patient privacy for other people who are coming in and out of the facility was handled.

We went ahead and got that taken care of, handled all of our internal issues, and then decided that we really needed to go and work directly with those agencies that we worked with on an everyday basis, including the media, and including law enforcement and fire and rescue personnel.

Our first step was to go to the fire and rescue personnel and talk to them about what the new standards were going to be, how it was going to be different in our response to the media. We spoke at big meetings for department of law enforcement, also the Florida public information officers group, we went and talked to them and explained what was going to be happening and how we would be changing the way in which we would be responding to the media in the upcoming year.

Once we completed that, we realized that now we needed to bring together everyone. So we went ahead and pulled together all South Florida hospitals. All media outlets in South Florida were invited to attend, all law enforcement to a media summit that took place on April 2 of 2002. We had representatives from the American Hospital Association and from the Florida Hospital Association attend to tell everyone in the room what was going to be taking place and how the changes would affect them and our relationship, and what we could do really to work together. Our focus always, always, is patient confidentiality and privacy first, but we also understand that the media has their job to do, and we were always able to work with them, and we wanted to continue that relationship and figure out the best ways to work together.

That actually was an excellent summit and an excellent time for us to gauge everyone's feeling. We followed up with lots of newsletters and lots of answering of questions from the summit that we were able to send out by blast e-mails and newsletters to the agencies and newsrooms so that they could make sure to have it accessible. We wanted to be accessible to them so that it wasn't a huge change. We didn't really look at it as -- there wasn't a whole lot to change, but we did realize we would probably see some repercussions after the fact that we were going to want to take note of and follow up with.

So the next thing that happened was that everything went into effect. We actually started ours much earlier, just to get our media personnel up and running and feeling comfortable with it. We have seen some consequences since the HIPAA implementation. Some of them we expected, others we were just learning about and feeling our way through in our dealings with the media.

I would say that one of our top concerns we received -- and these are mostly coming from our dealings with patients -- is, we do have a lot of trauma that shows up to our facility. Some of them are high profile and some of them involve high profile people from the community as well. We had a recent incident. I did get a consent to be able to explain this, but we did have a recent incident where there was a small plane crash that involved three people, a pilot, his son and the son's girlfriend.

It just so happened that the pilot was killed in the crash and so was the female, the girlfriend of the son. The son was transported to one of our trauma centers, and the mother and wife of the pilot in this unfortunate situation arrived at the hospital. She is a very prominent member of our community and very well respected, and actually is a corporate communications director for a large company there.

When I met with her, there was a television on in the waiting area, she had it on, and she said, one thing I don't seem to understand is, you don't give out information, but how can fire, rescue and law enforcement be allowed to talk about the injuries to my husband and what took place at the scene as far as my son's health. I sat with her and I explained the HIPAA requirements and how we are bound by them, but law enforcement and fire-rescue aren't bound by the same situations. She was very bothered by this. She mentioned it a few times during her visit to me. I explained to her that we would be the go-between for her and the media, if that is what she wished. That is what she wanted. We worked with her, sent out statements and releases. She felt much more comfortable, but she still was very concerned about the fact that they were not going to come to us, but they were able to go to the fire-rescue. They could have come to us if they wanted to sign a consent, but she felt this was a very private moment in her life and a very tragic moment, and she wasn't ready to share the health information about her son.

So that is one example. We have seen that a few times, where families don't quite understand why fire-rescue and police and law enforcement can discuss information at the scene, but once in the hospital they have the protected information.

The next consequence we have seen -- and we expected this a little bit -- we realized that the reporters need to do their job and we are there to help them do their job, but priority is confidentiality for the patients. So reporters will do what they have to to get the information or get to the patient or the family to get their story in first or get their job done.

We have had reporters who have snuck into our hospital, or who have called patient rooms directly, where they are waiting outside for family members or patients to be discharged. We have had to for patient privacy reasons find other ways to escort our patients out of everything from different doorways because they didn't want to have to deal with the media at that time in their life.

We also have seen where reporters are contacting -- we have had lots of families call, they are at my house, or they are calling a place of business, and we don't want to deal with this at this time. We do explain to them that we are there to help them, and if they would like to sign the consent form, that we are able to get information per their recommendation to the media, and in some instances do press conferences or help them manage the situation. But we realize that the media's job is their job, and that is important, too. So it is just an unusual situation.

The third consequence I would say that we have seen recently is John Doe and Jane Doe patients. We have instances where we have had patients brought to us who are unable to -- that have no identification on them, they don't have any family with them, and they are unable to communicate to us. We need to find help for these people, a next of kin to make decisions on their behalf.

In a very last resort prior to HIPAA, very, very last resort, we would contact the media and have them come in. Prior to that, we would have law enforcement come in and do their prints and we would do some other checks to see if we could find out who these people are and get their next of kin there without going through the media.

We used to as a last resort then ask the media to come in and take a photo of the patient and take some information, and very instantly we would find their loved one. That made our process much easier. We were able to get the answers we needed from their loved ones. Now we are unable to provide a photo, and in the last year we have had a few of these situations where, instead of the newspaper and television, we would have to get a description, which is much harder for people to realize, this is a family member. So we have to get a description together and ask the media to then run it. It does add some extra time onto what we would consider critical care time. Nurses and doctors come to us to help them with that as a last resort, and now we are just not able to get them the information they need as timely.

Other than that, I know that we have had a few other situations, but all in all, I think we have always been so conscious of patient confidentiality. I believe that most hospitals, the majority of them have been that same way. So we are able to work in many of the parameters, but I do have some recommendations on behalf of what I have experienced, and my colleagues.

The largest recommendation I can offer is more education. I am completely, 100 percent impressed with how the health care profession and hospitals, medical centers, everyone has been educated on HIPAA, and exactly what it stands for. It is very impressive. Anyone you meet, you can mention it, and if they are in the health care field, they know exactly what it is.

Where we do see a problem is with the general public and with law enforcement, and also with media. The general public we find it very difficult to explain to them these rights that they have and what HIPAA is all about, especially in a time of crisis. When we are seeing people, they are coming in the door in a time of crisis. So they don't want to see the extra paperwork all the time. It is hard for them to understand what it is all about. I think it would be most beneficial for us to be able to educate people prior to them coming to the hospital, so they understand, and a user friendly format would be very beneficial.

Also, I know that law enforcement and fire-rescue do not fall under HHS, but I do believe that they should be educated and encouraged to be held a little bit more accountable for patient information in the field. I have seen personally what has happened with some of our patients. As a media relations representative, you become more than just a media relations representative in those times; you become a contact for these families in a hospital.

Other than that, I would just recommend for media to be able to work better with them, to use them to get the education out there. Also, we realize it is their job, and obviously we are doing what we have to for our patients first and foremost.

DR. ROTHSTEIN: Thank you very much. Ms. Stewart.

MS. STEWART: Good afternoon. I am Emily Stewart, the policy analyst with the Health Policy Project. The Health Policy Project is dedicated to raising awareness about the importance of ensuring health privacy in order to create better access to quality health care on both an individual and a community level.

In addition to educating both the public about their rights and providers about their responsibilities, the privacy project conducts analysis on a broad range of issues, including the HIPAA privacy rule, state privacy laws, genetics and workplace privacy, e-health initiatives and bioterrorism and public health surveillance initiatives. In addition, we also coordinate the Consumer Coalition for Health Privacy, which is a coalition consisting of over 100 major organizations representing both patients and providers alike.

The mission of the Health Policy Project is in general to build greater trust and confidence in the health care system, so that patients feel more comfortable fully participating in their health care and in research as well without feeling that they are at risk for unwarranted disclosures of their personal health information.

We believe as most here do that it is wrong for patients to have to choose between health care quality and privacy. Unfortunately, when patients do have to choose, they often have to forego quality health care in order to secure their privacy.

According to a 1999 California health care survey, one out of every six Americans withdraws from participation in their own health care for fear that the medical information will be used without their knowledge or permission. This could include patients either being dishonest with their physicians, doctor hopping, which is moving from one doctor to another in order that there is not a medical record trail, paying out of pocket or in the most extreme cases, avoiding care altogether.

When Americans feel that disclosing their health information is going to result in stigma and discrimination, they often choose not to disclose whether it is to family, friends, coworkers. In April 2001, a Harris survey showed that four out of ten people with multiple sclerosis had lied or failed to disclose their diagnosis to colleagues, coworkers, friends, and even family members out of fear of job loss and stigma.

This is obviously why we believe the HIPAA privacy rule is so important. For decades, the public clamored for a federal safeguard to protect the privacy of their personal health information, and the HIPAA privacy rule was a significant step in rebuilding that public trust in the health care system.

Based on a principle of informed consent, the HIPAA privacy rule acknowledges that in order for patients to have meaningful control over health care decisions, they have to have meaningful control over their personal health information. The most basic tenet of the HIPAA privacy rule is that personal health information should be kept and shared where it belongs, in the health care arena.

Which leads us to the issue of the media. By and large, health information can be highly sensitive. There is no reason why it can't be subject to public scrutiny. In the past, disclosures in the media have not always been for altruistic purposes. For instance, in 1992, New York Congressman Nidia Valesquez' confidential medical records were disclosed on the eve of her primary. The information included information of a bout with depression and a suicide attempt. After overcoming the fallout and winning the election, she did testify very eloquently about her experiences.

