|
The National Committee on Vital and
Health Statistics (NCVHS) has released recommendations on HIPAA Privacy
implementation, following lengthy public hearings held in August. The
recommendations, which are documented in an October 1, 2001 letter by the
Subcommittee on Privacy and Confidentiality to HHS Secretary Tommy Thompson,
address several issues including Emergency Access, First Encounters, Revocation
of Consent, Consent by Minors, Disclosure for Accreditation and Health Care
Quality, Involuntary Commitment, Minimum Necessary, and Defensive Practices. In
addition, the sub-committee recommended that HHS issue advisory opinions, best
practices information, and model policies, procedures, and forms related to
HIPAA compliance. The group expects to issue additional recommendations in the
future, addressing research and marketing under the Privacy Rule.
The full text of the letter to
Secretary Thompson, detailing the NCVHS recommendations, follows:
October 1, 2001
The Honorable Tommy G.
Thompson
Secretary
U.S. Department of Health and Human Services
200
Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
As part of its responsibilities under
the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the
National Committee on Vital and Health Statistics (NCVHS) monitors the
implementation of the Final Rules that adopt the health data standards required
by the Administrative Simplification provisions of HIPAA.
On August 21-23, 2001, the NCVHS
Subcommittee on Privacy and Confidentiality held public hearings on the
implementation of the final rule for the “Standards for Privacy of
Individually Identifiable Health Information” that was published on
December 28, 2000. More than 30 people, including health care providers,
payers, researchers, members of professional organizations, other users of
health care information, and members of the public testified on four key issues
identified by the Department of Health and Human Services Office for Civil
Rights (OCR) and the NCVHS: (1) the requirement for consent in order to use
protected health information for treatment, payment, and health care
operations; (2) the requirement that covered entities make reasonable efforts
to limit the use and disclosure of protected health information to the minimum
necessary; (3) the regulation on research; and (4) the marketing provisions.
Oral testimony was provided by both invited witnesses and the public;
additional written comments also were submitted.
This letter addresses the first two
issues, the consent requirements and the minimum necessary provisions. NCVHS
will address the research and marketing issues in a future letter. The OCR
attended the hearings and received copies of all the written comments,
including comments that addressed issues that were beyond the scope of the
hearings. Therefore, the OCR will have the opportunity to address additional
issues and concerns not covered in this letter.
The focus of the hearings was to
explore practical issues in implementing the final rule, including unintended
consequences of the rule, possible inconsistencies, and areas needing further
clarification. Panelists were asked to provide specific suggestions for
possible modifications of the rule. Testimony in each of the four areas
represented a broad range of opinions. Many panelists expressed their
appreciation for the clarification provided in the Department of Health and
Human Services (HHS)/OCR guidance.
Several speakers expressed concern
about the difficulty of coming into compliance when parts of the rule may be
amended. A few witnesses suggested that the compliance date should be delayed
until two years from the date of the final revised rule. There was also
testimony that the compliance date should be postponed until all the HIPAA
standards are published. These specific issues, however, were not part of the
Subcommittee’s request for testimony, and therefore, contrary testimony
was not solicited. Consequently, NCVHS will not address them in this
letter.
NCVHS will continue to seek public
comments on the implementation of the HIPAA administrative simplification
provisions. In light of the widely voiced concern about the lead time needed
for implementation, NCVHS respectfully recommends that modifications to the
privacy rule be made as expeditiously as possible.
Consent
Testimony on the consent requirement
represented a wide range of perspectives from those urging HHS to delete the
mandatory consent requirement and make consent optional for all covered
entities to those requesting more stringent provisions. Many panelists
expressed concern about the administrative burden involved in obtaining consent
and then storing, tracking, and updating it to reflect restrictions or
revocations. Several panelists asserted that the rule already has sufficient
privacy protections without the additional requirement of consent. There was
testimony that the consent provision does not provide patients a truly informed
and voluntary choice, and that the requirement will provide an unintended but
significant barrier to the effective delivery of health care services.
Others testified that the consent
requirement is essential and an integral part of patients’ privacy rights.
There was testimony that the requirement is not stringent enough because it
does not protect disclosure to third parties, and it permits providers to
refuse treatment if patients do not consent. There was also testimony that the
rule coerces individuals into sharing their personal health information and
limits individuals’ autonomy and their ability to control access to
intimate details about their personal lives. Some panelists expressed concern
that individuals will stop seeking treatment for fear of breach of
confidentiality by covered entities.
The Committee makes the following
recommendations related to the implementation of the privacy rule:
1. Emergency Access
Providers expressed concern about an
unintended and potentially harmful consequence of the rule. Under the rule, if
a provider learns that a medication is the subject of a Food and Drug
Administration recall or a life threatening drug interaction, the provider
would be unable to access the records of those patients who had not yet
consented or who had revoked consent in order to identify the patients and warn
them of the situation. Concern was also expressed about emergency situations.
