Statement of Alissa Fox, Executive Director,
Office of Policy and Representation, Blue Cross and Blue Shield Association
Testimony Before the Subcommittee on Health
of the House Committee on Ways and Means
Hearing on the Confidentiality of Patient Records
February 17, 2000
Mr. Chairman and Members of the Committee, I am Alissa Fox, Executive Director for the Blue Cross and Blue Shield Association. The Blue Cross and Blue Shield Association (BCBSA) represents 49 independent Blue Cross and Blue Shield Plans across the country, covering over 74 million Americans - or one in every four individuals.
Thank you for the opportunity to testify today regarding our major concerns with the proposed regulations setting privacy standards for individually identifiable health information issued by the Department of Health and Human Services (HHS) on November 3, 1999.
BCBSA believes that safeguarding the privacy of medical records is of paramount importance. All consumers should be confident their medical information is kept confidential. For BCBS Plans, there is no question as to whether patient records should be kept confidential, but only as to how this should be accomplished. We look forward to working with Congress and the Department of Health and Human Services (HHS) to implement practical privacy protections that:
· allow for the timely delivery of and payment for health care services;
· facilitate efforts to deliver safe and high quality care; and,
· minimize costs and administrative paperwork for consumers, providers and others in fulfillment of the objectives of Health Insurance Portability and Accountability Act's (HIPAA) Administrative Simplification provisions.
It is clear from the proposed regulation that HHS sought to balance the need to safeguard medical records with the ability of the health care system to provide health care services efficiently. We recognize that the staff of HHS has worked long hours in an attempt to develop regulations that would not impede our modern health care system.
However, despite their efforts, we remain concerned that the proposed regulation needs significant revision. Without substantial changes, the proposal is operationally infeasible and extremely costly. It would slow the delivery and payment of care to providers and consumers, threaten the assurance of quality, and exacerbate the cost of health care.
My testimony focuses on five key areas:
I. Scope of the Regulation
II. Key Concerns with the Regulation
III. Positive Aspects of the Regulation
IV. Cost of the Regulation
V. Recommendations
I. Scope of the Regulation
HIPAA provided HHS the authority to promulgate privacy standards for consumer health information if Congress did not pass legislation by August 1999. The statute directed HHS to issue rules governing "standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)" - certain standardized transactions for claims payment and other functions. This directs the Secretary to develop a narrow set of privacy rules for the specific transactions that are developed and transmitted under Administrative Simplification. However, the proposed rule establishes standards that far exceed this mandate. The proposal would affect virtually all players in the health care industry as well as many other organizations - such as schools, employers, and accounting firms - and the vast majority of information.
The proposal would require covered entities (i.e., health plans, providers, and clearinghouses) to:
· Obtain new authorizations from consumers before using or disclosing information, except for purposes of treatment, payment, health care operations and other limited circumstances;
· Allow individuals to inspect, copy and amend much of their medical information;
· Track all disclosures made other than for treatment, payment and health care operations;
· Recontract with all business partners to require them to use and disclose information according to the new privacy rules and assure that business partners are complying;
· Institute procedures to assure that only the minimum information necessary is used or disclosed for a given purpose;
· Designate a privacy official and train staff;
· Follow specific rules before using protected health information for research; and,
· Develop a host of new policies, procedures and notices.
In understanding the full scope and implications of the regulation, it is important to be aware of the following:
· The Regulation is Not Limited to Electronic Records: Many news accounts describe the proposed regulation as applying to electronic records only. This is far from accurate. The regulation specifically applies to electronic records, as well as any format of a record that has ever (or will ever be) electronically transmitted or maintained. This broad brush covers millions of paper records, oral records and other storage formats. In addition, because it would be so difficult to distinguish ordinary paper records from paper records that had been (or would be) electronically transmitted, the practical effect of the regulation would be that doctors, health plans and other covered entities would need to apply the protections to all of their records, of any format.
· The Regulation Affects Internal Uses of Information as well as Disclosures: A common misconception regarding the regulation is that it simply regulates the disclosure of information to a third party. In fact, the regulation actually affects the use of information internally within an organization. This means that organizations would be required to comply with all the rules even when they use information internally for treatment purposes, claims management, utilization review and other routine health care purposes.
· The Regulation Affects a Broad Array of Organizations and Information: The definition of "covered entity" in the regulation is broad in scope - including not only doctors, hospitals and health plans but employers operating their own health plans (insured/self-funded), laboratories, pharmacists and many others. Many organizations that are not included specifically as a "covered entity" are indirectly subjected to the privacy rule through a new requirement that all covered entities must regulate their "business partners." For instance, lawyers, accountants and other non-health oriented organizations could fall into this category.
· In addition, the definition of "protected health information" (PHI) in the regulation is much broader than what most individuals consider their health information. The definition of PHI goes beyond an individual's medical records to include insurance records and status, oral information, and demographic data.
II. Key Concerns with the Regulation
Today, BCBSA submitted over 50 pages of detailed formal comments to HHS on a whole host of important operational issues. This testimony highlights the four most problematic provisions in the regulation.
1) Preemption of State Law
We believe doctors, health plans, and other covered entities will be unable to navigate the labyrinth of state and federal privacy laws under the complex construct of the HIPAA regulatory model. The regulation follows the HIPAA regulatory construct in that state laws are preempted only if contrary to the regulation, and less stringent. In addition, the regulation specifically "saves" certain state statutes from preemption, such as those relating to health surveillance.
Everyone in the health care system needs a clear understanding of the rules that guarantee privacy. We are concerned that the lack of a complete preemption over state law creates a serious problem for consumers, doctors, health plans and other covered entities.
Doctors, health plans and other covered entities must determine, on a provision by provision basis, which parts of state law would be retained, and which would be replaced by federal law. This is further complicated by the free flow of patients and information in today's health care industry. For instance, an individual may live in the District of Columbia, work in Virginia, and visit a physician located in Maryland. Covered entities dealing with this individual must evaluate the interplay of three state statutes with the federal law. In addition, covered entities also must factor in the interplay of other federal laws relating to privacy. Even if each covered entity engaged an attorney to prepare a preemption analysis, different attorneys would prepare conflicting interpretations - leading to costly litigation with the states, the federal government and consumers.
This regulatory construct will be particularly confusing for consumers. Instead of facilitating an individual's ability to know their privacy rights, this complex preemption process is sure to confound patients. First, individuals will be hard pressed to determine which aspects of the state and federal privacy laws apply to them, so it will be impossible for them to determine if, in fact, they have been wronged. In addition, consumers will not know where to direct complaints if they do feel that their rights are violated - Maryland? Virginia? The District of Columbia? The Secretary of Health and Human Services? It is likely that consumers will be bounced from one jurisdiction to the next until the consumer locates the one which has the law that has been violated - or the consumer becomes frustrated and terminates the effort.
We recognize that a complete preemption of state law is outside the statutory authority of the Department of Health and Human Services (HHS). Therefore, we recommend HHS prepare a detailed privacy guide for each state on how existing state laws intersect with the new federal rules. The guide should also address whether a privacy provision is triggered by a consumer's residence, location of provider or other criteria. HHS should prepare the guide in collaboration with state government officials. HHS should assure this guide also incorporates other federal privacy laws, such as the Federal Privacy Act. As part of this process, each individual state should certify agreement with HHS' analysis so everyone has a clear understanding of the rules.
It is imperative that this legal guidebook is prepared well in advance of the final regulations. Doctors, health plans, and other covered entities will need this completed analysis before computer systems can be redesigned, forms and notices are changed, consumer brochures are modified and updated, and other procedures can be brought into compliance. Bringing plan and provider operations into compliance with these complex new regulations will be expensive, so it is critical that these entities only have to modify systems and other items once. Therefore, we recommend that the analysis be provided two years prior to the effective date of the regulation.
2) Business Partner Provisions
The business partner provisions of the regulation require that doctors, health plans and other covered entities enter into prescribed contracts with all of their "business partners" to assure these partners follow specific HHS privacy rules. The doctors, health plans and other covered entities would be considered to be in noncompliance with the regulations and could be subject to penalties and/or litigation if they "knew or reasonably should have known" of certain privacy violations of their business partners. We believe these provisions are unworkable, as well as outside of the authority of HHS.
The definition of business partner is so broad that physicians could be the business partners of independent laboratories; health plans could be the business partners of their lawyers and accountants; and hospitals could be the business partners of independent physicians that practice within their walls. Doctors, hospitals, Coordination of Benefit (COB) partners, and health plans could all be construed as "business partners" of each other. These provisions also could result in unworkable relationships between government agencies. For instance, we believe the Social Security Administration - which makes eligibility determinations for the Medicare program - could be interpreted to be a business partner of the Health Care Financing Administration (HCFA). Medicare contractors could be business partners of HCFA, subjecting HCFA to the fines and penalties under the regulation.
The potential liability is likely to force all of these doctors, health plans, and other covered entities to monitor each other (as well as sub-contractors). This would result in an enormous amount of duplicative monitoring and auditing, making it likely that all members of the health care industry would be monitoring each other (including covered entities) - an obvious conflict with the efficiency and cost-saving goals of the Administrative Simplification provisions of HIPAA. Moreover, these costly actions would provide little or no real benefit to consumers since most of these entities already would be covered by the regulations.
The contractual specifications included in the regulation compound the problems in the unworkable business partner framework. For instance, one of the specified contract standards in the regulation is that doctors, health plans, and other covered entities require business partners to either destroy or return all protected health information (PHI) when a contract is terminated. But clearinghouses, for example, keep health data on file for some time to respond to disputes and complaints. Health plans, employers, and other covered entities and business partners must maintain PHI in order to provide HIPAA certificates of coverage and protect themselves from legal disputes, complaints, etc. In addition, some health plans are required by state law to keep information for a certain period of years for state purposes. This is only one of a number of examples demonstrating the operational infeasibility of the contract provisions. In our detailed comments, we identified a number of others.
And finally, we believe the business partner provisions are outside of the statutory authority of the Department of Health and Human Services. HIPAA clearly delineates the covered entities subject to HHS oversight: health plans, clearinghouses, and providers conducting standard transactions. Attempts to indirectly regulate other organizations - through doctors, health plans and other covered entities or otherwise - are an overreach of regulatory authority. We believe recent District and Supreme Court cases support this premise as well as the viewpoint that inherently federal powers cannot be delegated to non-federal authorities.
3) Minimum Necessary Standard
The proposed regulation instructs doctors, health plans, and other covered entities to use or disclose only the minimum information necessary to accomplish a given purpose and discourages the exchange of the entire medical record. This requirement also implies determinations should be made on an individual basis. At first blush, this standard seems to be a perfectly reasonable, common sense provision.
However, upon an operational implementation perspective, it becomes increasingly clear that it would be impossible to implement a legal standard that only the minimum information is used or disclosed. First of all, it is important to recognize that this standard applies to the use of information as well as disclosure, and that the definition of disclosure includes broad terms such as "provision of access to." We believe this standard would require a massive reorganization of workflow, as well as possible redesign of physical office space and would jeopardize the quality and timeliness of patient care, benefit determinations and other critical elements of the health care system. For instance:
· As part of the description regarding the minimum necessary standard, the regulation includes a strong discouragement regarding the release of entire medical records of patients. The complete exchange of medical information is absolutely critical to assuring a patient receives the right treatment at the right time. The recent Institute of Medicine report, "To Err is Human," highlighted the medical mistakes that are common in our health care system today. The IOM report states that errors are more likely to occur when providers do not have timely access to complete patient information. The discouragement of complete medical records would make it more difficult to guard against these problems. One covered entity may determine that a subscriber's prescription is not relevant to be released. Further down the line, that lack of information may impede clinicians' decisionmaking.
· It is well documented that fraud and abuse is a costly element of our health care system. The Medicare program as well as private health plans have made combating fraud and abuse a priority. However, the minimum necessary standard is likely to impede fraud detection, because fraud and abuse units may be accused of using more than the minimum information necessary. Any impediment to fraud detection would increase the cost to consumers.
· Health plans and providers actually may be forced to redesign their facilities to comply with the minimum necessary standard. For instance, when visiting friends in maternity wards, there generally is a white board describing all of the patients and their medical needs. Any visitor may view the information on the board. Or take an orthopedist's office, where an x-ray lightboard is centrally located outside of the patients' rooms for easy access by the physician. Anyone in the office could view the x-rays, and x-rays are identifiable information. Would the regulation require these providers to renovate their facilities to comply with the regulation?
These are a few examples of the types of activities that could run afoul of the proposed privacy regulations. If implemented, this would impose incredible costs on consumers - not just in dollars and cents - but in lives as well.
4) Definition of Health Care Operations
One of the fundamental building blocks of the regulation is its definition of health care operations. Items that are listed in this definition are exempt from the requirement to track disclosures of protected health information, and do not require a separate authorization from an individual. As changes are made to the final regulation, we expect the definition to continue to play a key role.
We believe the current definition of health care operations misses important functions. As a result, covered entities may have to solicit authorizations for certain functions or track disclosures as part of routine operations. The end result would be that health plans could encounter major obstacles to conducting these activities and could be discouraged from conducting these important functions. The following is a sample of overlooked functions:
· Disease management, case management, risk assessment, epidemiological studies and drug interventions. Many of our Plans conduct these important programs that benefit consumers through improved health care, better outcomes, and lower cost. For instance, the Blue Cross and Blue Shield Federal Employee Program provides disease management services to improve care for patients with respect to congestive heart failure and diabetes as part of its benefit plans. When claims are processed, the names of enrollees that could benefit from disease or case management are compiled. This information also may be used to conduct epidemiological studies of particular populations within FEP or to implement drug intervention programs.
· Private accreditation by organizations such as National Committee for Quality Assurance (NCQA), as well as auditing, evaluating and accreditation functions performed by other private entities, such as associations. The NCQA and other private accrediting organizations sometimes require the review of information that could be considered as protected health information. In addition, other private entities - such as associations - sometimes perform auditing and evaluation of their members as part of membership or other standards.
· Routine Plan operations such as "security activities", data processing activities and general maintenance: Some health plans conduct a series of security activities designed to assure that employees are complying with corporate privacy policies. For instance, they may monitor "same name" look-ups, to guard against employees checking the records of family members, or monitor access to celebrity files, as well as other initiatives. With regard to computers, "live" data is often used in order to assure that system changes and upgrades have correctly been made. Health Plans also must conduct a number of routine operations, for instance the printing of ID cards, etc.
· Health promotion and other educational activities. For instance, FEP has established a 24-hour nurse hotline, Blue Health Connection. Enrollees' PHI may be disclosed to the vendor responsible for Blue Health. This information is used to provide enrollees with health education, treatment options, and assistance with questions for enrollees to ask their physicians. We also may notify enrollees - or require our physicians to notify patients - regarding mammography screenings or immunizations.
· Insurance underwriting and other activities: While the regulation does specify insurance underwriting, we believe the proposed definition may be deficient because it relates only to the renewal of a contract, and to the protected health information of individuals already enrolled. This could inhibit our ability to develop an appropriate premium for group coverage as well as the ability of covered entities to obtain stop-loss coverage or reinsurance.
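The "same name" look-up and celebrity-file monitoring mentioned under routine security activities above is, in practice, a review run over an access audit log. The following is an added example written for this page; it is not code from BCBSA, any Plan, or HHS. The log format, the employee roster, and the restricted-member list are constructed, hypothetical data, and the rule names are assumptions. It flags an employee viewing a member who shares the employee's surname (including hyphenated surnames) and any access to a restricted member ID, and it reports findings by identifier only, so the review itself does not copy names out of the log.

```python
"""Audit-log review for same-surname and restricted-record look-ups.

Added example for this page; hypothetical data and rule names throughout.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    """One flagged access. Carries identifiers only, not names."""
    ts: str
    employee_id: str
    member_id: str
    rule: str


# Constructed employee roster: employee ID -> full name (hypothetical).
EMPLOYEES: Dict[str, str] = {
    "e101": "Maria Lopez",
    "e102": "Dan Okafor",
    "e103": "Priya Lopez-Singh",
}

# Constructed list of member IDs whose records are restricted
# (the "celebrity file" case in the testimony); hypothetical.
VIP_MEMBERS: Set[str] = {"m9001"}

# Constructed access log in CSV form; not from any real system.
ACCESS_LOG = """\
ts,employee_id,member_id,member_name,action
2000-02-01T09:12:00,e101,m1001,Jose Lopez,VIEW_CLAIMS
2000-02-01T09:15:00,e102,m1002,Ann Chen,VIEW_CLAIMS
2000-02-01T10:02:00,e102,m9001,Some Celebrity,VIEW_RECORD
2000-02-01T11:40:00,e101,m1003,Tom Reyes,VIEW_CLAIMS
2000-02-01T12:05:00,e103,m1004,Raj Singh,VIEW_RECORD
"""


def surname_tokens(full_name: str) -> Set[str]:
    """Lower-cased surname parts of a name.

    The last whitespace-separated token is treated as the surname and split
    on hyphens, so 'Priya Lopez-Singh' -> {'lopez', 'singh'}.
    """
    parts = full_name.strip().split()
    if not parts:
        return set()
    return {p for p in parts[-1].lower().split("-") if p}


def review_access_log(
    log_text: str, employees: Dict[str, str], vip_members: Set[str]
) -> List[Finding]:
    """Return one Finding per (access, rule) that matches.

    Rules (names are assumptions for this example):
      same-surname : employee and member share a surname token
      vip-access   : member ID is on the restricted list
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        emp_id = row["employee_id"]
        emp_surnames = surname_tokens(employees.get(emp_id, ""))
        member_surnames = surname_tokens(row["member_name"])
        if emp_surnames & member_surnames:
            findings.append(Finding(row["ts"], emp_id, row["member_id"], "same-surname"))
        if row["member_id"] in vip_members:
            findings.append(Finding(row["ts"], emp_id, row["member_id"], "vip-access"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG, EMPLOYEES, VIP_MEMBERS):
        print(f"{f.ts} employee={f.employee_id} member={f.member_id} rule={f.rule}")
```

A flagged access is a lead for a privacy officer to follow up, not proof of misuse: an employee may legitimately handle a claim for an unrelated member with the same surname, so the review is a trigger for justification, not an automatic penalty.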
This is only a sample of the types of functions that have been overlooked. We believe many more items will be discovered as doctors, health plans, and other covered entities begin implementing the regulation. In addition, we believe the definition is static, and cannot reflect the new roles and functions that health plans may develop in the future that benefit consumers, improve quality, and reduce costs. For instance, if this definition had been developed ten years ago, disease management programs would not be as common as they are today. We are concerned that such strict definitions could limit health plans' roles as they seek to redefine themselves to meet consumer demands of the 21st century. We believe a static definition of health care operations will squelch innovation because health plans will not invest in development unless they know the new program would fall under health care operations.
III. Positive Aspects of the Proposed Regulation
Clearly, we believe there are significant issues in the proposed regulations. However, the regulations did include certain provisions that demonstrated interest in balancing operational impacts with the overall goal of privacy. We have urged HHS to retain these provisions in the final regulation. In particular:
· "Statutory" Authorization for Treatment, Payment and Health Care Operations: The proposed regulation does not require a new authorization for treatment, payment, and health care operations. We believe a "statutory" authorization, meaning that covered entities may use or disclose protected health information (PHI) without authorization as a matter of law, is imperative and would oppose a requirement for new authorizations for these vital activities.
Requiring health plans to obtain a new authorization from current subscribers would require numerous mailings and phone calls from health plans -- a process akin to a "late bill" collections process -- in order to obtain the new authorizations. In the interim, subscribers and providers would experience delays in payment and other services and confusion in the health care system.
· Tracking of Disclosures, Other Than For Treatment, Payment and Health Care Operations: The proposed regulation requires tracking of disclosures made for purposes other than treatment, payment or health care operations. This requirement is operationally more feasible than a requirement to track all disclosures. We would oppose any expansion of this standard. Expanding the tracking standards would result in duplicative and unnecessary tracking of millions of routine transactions that occur every day (e.g., Coordination of Benefits, lab disclosures to physicians, etc.) and a blizzard of paperwork for all, especially physicians. However, we remain concerned that this more reasonable tracking standard is undermined by provisions in the amendment and correction standard that require doctors, health plans and other covered entities to notify previous recipients of information. If the amendment and correction standard is not modified, we believe it would have the operational effect of a "de facto" tracking standard for all disclosures, even those made for treatment, payment, and health care operations.
· Inspection And Copying Of PHI Contained In A Designated Record Set: The proposed regulation allows consumers to inspect and copy those records retrieved from a designated record set used to make substantive decisions. Using a designated record set standard is operationally more feasible than requiring access to all protected health information. Expansion of this standard to all records would result in reams of meaningless information being retrieved and copied at a great cost to the health care system. We oppose expansion of the current standard.
IV. The Cost of the Regulation
The proposed regulation includes an estimated total cost of $3.8 billion over five years. We think this figure greatly underestimates the cost of implementation. The regulation itself indicates the HHS cost estimates are incomplete. The proposed regulation itemizes 10 standards for which HHS was unable to complete a cost analysis, noting that "the cost of these provisions may be significant in some cases...". The minimum necessary standard, business partner monitoring, designation of privacy officials and privacy boards, and creation of de-identified information were all items excluded from the HHS cost estimate.
Due to our concern regarding costs, we engaged the Robert E. Nolan Management Consulting Company to provide an independent estimate of several key provisions of the proposed regulation; the Nolan estimate is over $40 billion over five years to health plans, providers and other members of the health care community. These costs stem from:
· Business Partner Monitoring: The business partner provisions would make doctors, health plans and other covered entities liable for the compliance of their business partners, including lawyers, schools and other organizations. As a result, covered entities would monitor each other as well as their non-health business partners. This provision is estimated to cost about $4 billion over five years.
· Privacy Officials, System Changes and other Infrastructure: Doctors, health plans and other covered entities would need to retrain current employees and periodically recertify their employees, hire privacy officials, upgrade systems, and address other infrastructure issues in order to implement the proposed privacy regulations. This is estimated to cost about $23 billion over five years.
· Tracking and Disclosure: The amendment and correction provision requires covered entities to send amended records to previous recipients of the information. This could result in a "de facto" requirement to track all disclosures of information. As a result, this provision could cost as much as $9 billion over five years.
· Inspection, Copying and Amendment: Covered entities would have to allow individuals to inspect, copy and amend all information contained in a designated record set. The definition of accessible information extends beyond the traditional medical record to other electronic, or written information that includes an individual's name, social security number or other identifying feature. This provision is estimated to cost almost $4 billion over five years.
· Impact on Medical Management: Deficiencies in the term health care operations and other definitions could reduce the ability of health plans to conduct effective disease management programs. These programs improve the quality of care of consumers, and decrease overall medical costs. Less effective disease management programs are estimated to cost $3 billion over five years.
Obviously, estimates will vary depending on the final interpretations of the regulation; however, we believe an estimate of over $40 billion remains conservative. For instance, it does not include the new liability costs that will arise from this regulation, the impact of underwriting changes, or the impact on health research. Ultimately, the additional administrative costs faced by providers and health plans will increase the cost of insurance coverage.
V. Recommendations
In general, the proposed regulation requires doctors, health plans and other covered entities to implement complex new rules that require extensive new procedures, documentation processes, form specifications and notice standards. These requirements would require the re-organization of workflows as well as possibly the physical facilities of doctors and hospitals in order to comply with the law. We believe the level of documentation and procedures is unnecessarily excessive, and should be rewritten to reduce the complexity, burden and cost.
Specifically, we urge the following:
(1) Detailed Guidance on Preemption of State Law: While we recommend a full preemption of state law in the privacy area, we understand that it is outside of the statutory authority for HHS. In the absence of full preemption, we recommend HHS, working with the states, prepare a detailed analysis of state and federal law to provide a clear guide on all provisions affecting the health care industry.
It is critical that this guidance be available at least two years prior to the effective date of the regulation. Bringing operations into compliance with these complex new regulations will be expensive, so it is critical that doctors, health plans, and other covered entities only have to modify systems and other items once.
(2) Removal of Business Partner Provisions. The business partner provisions should be removed from the regulation because they are:
· Outside of the Secretary's statutory authority
· Unworkable and would create expensive and duplicative monitoring between doctors, health plans, and other covered entities
· Unnecessary since the vast majority of protected health information is maintained by organizations that are covered by the regulation.
(3) Change the Minimum Necessary Standard from Legal Standard to Organizational Objective: While we believe the minimum necessary standard is a laudable goal, we are concerned that it would be impossible to implement this standard operationally and comply with a rigid legal standard. Therefore, we recommend that organizations include the minimum necessary standard concept as an objective, rather than as a legal standard.
(4) Revise Definition of Health Care Operations: The current definition of health care operations is static and missing key elements. As the building block of the regulation, this definition is crucial because it triggers whether or not new authorizations are required, disclosures are tracked, and other important issues. Instead of using a narrow, prescriptive definition, we recommend inclusion of a definition that is flexible enough to incorporate the industry's current operations as well as new ones that develop as our ability to improve quality and other areas increase.
(5) Additional Funding for Medicare Contractors and other Government Programs. We also urge congressional appropriators to factor the additional cost of privacy compliance into budget development regarding the Medicare fee for service contractors, Medicare+Choice plans, the Federal Employees Health Benefit Program, and other federal programs.
VI. Conclusion
Once again, we appreciate the opportunity to testify before you on this critical issue.
We would like to continue working with you, and the Department of Health and Human Services, on crafting privacy rules that meet our common goals of protecting consumers, improving quality, and minimizing costs.
Thank you again for this opportunity to testify on this important issue.