That same year, the now late tennis star Arthur Ashe was forced to publicly reveal that he was HIV positive, in 1992, after a health care worker tipped off USA Today. The editors of USA Today showed up to his home with a reporter and photographer to confirm the story. Coerced into publicly revealing this sensitive information, Ashe called a press conference to announce he had contracted HIV through a blood transfusion. The next year, he died, but before that, he did publicly say how distraught he was over having felt forced to disclose this information. He and his family found out that he was HIV positive, I believe in 1988, and one of their top priorities was keeping this a family matter, a private family matter.

These stories serve to highlight a line that the privacy rule intentionally draws -- patient medical records are not public records, although hospital directory information is available for people who know the person's name, as long as the person did not choose to opt out of the directory.

In the past, the media's access to any information they had access to was by custom, not by law. Prior to the privacy rule, the media may have become used to lenient practices at certain hospitals that treated patient records as public records, but the privacy rule clearly now prevents this.

The privacy rule regulates information both in the health care industry and in the core health care system, whether it is having an opt-out for the directory or the next of kin, or the minimum necessary disclosures, minimum necessary applying to non-treatment relationships, and then disclosures outside of the health care system are even more strictly regulated, barring disclosures to employers, for instance. The media is not and should not have access to special privileges.

The privacy rule also allows for access outside of the core health care system, whether it is for quality assessment or accreditation or reporting to law enforcement or assisting public health authorities. Representatives of the media are not deputized to be law enforcement or public health officials, and their investigations should certainly not trump the privacy of patients. Although the media does play an important role in informing the public and investigating misdeeds within the health care system, these investigations must proceed within the bounds of personal privacy.

We recognize that this issue does pit civil liberties against one another, the public's right to be informed and a patient's right to personal privacy. A 1989 Supreme Court case serves as an informative backdrop. The reporters' committee sued the government because the FBI refused to give them information on a Charles Medinos' rap sheet. They were arguing that the rap sheet was a matter of public interest, because Medinos' family business had inappropriate relationships with the Congressman who awarded the business contracts, defense contracts. The Supreme Court held that the media did not have a right to access the rap sheets, and that the disclosure constituted an unwarranted invasion of personal privacy. The Court also affirmed that the rights of the press respondents in this case are no different from those that might be asserted by any other third party, such as a neighbor or prospective employer.

While the media would be accessing information for reasons that might be different from a neighbor or an employer it is still important to note that they should not have special access. In this situation too, medical records are more sensitive than rap sheet records. Whereas rap sheets contain information available to the public, it is just that the rap sheet brings the information together. If you knew where the person had been arrested or been before a court in the past, you could collect this information on your own. Medical records contain highly sensitive private information that is not available to the public. Whereas rap sheets are compiled by the government, medical records are compiled by the private sector. And whereas rap sheets contain information about criminal proceedings, medical records contain information that was collected in a very private setting.

The HIPAA privacy rule was designed to keep information within the health care arena. The media's interest in recording medical information, whether in pursuit of a story or to aid in public disclosures in an emergency does not trump peoples' right to medical privacy. We therefore urge the NCVHS to keep the privacy rule concerning media as it stands.

DR. ROTHSTEIN: Thank you very much. Just to remind all of our panel members, we will have questions at the conclusion of all the presentations. Now we will go to Tonda Rush.

MS. RUSH: Thank you very much. I have to confess that while I did prepare a PowerPoint presentation, a gentleman with a crowbar got into our office the night before last, and he now has my laptop, so I have no machine on which to show it. Do we have any independent projection possibilities here? I think you have written copies.

DR. ROTHSTEIN: If you want, we can skip you in the queue and get something set up.

MS. RUSH: That's fine. If you want to take someone else first, it might make it a little bit more organized.

(Discussion off the record regarding presentation arrangements.)

DR. ROTHSTEIN: Ready to go.

MS. RUSH: Thank you. My name is Tonda Rush. I am President of American PressWorks, which is a private consulting -- an association management firm here in Washington. We represent the National Newspaper Association and others, and have done some work with other media organizations on HIPAA related issues.

It probably bears a few moments to explain to you what the National Newspaper Association is, particularly for all of us who are accustomed to life inside the Beltway. These newspapers are small dailies and weeklies that operate around the country, many of them more than 100 years old. There are 2500 members. There may be 6,000 weekly newspapers in this country. It is not something that you would necessarily recognize if you lived your life inside the confines of the Washington Post and the New York Times media world. So when I am talking about the press, often in my mind's eye I am talking about the people that live in Missouri and Utah and New Mexico and Minnesota, and places that may not be as familiar to all of us unless we happen to come from one of those areas.

Clearly, interests of very large cities and their media are involved here. We have two other folks here who I think probably will address some of those maybe more pertinently.

Let me talk about how the news media use health information. I want to say in this context that mostly what I am talking about here is the kind of information that would have, before the HIPAA privacy rule, fallen into the context of directory information and possibly a statement of condition. In some cases, there may be something that would become more detailed and possibly more intimate than that, but I think it has been true for some time that because of the practices of health care institutions, most media organizations have learned to work with public affairs people to talk to patients directly and receive consents in many cases.

So most of what I am talking about here is a very simple statement of name, maybe an injury and maybe a statement of condition.

News media will pick up this kind of information to connect the community through people stories, provide information on public events, at times put health care institutions and the state of health care in this country into the public spotlight, remembering that newspapers are not textbooks, they are organizations that try to tell stories through people, and on occasion to provide vital information about public officials.

Since the privacy rule went into effect, and to the media, HIPAA is the privacy rule in a lot of ways, we recognize there is a lot more to it than that, as you all have examined, but HIPAA has become shorthand for a lot of trouble we have had in the past year.

The peoples' stories are often gagged. The news sources that reporters would have gone to have found themselves confused, sometimes illegitimately, sometimes rightfully so, about what they can say and what they can't say. I receive still to this day periodic reports through our legal hotline of people that say, I spoke with the small hospital, the public affairs woman said our CEO says we are not going to disclose anything because we are not sure what we can disclose. We would rather break the law by not telling than by disclosing something that we are not supposed to say.

Very often, official sources that do have public record responsibilities in the states and they are not covered entities, they don't have patient information, but may have public records, are using HIPAA as an excuse to not reveal things that they otherwise would have said. Or possibly otherwise would not have said, but they just found a new reason not to say it. That is not an uncommon circumstance.

There is a history of the involvement of the media organizations here. I'm not going to go through this in great detail. It is all in your public record. But a fair summary would be to say that we probably were late in coming to the realization that the privacy rule would affect news gathering. The Reporters Committee and the Society of Professional Journalists commented on this very early. Other organizations have been involved in this kind of conversation. As recently as last June, an organization that included NNA, Radio and Television News Directors Association, Newspaper Association of America, which represents large media, and American Society of Newspaper Editors met with the Office of Civil Rights. We discussed some of the problems we were having, and I think for the most part it is fair to say that we simply agreed to disagree. We said what our problems were. Some of them were not really their problem. They involved public records. OCR could not think of any good reason why they should not be involved in the discussion. In some cases, it was a matter of our trying to convince the office that waiting until patient consent could be given as a practical matter would kill the story, because it would never happen within a news cycle, and OCR felt that that wasn't important.

We did get to a point where we very seriously discussed whether the very excellent decision making tool that OCR has in its website should include and could include a statement that the privacy rule does not affect public records laws held by law enforcement officials, for example, so that we would have a place to point to when the county sheriff cites HIPAA as a reason not to release an accident report. We thought at the time that we had an agreement to do that. There has been no followup on it. We had another discussion in March about it and one more letter, and we have not had a response to that at this point.

Most people in our industry have decided that for the most part, HHS is indifferent to the concerns, and if there is a solution it should be found in Congress. There is great fear on many sides, including some Congressional offices that we have visited, that a public disaster similar to 9/11 will be the springboard from which we get into this public discussion again, and that could be a very uncomfortable place for all of us.

The types of problems we have run into, to be more specific, do involve law enforcement agencies. Typically they are not covered entities. Typically they do have public records filing responsibilities. It is not unusual to find that a sheriff's office or a police department will file a public record, and that the information that the media are trying to access would be in it if it were filed on time. But it may not be filed for a day or two, and often by the time it is publicly available, the access is not meaningful any longer because the story has moved on.

We have had a lot of trouble with hybrid agencies, particularly in small towns where there may be first responders, EMS services and fire departments operating under one roof. The regulations do allow them to segregate themselves out and protect patient information, and still observe their public record responsibilities, but many of them have found them way too confusing and too expensive, and have not gotten into it. Therefore, I think what is going on out there, and you may have investigated it more thoroughly than we, is that they are treating themselves as a covered entity for purposes of press accounts, but not for purposes of any other thing that they are doing. That is probably way too broad of a generalization, but I have seen some specifics of that.

To give you some examples, and I'd like to say, I hope this is the beginning of your inquiry and not the end. There certainly are file cabinets and clippings and things that with a little more time we can assemble and give you, and are happy to do that. Sara and I unfortunately had played phone tag for almost a week before I found out that you wanted me here today, so this is about what I have had time to put together for you.

We did have a case in Denver that did reach the public record, federal court case, where a hospital had some accreditation problems, tried to stop reporting on that story, citing HIPAA. The newspaper prevailed so far in that case, but there was quite a legal skirmish, and fortunately it happened to a newspaper that had deep enough pockets to have counsel to address that.

The kinds of hotline calls that I get as an attorney for our media groups have involved a hospital worker wanting to talk about patient abuse and afraid to do it, talking to the newspaper, and the newspaper being afraid to write the story now for fear of inviting a firestorm of subpoenas against the newspaper to find out which hospital worker had actually been the source.

I have heard of several cases like this personally. I'm sure there are many more out there. You may have seen the story in the Washington Post a couple of weeks ago about one case of viral meningitis. There was one paragraph in there that said, there may be many more cases, but the public health department is not required to report it, and the hospitals aren't able to tell us.

We have had several stories of indigent patients brought in to the emergency room, shuffled from place to place, no one knows where they are or how to find them. They don't have a name to seek a patient directory listing. I just yesterday had a hospital staffer say, I would rather break the law by saying nothing.

Had an interesting case come out of Louisiana not too long ago where there was an amnesiac, just the kind of thing you would expect to see on the soap operas, where the person bops his head and you get five or ten weeks of, the person doesn't know who he is, you have seen all of those. This really happened. He didn't know who he was, and neither did anyone else. As it happened, that case unfolded and developed before the privacy rule went into effect, so the man was identified.

I was curious to see how you would ever ask about him by name, since he didn't know his name. It would have created some interesting conundrums.

I did have a personal experience just along these lines not long ago with a friend whose brother had gone into the hospital for cancer surgery. The family was not in touch with him. It was an emergency surgery. He was rushed to the hospital. The family couldn't reach him, could not get through to anyone in the hospital. As it happened, he was in Bangkok and the family was in Florida, and we had an 80-year-old mother who was almost hysterical. We were very fortunate to find an American working in Bangkok with enough Thai to call and speak to the head nurse and find out who he was and that he was all right, and tell the family that he was okay. If they had been in the United States, we could not have done that. So HIPAA has had some real-world impact.

I think probably it is hard to get the Washington community to really understand how these work, but these do happen in small towns. We still have a lot of newspapers that have been in the practice of running the nursing home admissions, and people would send them the flowers and the cards. Birth announcements that used to be around are discontinued. In those cases, consent forms would solve the problem, but no one has got the time to do them. The hospitals aren't staffed to collect them, and the newspapers aren't staffed to get them, either. We have had some complaints from churches saying we used to get the paper on Saturday to get our prayer list. We don't do that anymore. People go to the hospital and cannot be found, because no one is able to reach someone who can tell them what the patient directory says at that point, and possibly hasn't been updated.

I'm sure many of people have talked to you about the list on the hospital doors for 9/11. I am going to pass out in a few moments a reference to a workplace shooting that happened in a small town near Kansas City recently, where the family members were basically herded into a community center, and the police told them almost nothing for three hours. Five of their family members had been shot by an irate worker. There was near hysteria. We had a reporter with them, and the police department later said, you know what? Talking to those people was not our priority. We were trying to find out where the shooter was and what happened, which is as it should be. That was the source however that under the present law the media and the families would have to rely upon, and that source in that case was unable to do anything to try to assuage the community concerns. They couldn't have called the hospitals, they wouldn't have talked to the ambulance workers, which quite frankly were newspaper sources before the privacy rule. So there was a lot of anxiety, and probably needlessly so. A little public affairs management might have solved it. But in this case, HIPAA was one of the complications.

You may have heard stories of family and press trying to identify and find the people injured in the Chicago collapse, the Providence Nightclub fire. I was interested in the derailment from Amtrak that happened outside Jacksonville. It was just about a week before the privacy rule went into effect. Obviously the institutions involved had begun compliance.

Here is how the story went. I don't know if any of you remember this, but the train was the car train, I forget what that is called, that comes up from Florida to Washington, and it derailed, and there were a lot of injuries. The Post ran three stories on it. The first day's story said there were a lot of injuries, that the injured had not been identified because of privacy rules. The second day's story said that there were a lot of injuries and a lot of people were in the hospital, but their identities had not been disclosed. By the third day, when you might expect that all of the public filings would be on record, the Post story had moved on to whether the track was bent.

Now, you may say to yourself, so what, it was no one I lost. The world didn't come to an end because I didn't get to find out whether my second cousin was in that train accident. But the fact is that the names of the people who were in that accident never appeared in the press. Had there been someone on there that you might have known that you stumbled across, you certainly wouldn't find it out from the news media in this kind of circumstance.

Why didn't the newspaper wait until it was all finished and get all the disclosures and talk to the patients and get their consent to put their names in there? Because in the real world, newsprint is dear and time is short, and the story moves on to something else. That space is occupied by another story.

The press will continue. The stories will continue to happen. I think it is the readers in this case that wind up not getting the information.

There have been a number of solutions to this problem proposed. I don't know, to be quite honest with you, that any of them operate in a perfect world, and I'm not sure a perfect solution is available. A number of them have been involved with trying to find a little bit better synergy between the privacy rule and the public records laws.

It is quite true that before the privacy rule went into effect, a lot of the information that would have appeared in the public print didn't happen as a result of a public record law. It was part of custom. It would have been the practice of a hospital, for example, to tell the name of someone who was in a highway accident the night before. That doesn't happen any longer. It might have been in the practice of the ambulance service to give that person's name. That would not happen anymore. Those wouldn't be public records disclosures, but they are the kinds of things that would have led to names being attached to those stories if the stories had run.

In today's world, the stories often are not being run, because if there is no name, there is no story. In the cases where there is a very large story, if there is enough time and the story continues long enough for all of the parties to get all their ducks in a row and the hospitals to feel comfortable and the public records to be filed, then you may get the kind of story that you had two years ago.

Unfortunately in the nature of media, media don't usually tell the story that they don't tell. So if reporting is not happening and if information is not reaching the public, it is difficult, other than by running around and interviewing the reporters or getting their legal questions as I do, to find out what is missing that you would have had before. I think as time goes on, we will probably become unconscious of the loss, quite frankly. What I think will be lost in the process is all the benefits, both direct and intangible, that come from having a spotlight on public events, on accidents, on public institutions, upon disasters, anything that you might have had some benefit from public disclosures.

It is quite true, as my colleague of a few moments ago said, that these aren't always altruistic. The press are not nonprofit organizations, or at least not intentionally so, although I own a piece of one that seems to be headed that way. They are in the business to do stories. I think it is left to the public arena, the public officials, to try to look at whether the kinds of information that they are unable to access and the stories that they are unable to tell or the ones that they are not able to tell, make us richer or poorer as a society.

I appreciate the opportunity to talk to you. I am going to quickly pass this little clipping around. I have about 20 copies of this, Sara, and I am happy to send you some more if you need them. It is a commentary from an editor about how HIPAA played into the hysteria in this workplace shooting last week. I thought it might give you a bird's-eye view.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. I'm sure we will have some questions for you later. Now we will go to Ms. Cochran.

MS. COCHRAN: Thank you very much for giving me the opportunity to testify today. I was so pleased to receive the invitation, because as Tonda just said, after our last meeting here, we were a little discouraged about whether the issues that we are seeing were going to get any attention. So we are very glad to be able to talk to you about them today.

My name is Barbara Cochran. I am the President of the Radio and Television News Directors Association. We represent 3,000 journalists working in television and radio and new media in about 30 countries. But most of our members are here in the United States, and so are affected by this law, and most of them work as executives in local television and radio stations.

For myself, I also have been a journalist for about 30 years here in Washington, beginning with the Washington Star, working at National Public Radio, NBC's Meet the Press, and I was the bureau chief for CBS News here in Washington.

We have participated in the efforts before the regulations became official to make some accommodation for the needs of the news media in these regulations. So I won't review all of that history with you, but I do want to make a couple of points about the importance of this kind of information to the news media, but even more importantly, to the public. Particularly in times of emergency, disaster and other events of high public interest, we believe that a certain amount of identifiable health information reaches the public through the press, and we believe that the HIPAA privacy policy has had the unintended consequence of placing the blanket of secrecy over health care information.

The public's interest in health care information should not be underestimated. There is a public interest in knowing whether victims of crime or disasters are being treated in the hospital and what their general status is. There is a public interest in knowing the health of our public officials and its relationship to how those officials carry out their duties in public. There is a public interest in uncovering corruption or mismanagement at the facilities where individuals receive medical care for themselves and their families, and there is a public interest in learning about a wide range of health care issues that affect the community, and about being able to make informed decisions regarding those issues, including where individuals will seek health care.

Tonda spoke about the importance of health information after major events of public importance. Certainly after the terrorist attacks of September 11, journalists used hospital lists and other records to chronicle the devastation and to do compelling vignettes about the victims. Directory information also enabled the public and journalists to keep track of victims who were felled during the Oklahoma City bombing, the school shootings at Columbine and in Jonesboro, and during the anthrax attacks. That information helped the public to fully understand the effect and extent of such tragedies.

But since the HIPAA rules became effective in April of 2003, those rules have stood in the way of stories that regard matters of public importance that used to be reported every day by electronic journalists across the country. No one wants to run afoul of HIPAA. People are afraid of giving out information that will expose them to litigation, penalties or fines. Because of HIPAA, many traditional news sources can or will no longer discuss patients with the press. Journalists are having a hard time finding out names of disaster and accident victims and investigative reporting or malpractice or patient abuse is difficult or hazardous to chronicle.

HIPAA has made it more difficult for journalists and other interested members of the public to obtain health care information on matters of public interest that used to be routinely available. HIPAA has handcuffed reporters in their ability to perform due diligence on sources. We are not able to say where a certain amount of information has come from, or to confirm that this information is available from a hospital, which used to be the routine way of confirming information.

Because I have been asked to testify on behalf of the broadcast media, I wanted to say what makes our situation of particular interest. First of all, broadcast media is a very important source of news for the public. We conducted our own study in 2003, and we found that local television news is the chief source of information for 49.9 percent of the public. Network news is responsible for 23.2 percent, and local newspapers are the prime source of news for about 13 percent of the public. Our study also showed that television is rated highest as the most trusted medium. The FCC Nielsen survey in 2002 found that almost 60 percent of Americans rely primarily on radio and television for local news and information.

So our members are those who are providing the news of local interest that is the first source that the public thinks to turn to, especially when they are looking for local information. Certainly this is true in breaking news. A fire, an accident, or still worse, a school shooting or something of that nature, the citizens turn to local television and local radio for information on that kind of event, and HIPAA has made that kind of event much more difficult for our members to report on.

One of the things that we have found is that HIPAA has affected not only the covered entities, but also the non-covered entities and what they feel free to report. Many non-covered entities such as police, firemen, even athletic directors and victims' relatives believe that they cannot give out information because of HIPAA. You have probably had the experience yourself of watching a sporting event that is televised, players injured on the field, and the announcer says, we can't give you the information on this athlete who you just saw injured before your very eyes, because of HIPAA regulations. No wonder the public is confused.

We have collected lots of examples. I will run through just a few of them with you. A department of corrections used HIPAA to withhold information about inmates who had died in state prisons, certainly a story of public interest. One of our news directors had a news team removed from a hospital after the patient and the family had expressly invited that news team to come in, and had agreed to a taped interview about the patient's treatment and recovery. The hospital said, even though you are interviewing this patient, we can't tell who the camera might inadvertently pick up, and therefore you have to leave. Routine requests for 911 recordings, which are part of the public records, have been denied, because public officials mistakenly feel that these fall under HIPAA and can't be given out.

Because of all of this confusion, RTNDA has prepared and distributed and posted on its website a set of frequently asked questions and answers on the backgrounds and the fundamentals of the privacy rule, so that reporters can assert their rights to obtain information when it is mistakenly being withheld. We also joined in writing to Mr. Campenelli to ask that the information be posted on the HHS website, that clarifies that HIPAA does not pre-empt state public record laws, and that the state law enforcement agencies that are not covered entities may still provide patient information. So far, we haven't received a response to that request.

We also face problems not just because of misinterpretation and misunderstanding, but because of the application of the rules as they are written and intended. Some of the examples that Tonda mentioned are examples that our members have also encountered. A story about emergency room procedures that would show that particular emergency rooms are not taking appropriate care of poor patients, those kinds of stories are now impossible to document because of HIPAA regulations. We talked about the Amtrak train derailment. We also have had the example of sharks who began attacking swimmers off Virginia Beach, and reporters were stifled in their efforts to report on those attacks and the status of the shark attack victims. When 57 partygoers were injured and 13 people died in a porch collapse, Chicago listeners and viewers learned almost nothing about what happened. When there were reports of SARS cases in the United States, 151 suspected cases in 21 states, U.S. and state health officials held back the identities, conditions and locations, and refused to disclose how the cases might be connected. Certainly the public had a deep interest in understanding more about the degree to which SARS was affecting American citizens.

You have heard just now about the meningitis case in Fairfax County, and Tonda detailed exactly how that was a matter of public interest, but where the public was shortchanged in the information that they received.

Even a feel-good story was stifled because of HIPAA. There is a young girl in Milwaukee who had been a victim of leukemia. Her story had been widely told in the pre-HIPAA days, and she had thankfully recovered from leukemia. In gratitude for the treatment she had received from the local children's hospital, she went every year to distribute Christmas presents to the young patients who were at the children's hospital. This year -- and that was a story that was also frequently told on local radio and television -- this year when she tried to go back at Christmastime, the hospital said, we are sorry, we can't allow the media to come in to chronicle this story of one little girl who recovered and who was offering hope to other patients in this hospital. So a story that was uplifting and that provided something for people to feel good about at the holiday season was untold because of HIPAA.

Finally, the thing that we have discovered is that HIPAA penalizes whistle blowers. Again, Tonda talked about that. But the kinds of stories, so that the public can understand the quality of health care that they are giving, so that they can go to health care providers who are providing quality care, so they can avoid health care providers who are not providing that care, where the quality of health care can be exposed at the local level, at the national level, those kinds of stories are simply not coming to us anymore because people who might have been willing to blow a whistle before are not willing to take that risk.

We have also talked about the public disaster. I agree with Tonda, I think the thing that will disclose the problems with these rules will be another disaster. We hope it is not another homeland security disaster. But I would suggest that at a time when the federal government is so intent on insuring the security of the homeland, so intent on protecting the public, that the HIPAA rules, which were adopted and being worked on and were never changed after 9/11 occurred, that those rules are in contravention to the goals that the federal administration is trying to achieve now in making sure that there is quality information after a homeland security disaster occurs.

What happens? What do people do if there should be another disaster? They tune in to radio and television to find out what they should do and how they should protect themselves. They tune in to find out information about their loved ones. If this information cannot be disseminated because of HIPAA, what will happen is that something that began as a crisis can quickly develop into a disaster because the public is being denied important information that would previously have been available through the news media.

One local example again. In Syracuse, a public school bus was carrying about 40 pupils on a trip. The bus had an accident. Almost all the students were injured in some way and were taken to a variety of hospitals around the area. The hospitals couldn't release the information about what kids they were treating. The parents turned to the news media for information and were unable to get it because it wasn't available. So these parents were in a position of going from emergency room to emergency room, all around the Syracuse area, trying to find their children and be with their children. This is surely not what was intended when HIPAA was drawn up.

We have offered nine specific proposals that we would ask the committee to consider and the Department of Health and Human Services to consider in trying to remedy what we are experiencing now under HIPAA. Just to very briefly state those for the record, number one is that we ask that the rules be revised to allow a covered entity to disclose basic information about an individual's medical information to the press and the public, so as not to interfere inappropriately with news reports on matters of public interest.

Most patients who come in to hospitals will never be affected by this. We are talking about the few instances where this information is of public interest because it involved an accident or a disaster or a criminal incident that is of public interest.

The definition of a covered entity should clearly exclude public agencies, including fire, public, police and law enforcement departments and youth homicides of 9/11 emergency services. The definition of health care should clearly exclude emergency services provided by emergency and law enforcement agencies. State laws should be pre-empted, and that should be clearly stated. The regulations should be revised so as not to limit protections for whistle blowers. They should insure protection for whistle blowers to report their concerns to journalists or others charged with investigating the quality of health care. The regulations should state that they do not apply to health information of individuals who have died. The rule should not afford the ability to restrict public access to directory information. The regulations should not apply to entities including public health authorities and law enforcement agencies that receive disclosures of health information from covered entities. The regulations should clearly state that the civil and criminal penalties do not apply to the news media, where even information disseminated by news media is received from a third party who may have violated HIPAA.

I will conclude with that, and wait for your questions. Again, thank you for the opportunity to raise all these concerns with all of you.

DR. ROTHSTEIN: Thank you very much. I'm sure we will have several questions for you. We will now go to Ms. Daugherty.

MS. DAUGHERTY: Thank you very much, and thank you for inviting me to talk to you this afternoon. I am Rebecca Daugherty, and I am the FOI service center director at the Reporters Committee for Freedom of the Press. We are a small organization that runs a hotline for reporters who encounter legal difficulties in gathering and covering the news. Probably nine-tenths of the questions that we get from reporters have to do with the inability to access information from government or from other entities such as hospitals.

Today in my written testimony which you have, I have highlighted our concerns over two things: the effects of these rules on would-be whistle blowers, and the need to dispel the widespread fear in other bureaucracies that these rules apply to them, and that they would be subject to penalties for giving information to reporters.

The effect on whistle blowers is certainly pernicious, but we have no idea how to document what that effect has been, other than to point out the kinds of stories that we have gotten from whistle blowers in the past. We do not know what whistle blowers faced with fines and possible criminal penalties of $25,000 to $250,000, how those people are going to be affected when they have a story that they feel needs to be disclosed through the press.

A classic example is the 1960 story of Miss Evers' Boys, a four-decade long experiment on black men who had syphilis and who were not treated with the standard of care that people knew at the time. They were not given penicillin, they were just allowed to deteriorate as there was a study of deterioration of people who had syphilis. This was a study that was approved by the American Medical Association, it was a study that was approved by the Centers for Disease Control, and it was only when a doctor who was treating one of these patients for something else mentioned to an AP reporter what was going on that the public had a chance of finding out what was going on. When AP published that story, it took a week for that experiment to be over.

That is something that that doctor might or might not tell a reporter about today, because these penalties go right to that health care professional who gave that information to the press, and caused a much-needed change.

A more recent example occurred in a fertility clinic at the University of California-Irvine, which was selling embryos. This is a horrible thing to happen. The people who worked in the clinic notified the press, worked with the reporters who covered the story, which was an award-winning story. The reporters themselves went through some psychological training in how to approach the parents of these embryos to tell them what had happened as they were covering this issue. Of course, as soon as the story was reported, that situation stopped.

These are the kinds of things that we don't hear about now. We don't hear people saying that HIPAA has caused these problems, because we don't know what we are hearing about, what we are not hearing about. We don't know what effect we are having on whistle blowers.

The other thing that we want to mention in our testimony today is the real need -- and Tonda and Barbara talked about this at some length -- to dispel the widespread fear among bureaucracies that they might also be covered by these penalties, so they can't talk to the press, either. Certainly we would prefer to get medical news from medical professionals than to get it from policemen and firemen, but if we can't get it from medical professionals, at least we could find out something about what they observed and be able to provide that information to the public, which in many cases really needs to have that information.

In our comments which we made among the 52,000 or so that were made in 2000, we articulated a number of concerns that we had about what these rules were going to cause for reporters. I think those concerns hold today. This is going to eliminate any undercover reporter by reporters who are not willing to also pay fines. Reporters who posed as nursing home assistants, for instance, are not going to do that, because they will undoubtedly be subject to these penalties as well.

There are some stories that can only be reported by undercover reporting, as heinous as some of us find that kind of reporting. In our comments that we made in 2000, we talked about a story of an abortion clinic in Chicago that was doing abortions on women who were not pregnant. To get inside and see those medical records was the only way that the reporter who did that story could get the story. She needed to know who the patients were by name, even though she published no names, in order to do the story and also to protect herself from libel claims. So we can imagine that these rules will affect that kind of reporting.

They make no provision for disclosure of the health of the officials. They make no provision protecting information about candidates. We have heard some discussion here about the New York Congresswoman who suffered from depression and had that revealed, and was nonetheless voted into office. I think that fact says something to us as well. I think it says that the public is able to digest information and address it in a sympathetic way. No one has a monopoly on how to be sensitive to these concerns. Yet it is a concern when your public official suffers from depression and tries to commit suicide. It is unfortunate, and I am certain that there was pain caused by the revelations, but traditionally in tort law, these are public figures, and they are, to be quite crass about it, fair game for reporting, and that is a good thing, because it tells the public things that the public needs to know.

While we are on the public figures area, I think it is also important to remember the circumstances of reporting Arthur Ashe's AIDS disease. This was something that was done very carefully and with a lot of discussion in the newsroom. This is a much-loved public figure whose life had been exemplary. The press did not punish the Ashe family for any kind of wrongdoing that it saw; it simply reported that this is a man who has AIDS, and it reported it at a time when people saw some kind of a social stigma to having AIDS. If you had AIDS, it meant that you were sexually promiscuous, that you had somehow -- that you used needles and shared them with other people. There was a tremendous stigma at that time to the public's understanding of what AIDS was.

I think if the public is going to fund research, health research, it needs to know something about how far these kinds of diseases go, and if they can touch an exemplary figure like Arthur Ashe, then that is important, too. So the press has taken a lot of hard knocks for that story, but I think it is one that needed to be told.

These rules don't allow any publication of information about health care of people who we trust our lives to. It says nothing about the health care of pilots. Are we supposed to be able to find out that pilots have alcohol problems? Are we supposed to be able to find out that bus drivers have drug problems? These are points that the public has a lot of interest in, and the public cannot get this kind of information from whistle blowers, if whistle blowers are going to be facing these huge penalties.

There is no provision for disclosing information on persons who benefit from prosecutorial decisions made on the basis of their bad health. The example that we gave in our 2000 comments was the decision of the British government not to prosecute Pinochet because they said he was not able to withstand prosecution, and then would reveal no details that satisfied a public that was hungry to know whether or not they were giving a buy to Pinochet in this or not. So there are lots of interests here.

We heard some testimony -- and I'll close quickly, because I think Barbara and Tonda and I have had many of the same concerns -- we have heard some testimony that police and firemen don't get it right. So there is a reason not to have them give out information, and a hint that maybe if they think they are subject to these rules, that is just as well. That is not the case, in my thinking. I think that it is very important for HHS to make clear to those entities who are not covered by these rules that they are not covered by them, that the penalties will not apply. We need that in order to be able to report the news that you need to have from us.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. Our next witness is Debra Goldschmidt. Are you online?

MS. GOLDSCHMIDT: I am.

DR. ROTHSTEIN: I am going to ask you if you could hold your testimony for just a minute. I want to go slightly out of order, because Sara Howley has a plane to catch. So I want to ask the members of the subcommittee if they have any specific questions for Ms. Howley before we get your testimony. Then we will have questions for the entire panel. So are there particular questions for Sara Howley?

DR. HOUSTON: Especially in light of what I heard from Barbara Cochran and Rebecca Daugherty and Tonda Rush, you had said you had a media summit. Clearly there is a lot of interesting discussion here about what the media's rights are. Did any of this come up, and what type of solutions maybe were discussed at that summit regarding the issues that they described?

MS. HOWLEY: The media summit that we had was prior to the implementation of the HIPAA rule on April 14, 2002. What we did was, it seemed to me that we introduced a lot of new information at that point to the media that they were not otherwise educated was going to happen. Also, we were able to clarify some issues to them.

We have however -- about two months ago, we had a media meeting to discuss some issues with just a few of our local affiliates and newspaper publications, and HIPAA was very much -- and patient privacy was very much an issue that they wanted to discuss and had concerns about. A lot of it had to do with the consistency of how hospitals were responding.

I think that actually, we are planning on doing another one. We are going to invite everyone to it, kind of a followup a year later, to really get some good information and find out what we can do to work better.

I go back to the fact that I think we do need some more education. A benefit to us in this field would be some real-life scenarios, some more direction. Some of what we are told to do is use our best judgment. I can tell you that as our first priority on patient privacy, use the best judgment might be to err on the side of caution because of what the implications might be. Nurses, doctors, a lot of people I work with would feel that way. There are a lot of areas where use the best judgment, if we had a little bit more direction on that, we might be able to work a little easier and much better in certain situations. We see 210,000 emergency room visits in our system a year, and a very small portion of those are ones that we would have to -- or inpatients, 60,000 a year -- are ones that we would have to deal with the media. At each one of those situations is a different scenario. As we are entering and getting over this first year, we are realizing education on real-life scenarios, but also education to the media and the general public, also to some of the advisors to the hospital might be helpful as well, people who are advising the hospital need to be consistent as well, as the media says some hospitals do this and others err on the side of caution and won't say anything.

DR. ROTHSTEIN: Thank you. Dr. Harding.

DR. HARDING: Does your hospital system have a different HIPAA standard for VIPs, athletes, politicians or victims of terror, compared to the others?

MS. HOWLEY: No, it is all handled under one policy. I do have copies of the policy, but it is all handled under the one policy which is very -- patient information is HIPAA compliant. So there is no difference. If someone were to enter our hospital or we knew that they were there, we definitely would contact them, but everything goes back to them signing off on consent before we would release additional information, other than a one-word condition, unless they opted out.

DR. HARDING: So if the governor came in with chest pain, you would not say anything. There would be no release of information.

MS. HOWLEY: We would ask the governor if he would like to opt out of having information released, and we would work directly with his press people as well.

MR. FANNING: One factual question. I take it that your district does not itself run ambulances?

MS. HOWLEY: No.

DR. ROTHSTEIN: Other questions?

DR. HOUSTON: I have one more, Mark, just briefly. You indicated that the media has used other means to access patients. Have you found any cases where the media has actually impeded patient care by the way they have gone about trying to access patients?

MS. HOWLEY: Not that I am aware of. It is more of a -- obviously with even the domestic security standards that we have in place at the hospital, you have to show an ID to enter. We have had a few situations where they have shown an ID, but not their press pass, just their common ID, to say that they are going to visit a specific patient. The patient is looked up in the system. They had not opted out of the directory, but they also -- we require us to escort the media and ask the patient first when they have shown up in a unit. Usually, I have to say our nurses and our staff are very, very aware, and just ask that they leave, or we go ahead and ask the family if they would like to talk with the media. But we have those rules and regulations in place as well.

DR. ROTHSTEIN: Other questions? Thank you very much, and if you have to leave before we are done, I understand.

MS. HOWLEY: Thank you.

DR. ROTHSTEIN: Ms. Goldschmidt, thank you for being patient, and we will be happy to have your testimony now.

MS. GOLDSCHMIDT: Thank you, Mr. Chairman and members of the subcommittee. My name is Debra Goldschmidt, and as a graduate student of the Columbia University Graduate School of Journalism, I spent the 2003-2004 academic year researching and tracking the impact of the HIPAA privacy rule. I looked at many different areas, including police investigations, fundraising research, media access and more.

As a working journalist with more than eight years of experience, most of it specializing in health and medical news, I experienced first hand the tide change that came with the April 2003 compliance deadline, while working as a medical producer at CNN.

Today I have been asked to provide an overview of the impact the privacy rule is having on medical archives. This is an area many people do not realize is being affected. Archivists and librarians are struggling with the law and feel their issues were overlooked when it was created.

This first came to my attention when I read a story written by Julie Bell in the November 13, 2003 edition of the Baltimore Sun. The headline on the article read, privacy of dead perplexes living, new rules meant to guard health reports could block some historical research. This prompted my own research on the issue.

The August C. Long Health Sciences Library at Columbia University is home to an extensive collection of archives which document the history of medicine. Included is the collection of Dr. Jerome Webster, who founded the Department of Plastic Surgery at Columbia Presbyterian Medical Center. His collection contains patient files and photographs of his work. This is the kind of information historians and researchers rely on to write books and conduct historical research.

Stephen Novak, who is the head archivist of this library, believes that access to this collection and much of the contents of health science libraries is in jeopardy because of HIPAA. The problem is that many of the records contain protected health information. Archivists have always been sensitive to people reviewing records that contain patient information. In fact, anyone wanting to has to sign an agreement that they will not use any names or personally identifying information. But this is not enough anymore.

There are two professional organizations representing archivists and librarians who work with medical archives, the Society of American Archivists and the Archivists and Librarians in the Health Sciences. They sent a joint letter to Secretary Thompson in October, expressing their concerns over the impact of the privacy regulations. The groups expressed their frustration about ambiguities in the law that have caused confusion over access to records. There is even a question as to whether or not these libraries are covered entities.

At Columbia, for example, the library is part of the medical school, and the hospital, therefore. So hospital attorneys say the library is a covered entity and must comply with the law. However, at Harvard, the Francis Countway Library of Medicine is part of the university and not part of the hospital, so they consider themselves exempt.

Differing institutions are interpreting the rule as they see is appropriate. The result is confusion. As is the case for many other issues talked about today and in previous hearings, some institutions are suffering from overzealous application and interpretation of the law, because they are simply playing it safe. According to the letter the archivists sent to Secretary Thompson, certain aspects of the privacy rule will lead to simply denying access to any records that might contain protected health information. One specific question, is this law retroactively applied and if so, how far back does it go? Another is, if a letter written by a doctor contains a patient name, does that count as protected health information? And can consent be assumed for the use of photographs previously published, even if the original consent form is missing? The letter asks the Secretary for clarification in hopes of ending the confusion.

According to Nancy Parkin-Belmont, who is the director of the Society of American Archivists, they have not gotten a response. In the meantime, at the Columbia University Health Sciences Library, requests for records containing protected health information are now reviewed on a case by case basis by a hospital's privacy board. Mr. Novak said he had one request recently, but when the person heard about the new process he has to go through, he said, forget it. The concern is that this is the response others will have, too, and the rule could discourage historians from using the valuable archives.

The law does have an exception for research, but Mr. Novak is skeptical about the amount of leeway it provides, given the decision last fall by the Department of Health and Human Services. Two biographer/historians requested the records of two deceased individuals from the National Library of Medicine under this exception, and they were told that historical research did not meet the criteria for research as defined by the privacy regulations.

Mr. Novak said if that is the case, he and his colleagues may as well lock the door and shut the lights off, because they can't show their collections to anyone. He also fears that valuable records that are not already part of archives may be destroyed, because the small practices or town halls that have them may feel the prudent step is to get rid of them. Archivists say this will be a real loss to future historians.

The archivists and historians are a small group compared to police, hospitals and other much larger groups, but their concerns are real. Archivists worry about having to de-identify records that would leave historians with incomplete research, as well as having to seal records of deceased patients who are identified in journals, letters, papers and photos. They feel HIPAA is standing in the way of history.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. That is an issue that is very interesting, and many of us have not given adequate thought to. Before this hearing, there was some discussion about whether we need a separate panel, separate hearings on the issue of medical archives, and we certainly can take that up in our committee discussion period, as to whether we should do that.

But we are ready now for questions from the subcommittee members, and we will start on my right this time, Harry or Richard.

MR. REYNOLDS: Very interesting testimony. This is a tough one. I was just drawing myself a chart here, trying to categorize this and think it through. If you listen to the testimony we heard, when you talk about information, we heard all the way from none to all. Then when you talk about the status of the person, we talked about an unemployed story versus a public figure. The issues you talk about, an entity says we have a problem and they disclose it, versus a whistle blower. You take normal currents versus a disaster, and you take identity and location, where the family is known and the person is known, you get them together, versus a John Doe. So that is a lot. That is great information, but that is what privacy has created.

You have all made recommendations, but it is really difficult to sit and deal with the individual person's privacy and what we just want to be able to say right up front about. So mine is not so much a question. I have heard a lot of testimony, but it is what we face over here. You see the rule and you deal with it, but adjusting it is a very fine screwdriver that can push it one way or the other pretty easily. So you can shed any -- a lot of information, so if you don't have anything to add, fine, but any insight on how to adjust -- this is a tough one. That screwdriver is a little bit like a lot of things. You turn it a little too far and you throw these continuums and this whole thing sideways.

MS. RUSH: Let me try a conceptual approach to this, if you don't mind, recognizing that we are definitely looking at this from the point of view of a public viewer and not as the custodian of a record. Obviously if you are a physician or you are an attorney, as several of us are, and you have got to pay attention to specific professional obligations, you have got a different view of things.

One of the things that we are seeing going on that Mr. Reynolds has identified, and I think quite succinctly, is that we have very gradually in the area of computerization and the concern about privacy been shifting away from an open society to a need to know society. Once you go down that slippery slope, you find yourselves in exactly the position that I think this panel may have found itself in.

It reminds me very much of the debates that I hear some of the environmental groups talk about with respect to the Amazonian jungle. If we are going to destroy it and we are going to put houses there, and move cultures and take away all the plants, are we going to be able to go through one by one and identify which plants we want to keep, and justify why we want them? And of course, the folks that understand the value are wanting to say to us, you don't know the value. You don't have any way to predict what use this plant may make. It is too soon. You are going to be destroying something that you will never see there again, and you don't even know what you would have used it for, because it will cease to exist.

I think very often, for those of us who are in the world of trying to understand public information and private information, we are in that kind of a situation. It feels to me -- and I have practiced in this area for almost 25 years now -- that we have very gradually and almost imperceptibly made a shift into this need to know situation, precisely because fears about access to greater amounts of information in the computer age has caused us to think differently about information.

The case that was cited in testimony a few moments ago, about the rap sheets and the Supreme Court case, was absolutely a computerization case. Every record that was being sought in that case would have been available on paper, if you wanted to trot around to 5,000 different courthouses and look them up. It was the existence of the compilation in the computer file that changed the way the public information looked to the Court.

HIPAA, I believe, was the medical record analog to that. I went through -- many years after the Kennedy-Kassebaum Congressional debate, I went through to read what I could of the Congressional debate there. There really isn't very much there to enlighten what Congress really meant to come out of the privacy aspects of this. It was a very belated thought, after the fact, pitched it to the agency and said, it is too hard, Congress can't agree, and you guys figure it out without very much guidance, which the agency did. I think to its credit, it took the best it could understand and took some basic principles that the agency believed in about the right of a patient to control records, and installed a standard that Congress had never really debated.

Now you have got it. Now I think the agency is hovering around the idea that the patient should have as absolute control over those records as possible. Then you carve out from that those who need to know. That is exactly where I think you are right now.

Who needs to know this? The medical researchers need to know it, and clearly the law enforcement people need to know it, and people investigating child abuse need to know it.

You start to make that list, and I will tell you where it is going to end up. We have seen this from a number of privacy statutes. You will wind up with such a Swiss cheese of people who really do need to know, that the consequences are, now there are a whole bunch of people that need to know, that you can't possibly control, and the media are going to go to them as third or fourth hand sources of information, and whatever information does reach the public record will be even more distorted and even more confused, because it came down through a chain of need to know people out there, who get increasingly further away from whatever the essential purpose was.

I don't know how you go back from need to know. It is not even right to know, because most of this information was never required on public record. You might go back at least to the point where it has been required on public record, and try to look at the state public records laws, and go back at least to that point and say, what have we done here? What have we done here to try to make what about have been just a free-flowing information society, that mind you, had tort law to protect information that was truly intimate.

What have we done here to try to defeat the purposes that were meant by the public records laws by at least those agencies that had responsibilities to the taxpayers through the services that they are performing? If I were tackling this problem, I think I probably would begin there. I'm not sure I would end at that point, but that is probably the easiest of the problems to try to attack.

DR. ROTHSTEIN: I want to respond to that before I recognize Dr. Harding for his question. I would respectfully disagree with your framework, because I don't believe that the change in the way we view medical records and privacy really started with HIPAA. I think it is a 50-year trend in American health care that we see in research ethics, that we see in patient care. It is conferring greater autonomy on individuals to decide who should have access to their information and what sort of medical care they consent to, what sort of research they consent to, et cetera.

So there may be problems with HIPAA in where the balance is drawn in one respect or another, and we will try to work with you on that. But I don't think that HIPAA and the philosophy underlying HIPAA just showed up in the year 1996 or 2003 or any other time. I think if you go back to the Nuremberg trials, it starts in 1947, really. We are now placing a greater public primacy on the individual and the individual's right to control medical information.

So with that aside, I will now recognize Dr. Harding.

DR. HARDING: I'd like to ask Ms. Stewart and Ms. Daugherty, you both brought up the issue of Arthur Ashe. When you were both talking, I was thinking about the issue of the greater good, the individual versus society. You are saying that the thrust to destigmatize AIDS and so forth in 1992 or whenever that was, '88, trumped the individual's desire and right to have privacy about a medical condition that was stigmatizing, and that someone made that determination in the press that it was the greater good to release the information against the individual good of the person who obviously didn't want that to happen, and probably hastened his death, I would think, in that process, with the pain and anguish that the person went through.

That is a tough call, the greater good. How do you both look at that? Do you see it that same way, or when is it all right to release information against a person's wishes, individual's wishes, for the greater good? I guess that is why you do it, for the greater good of society. Isn't it?

MS. STEWART: First of all, I want to point out that in the Arthur Ashe case, there were actually a number of reporters who knew of his HIV status for years and chose, in order to respect his wishes, not to disclose that in the media. The reason why he was forced to is because the editors at USA Today did decide to go ahead and show up at his house.

I would say, in terms of Nydia Velazquez' situation, those records were from when she was 19 years old. I just wanted to point that out as well. Those situations occurred at least 20 years before that election. I would say that in this situation, it was most important for us to look at what is the greater good. We are looking at the HIPAA privacy rule. It is designed to improve public health.

I would say in the Arthur Ashe situation, outside of his individual right to be able to protect his own personal health information, to be able to protect his privacy, I think it is important to look at -- in terms of greater good, what kind of impact does that have on a public with such a stigmatizing disease which was on the verge of a greater epidemic in the United States? What kind of impact does that have on the public, when you read that somebody's HIV status was just disclosed, because they found out about it?

There have been cases, for instance, with the Planned Parenthood case in Iowa, where law enforcement had found a dead child, a dead baby, that had just been born in Iowa, and they tried to subpoena the medical records of every woman who tested positive for pregnancy in one Iowa clinic. That Iowa clinic, in that month, had a 70 percent drop in the women who came to their clinic, because women were afraid to go to the Planned Parenthood clinic. Especially with HIV-AIDS, you have a real need to convince people that their privacy is going to be protected in order to get them to come get testing. I think if you go to any AIDS clinic or you talk to any case worker in an HIV-AIDS clinic, they will tell you that is one of the most important things, because people are so afraid of that being disclosed.

So I guess in that case, I would say Arthur Ashe's individual right to medical privacy was compatible with the public good.

MS. DAUGHERTY: I would disagree. I think that it was important for people to know that Arthur Ashe, a person with Arthur Ashe's stature and character had this kind of disease. I think it educated the public about HIV in a way that countless lectures by countless physicians would not have educated them.

Do I think that everyone who has HIV should be outed? No, I don't. I think that this is the kind of decision that whistle blowers make. This is the kind of decision that editors make. There have been other cases where people who suffered from HIV were outed, and with good reason. There was I believe a very, very promiscuous young man in New York a few years ago who was actually indicted for trying to infect others with HIV. This is the kind of thing that is also newsworthy. It is very difficult to come up with these bright-line rules that say, if it is HIV, it is secret.

MS. COCHRAN: I think we are getting into a little bit of a red herring here. The Arthur Ashe story is a story that really is not the norm of what we are talking about. We are talking about being able to report who the victim was in the car accident on the bypass in a timely fashion on that night's news. I think you could make a couple of cases, one, that the Arthur Ashe story might be just as likely to come out now as it was then, depending on whether the person who had that information, how that information was obtained, whether it came from a health care provider or not. I think you could make a case that the Arthur Ashe story actually had the effect of -- as Ms. Stewart says, if it kept people from going and seeking treatment, you could maybe say that it had the opposite effect. We are not social scientists and we don't have the information, and we can't find that out right now.

Look what happened a few years later in the case of Magic Johnson. Someone who openly took control of the situation and announced his disease, and went on to become a great spokesperson for treatment and a cure, and to this day serves as an example of how that disease can be dealt with.

So I think it is very hard to take one isolated extreme example and try to make a policy based on that. I would urge us to focus on the day to day, bread and butter news coverage that before HIPAA was commonplace and the community was not outraged about, and was of great use to people living in their community, and that didn't really have very much to do with electronic recordkeeping, but that now, this kind of information has become much more difficult to access and is off limits.

DR. ROTHSTEIN: Mr. Houston.

DR. HOUSTON: I am troubled, I hate to say it. I parrot what Harry had said a little earlier. Being involved with research a good bit at my organization and the great pains that we take to protect the rights of human subjects in research and medical privacy, and the fact that a big part of why we have privacy in HIPAA is to allow patients to be confident that their medical information is going to be kept confidential, so to encourage them to seek treatment, it scares me that we bend at all with regards to the release of patient information.

I think that we have to look at the public good. The public good in my mind, as Emily indicated, the balance is far on the side of ensuring that people feel comfortable seeking medical treatment. I think that a lot of what was described here as need could be accomplished through authorizations. Obviously there are cases where you have a disaster, and maybe there are narrow exceptions, and maybe there needs to be better coordination with public authorities to get information to public authorities so they can release it, but I'm afraid that we are going way to the other extreme.

Again, the best example I can think of as a barometer is the great pains that we go through when we are dealing with research data and research subjects, and ensuring that their privacy protections are guaranteed. To look here and say here are great examples of why we think we need to have this information made available, and leaving the discretion in the hands of the press, personally I'm not convinced. I'm sorry, but this is all very much concerning to me.

MS. COCHRAN: May I?

DR. ROTHSTEIN: Yes, please.

MS. COCHRAN: But before HIPAA existed, you didn't have problems. You didn't have reporters crawling all over and trying to get your confidential patient information.

DR. HOUSTON: I'm not sure that is the case. I think there are examples of that. I think Rebecca even described the needs of the media to get at information, and that does concern me. I'm just voicing a concern. I think what Rebecca described in her testimony concerns me.

MS. COCHRAN: Do you think it was improper to disclose the syphilis study at Tuskegee?

DR. HOUSTON: I'm not sure what the best way to handle a lot of these things are. I believe in a lot of cases you can damage peoples' lives. Arthur Ashe may be a great example where, had it been another public figure, and had the circumstances been different, that would have really been an invasion. Maybe in other cases it would have been more appropriate for somebody to work with the public authorities in the case of Tuskegee and try to get that information out in a different avenue.

But again, I am very concerned about what this means to people and their willingness to go and seek health care.

MS. RUSH: Let me try to draw some bright lines here. I think that one of the things that -- it is difficult for people who are schooled as licensed professionals, and I don't know if there is anyone on the panel who is not either a physician or an attorney, but all of us who owe allegiance to the court or to the medical society -- journalists are usually real people or something akin to it. I have been both in my life, so I tend to look at it through two different lenses.

When you are accustomed to working within a world that is codified and licensed, and you get specific duties and responsibilities, and someone is holding you to those by your license, it is very difficult to put those things aside and look at them the way journalists look at them. It is very natural for an attorney to say, if you have got a problem with the way an institution works, you should go to the official channels and tell them. There are channels to do that, that are bound to protect the privacy. A journalist will tell you, you know what? That doesn't always work. Sometimes the people in the official channels are the problem.

I have many times thought back to a case -- I'm almost afraid to say it, because it reveals my age here, but there was a New York Times reporter that spent a number of days in jail not too awfully long ago. His name was Myron, and Rebecca is going to have to remind me of his last name, I have forgotten it now. He had a source inside a nursing home who was presumably a low-level worker. I don't think it was a nurse and I don't think it was a physician, who knew that a doctor was injecting elderly with a muscle relaxant. Their complaint had been made through the nursing home channels, and had been made through the medical society, and nothing had been done.

Myron Farber, thank you very much. See, aren't you glad it wasn't three a.m. when I thought of this and I called you all up?

The story was told, and of course, the physician was taken up on licensing procedures right away and eventually charged with homicide. And of course, the attorney subpoenaed the reporter to find out which worker had disclosed. In that case, one has to presume that the story would never have been told, and the patients would have continued to die, if someone there hadn't been courageous enough to go outside the official channels and talked to the reporter.

It is easy for us all to pick those heroic examples. The Tuskegee is another one. Somebody really took a risk there to say, these institutions aren't doing what they are supposed to.

But I think if we try to take the Arthur Ashes and the Tuskegee and the Myron Farber case and try to make our policy around those extremes, we are going to get ourselves into some real difficulty. We are once again going into that need to know.

I don't think that in most cases what we are talking about here is the kind of thing that I think Mr. Rothstein is addressing, about the trend toward giving patients control over their information. Usually that has been in the context that I have studied, in the context of their trust relationships with the professionals who are caring for them, or in a network of people that are supporting the care. Without getting into personal views about whether that is appropriate or not, that clearly has been a trend, and I think a lot of the privacy law has developed around that, and the HIPAA privacy rule sprung from that.

I understand the origins of it. I don't think that is exactly what the press organizations are talking about in this case. I think what the press organizations are talking about is when you draw too widely the net of protecting all the incidental information that might fall within that ambit. You are moving very quickly from privacy into secrecy, in a society where you want the press, whether it is doing it for good motives or ill, you want the press to be paying attention to what is going on there.

We hear all the time, people saying how come the press doesn't cover this, and how come the press doesn't cover that. One of the reasons the press doesn't cover more what people would like it to cover and scrutinizing what goes on in the world is, it is very difficult to do, and privacy rules are sometimes one of them.

So I'm not sure you were taking issue with my trend thing. I was talking more about common law privacy, where an individual might complain about disclosure through the media of something that wasn't revealed by a physician or an attorney or something like that, that something came through an unofficial source. Privacy law I think has struck a reasonable balance.

DR. ROTHSTEIN: I was talking in general terms, to try to put the privacy rule in context. But now I'd like to get to a much more concrete level than we have been talking about, and see if we can work out some recommendations that are satisfactory.

One thing that I think we all need to keep in mind is that the privacy rule only prohibits covered entities from making certain disclosures. It doesn't mandate that a hospital provide you with information if they don't want to. The fact that traditionally they have done so, HIPAA is not going to be the source of that.

So the only thing that we could do by way of recommendation is to clarify that HIPAA can't be used as a shield to protect people who don't want to disclose stuff to the press from asserting that. So in other words, if there is some public official who has information that is deemed by the press to be newsworthy, not necessarily relating to any particular individual, and they want to assert, we can't give you that information about our hospital because HIPAA prohibits that, we can recommend that the Secretary have guidance out there and education programs or whatever to make it clear, so everybody knows that that isn't the case under HIPAA. We can't make recommendations that some local somebody answer all press calls.

There are a few things in the privacy rule that I would like to go over with you to see exactly what it is that you have in mind by your recommendations. The first one deals with the issue of whistle blowers. In terms of the whistle blower provision of the privacy rule, -- I have marked the page and lost the page. Well, until I find it, I'll just go with my best recollection of the whistle blower provision. There is a provision in the privacy rule that says that it is not a violation of the privacy rule for an employee of a covered entity to disclose protected health information about a patient in good faith, if it is part of a report to law enforcement officials, to a lawyer to represent that individual, to a regulatory agency, to an accrediting agency. I think those are the four exceptions or provisions.

Am I correct in assuming that the wording of that provision would be satisfactory to you if we added a fifth category under that, and that is the media? Is that what you have in mind?

MS. DAUGHERTY: Yes. And I don't think that is too far removed from whistle blower statutes that protect whistle blowers in other contexts.

DR. ROTHSTEIN: I just found it, so let me read the provision. Disclosure by whistle blowers. This is in 164.502 and it says, a covered entity is not considered to have violated the requirements of the subpart if a member of its work force or business associate discloses PHI, provided that the work force member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services or conditions provided by the covered entity potentially endangers one or more patients, workers or the public, and the disclosure is to a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity, or to an appropriate health care or accreditation regulation for the purposes of reporting the allegation of failure in the professional standards, or to an attorney retained by or on behalf of the work force member, blah, blah, blah.

So if we added media somewhere along there, that would satisfy your concerns?

MS. DAUGHERTY: That would go a long way to tell whistle blowers that they would not be penalized for going to the media. The Tuskegee case is again the best example of this. In that case, both the AMA and the CDC had approved of these experiments, and I think it says that going to the public is going to invoke a different kind of reaction.

DR. ROTHSTEIN: It is my belief that there are in fact some whistle blower statutes that do mention the media or the press in there, either by statute or by regulation or certainly by case law. But I don't have those handy, and you might. Do you have access to that information?

MS. DAUGHERTY: We can find them and provide that.

DR. ROTHSTEIN: That would be very helpful to us in our work.

MS. RUSH: May I just jump in on this one point? I don't want to disagree with my media colleagues here, but federal laws and regulations that somehow distinguish the press from the public always make me a little uncomfortable. A friend from the hospital organization made the point that the press doesn't have any other right of access, other than what the public does. That has generally been true as a legal principle.

I don't necessarily know that it is necessary to carve out a press exception specifically to solve the kind of problem we are trying to address here. There are some whistle blower statutes in the context of occupational health and safety and fair labor standards that I think do go down that road.

The problem we get into is, what is the press? Is Matthew Drudge a member of the press? Is my nephew, who is doing a high school underground newspaper, a member of the press? Can he be press credentialed? At what point can he be regulated? That gets to be a slippery slope in a hurry.

I would rather -- and I have to say, I haven't ever finished the research project on this that I hope to start one day -- I would rather see the exception carved out to say members of the press or the public that are reasonably designed to lead to, and then fill in the blank, lead to prosecution or enforcement or something that is the desirable end of that.

DR. ROTHSTEIN: For purposes of bringing --

MS. RUSH: Yes, to bring it to light. I think you do want to leave that open door there for the circumstance where -- whistle blower really is almost too much of a pejorative to use for these people. I am talking about the person that empties the bedpan in the nursing home.

DR. ROTHSTEIN: Well, I appreciate that comment.

MS. RUSH: You may not necessarily be a glorified whistle blower in that sense, but you may see things going on there that would make me uncomfortable if it were my parent.

DR. ROTHSTEIN: I think there is a way that we can do that without opening it up to make any disclosure by anybody for any reason. So if we key it to who in reasonably good faith believes that such-and-such will happen as a result, I think that would be --

MS. RUSH: I think you have to recognize that if you talk to three media attorneys, you are going to get five different opinions, almost by definition. We have discussed this as a cure or an option. This is really off the top of our heads, but I think we probably all share some of the same values in this sense, and probably can work out some kind of ideas.

DR. ROTHSTEIN: Ms. Stewart, what is your thought on this? Is that opening --

MS. STEWART: I would have to look more at it and discuss it with Jan-Lorie, who knows the rule far better than I do. But I am going to say that my sense is that we would disagree with that. I don't really know in what way -- how do you prevent it from being a slippery slope? What does reasonably lead to law enforcement or what does corrective action mean, in a legal sense?

DR. ROTHSTEIN: Let me take up another specific provision. There is a provision allowing the reporting in emergencies to law enforcement officials. It would as you read it not apply to press coverage or publicity surrounding victims of accidents so that the family would find out or whatever.

If we were to recommend some sort of exception to that, what would that be? In other words, I might be persuaded that in emergencies, there would be some limited exception to reveal minimal identifying information that Joe Schmoe is in Hospital X, and that's it. You are not going to get me to tell you what his condition is, or whatever.

For the benefit of family members and so forth, is it possible to craft some provision that would do that without opening up a can of worms?

MS. COCHRAN: I would say, yes, we would be glad to work on something. We don't have the language in front of us, but something that would make it clear that news media could be included in the group that information is released to in a time of emergency.

DR. ROTHSTEIN: I have one last question, and then I'll take some comments from my colleagues. You don't really, Ms. Cochran, recommend that I not be allowed when I go into the hospital to tell the people in the hospital, don't tell anyone that I am here, because I am a very private person? You don't mean to suggest that the hospital is required over my objection to tell anyone who calls that I am there, et cetera?

MS. COCHRAN: The instances that I think are the most difficult for our members are where someone has been brought to the hospital because of an injury or a crime, that that name may be known to the public safety officials, but that the hospital can't confirm that. I think that is an instance where if it is known to the public safety official, we would like to see it be confirmed.

DR. ROTHSTEIN: But your recommendation is much broader than that. It says the rule should not afford the ability to restrict public access to directory information. I just got off your bus on that one.

MS. COCHRAN: This is the number-one recommendation.

DR. ROTHSTEIN: No, this is number seven, on page 11.

MS. COCHRAN: I think, not being a lawyer, what we mean here is what I just said, but I cannot clarify that.

DR. ROTHSTEIN: I'll take that as a motion to withdraw number seven. Comments?

MR. REYNOLDS: I have another comment. First, I appreciate your labeling me as a normal person. I will take this testimony and I will use it in many ways.

I guess the question that I have, a lay person and all this, a person's health information -- I'll use me as an example. If a source gave you my health information, and you used it, you would have used my information, but my understanding is, you would protect the source. So when you think of the general public out there, and you think of people listening to it, my coveted information has been given by someone else that I may not covet and you may not covet. But yet, that person is more important to be protected in a private way than I am.

I'm not saying that is a fact. I am talking about a perception, and I am trying to understand where this thing gets back to my continuums again, all the way or not all the way. So in that case, it would seem like both of us were in it together. My health information is far more important to me than what they did or didn't have to say. So I'd love some comments.

MS. DAUGHERTY: Could I make the point here that there is a long tradition of tort law that protects against the publication of private facts, in circumstances where you have every expectation of privacy, and there is no public interest in disclosure.

MR. REYNOLDS: That is good information.

DR. ROTHSTEIN: Ms. Goldschmidt, are you still with us?

MS. GOLDSCHMIDT: Yes, I am.

DR. ROTHSTEIN: Would you like to comment on any of the discussion that we have had?

MS. GOLDSCHMIDT: Thank you. Back when we were discussing the examples of Arthur Ashe and of Tuskegee, I agree with what the members of the committee were saying. It is like one extreme to the other. It is like comparing apples and oranges, or not even two fruits. There are examples like Arthur Ashe, but there are also examples -- and this comes to the issue of what was said about what was happening before HIPAA and how much of an issue it was, that you had when Barney Clark was in the hospital with the artificial heart. You had reporters posing as doctors and nurses sneaking into the hospital to find out who he was and what was going on with him.

Then more recently, when you had the most recent cases with the Audiocorps artificial heart, it was much more strict, the facility was much more strict. Perhaps they learned from the example of what happened with people sneaking in, in the case of Barney Clark. But there are also -- like with the conjoined twins from Guatemala, who were separated at UCLA. That was highly covered by the media while they were there, while they were going through the surgery at UCLA. Over a period of time, they improved, they went back to Guatemala. Then a point in time came when the girls needed to come back to UCLA for further treatment, and when they arrived and they were at the hospital, the hospital spokespeople told us that they could not give us any information. They couldn't even confirm that the girls had indeed arrived back in the U.S. and at Mattelle's Children's Hospital, until they had a signed consent from the parents, because of the privacy rule, which had gone into effect. The parents were not with the children. They were back in a remote village in Guatemala, without a fax machine, and it was quite a struggle.

That was something where it wasn't a new case, it wasn't something new that had just happened. People throughout not just the U.S., but back in Guatemala and throughout South America were waiting to see, they had been following the progress of these girls, and knew that something may -- wanted an update on the progress. There was this long, long delay of many hours.

So there needs to be some sort of compromise, even if it is just troubleshooting. I admit, it is very difficult to try and put into words a policy that is going to encompass every possibility of what could come up.

DR. ROTHSTEIN: I want to thank you for your comments. Other staff or subcommittee members?

I want to thank all of you for your testimony. It was very stimulating. It is too bad that we are not at a J school or law school seminar. We could spend the whole semester on that. But we are not, so with that, we will adjourn today's meeting, and we will begin tomorrow morning at 8:30. Thank you.

(Whereupon, the meeting was adjourned at 5:05 p.m.)