For example, if an unconscious patient arrives in an emergency room and has not
yet consented or has revoked consent, a provider would have to treat the
patient without access to the medical record.
The Committee believes that there are
circumstances such as those above where records should be accessed without
prior consent. NCVHS recommends that the OCR explore the specific circumstances
where records can be accessed without the prior consent of the individual, and
modify the rule as necessary.
2. Continuing Use of Information
Obtained Before HIPAA
Several witnesses requested that the
rule be modified to permit the continued use of data collected before the April
14, 2003 compliance date, and require consent only for data collected after
that date.
The Committee believes that the
transition provisions in the rule (§164.532) are adequate. NCVHS does not
support a proposal that consent be required only for data collected after the
compliance date.
3. Initial Contacts and First
Encounters
Much concern was expressed regarding
the need to use and disclose information without written consent prior to the
first contact between a patient and a provider in order to facilitate the
timely delivery of patient care.
While the guidance clarified several
areas of concern to pharmacists, testimony indicated that some problem areas
remain. It was recommended that in addition to phoned-in prescriptions (already
the subject of a proposed change), the prior consent requirement should not
apply to prescriptions brought to a pharmacy by any method other than
face-to-face contact, such as prescriptions brought to a pharmacy by a
neighbor, friend, relative, etc. of the patient, or prescriptions transmitted
to the pharmacy by facsimile or electronic means. It was also requested that
the modification allow pharmacists to fill or refill prescriptions not received
by face-to-face contact after the compliance date if no consent is on file.
Pharmacists also expressed concern about their inability to disclose potential
adverse drug reactions to other providers, and their ability to meet state
compliance requirements.
Written testimony also recommended a
modification of the consent provision for direct treatment providers to whom a
patient is referred for the first time that would be consistent with the
Medicaid rule allowing a representative to sign for a patient who is physically
or mentally unable to sign a consent form.
We understand that the modifications
to the rule will allow direct treatment providers receiving a first time
referral to schedule appointments, surgery, or other procedures before
obtaining the patient’s signed consent.
The NCVHS recommends that the above
modifications be expanded to cover all first contacts when not face-to-face
(e.g. phone advice, scheduling without referral, new patients).
Testifiers recommended that continued
use of existing data be allowed until a patient makes a physical appearance and
is able to sign a consent form.
The Committee supports the
recommendation that the continued use of existing data be allowed until a
patient makes a physical appearance and is able to sign a consent form. NCVHS
recognizes and supports the HHS/OCR’s effort to provide additional
clarification or modification regarding first encounters, and urges a
continuation of these efforts.
4. Revocation of Consent
Testimony reflected several specific
concerns about the revocation provisions. Particular concern was expressed
about information from the individual patient record that has
“migrated” into other systems, such as registries for various
diseases and procedures. Data are often integrated into systems, and it is
difficult to redact information after a revocation of consent. In addition,
data are used in registries and other secondary databases for quality control
and improvement purposes, and there was concern that revocations would dilute
the usefulness of these registries and secondary databases for quality
purposes.
A number of organized health care
entities function as both providers and health plans. HIPAA provisions permit a
patient to revoke consent for treatment. If the patient revokes consent from a
provider, the health plan may want to disenroll the member. However, other
HIPAA portability provisions, Medicare rules, and Federal Employee Health
Benefits Plan rules generally preclude disenrollment of members from a health
plan except for nonpayment or fraud. In addition, state laws may prevent
disenrollment.
NCVHS recommends that HHS/OCR
reconsider and clarify the circumstances surrounding revocation, in particular,
the circumstances noted above.
5. Consent by Minors
Another area of concern involves
minors’ right to revoke parental consent at majority. Some providers
continue to rely on past consent; others seek consent from the young adult when
the adult comes in for care.
NCVHS recommends clarification
regarding at what point a covered entity must obtain consent from a person who
has reached the age of majority.
6. Disclosure for Accreditation/
Health Care Quality Purposes
Several panelists expressed concern
that the final rule may have the unintended result of preventing the sharing of
health information that fundamentally advances health plans’ role in
facilitating quality health care for consumers. Under the final rule, consent
for health care operations covers the provider’s health care operations;
it does not include the operations of the health plan. Frequently, the
information provided on claims is not sufficient for quality assessment and
related purposes; further, capitated providers may not provide plans with
encounter information for payment on a routine basis.
National Committee for Quality
Assurance (NCQA) and Joint Commission on Accreditation of Healthcare
Organizations accreditation rules require that these bodies have access to a
random sample of charts to determine whether quality standards are being
adhered to. This type of review would not be representative if it could not
include data for members who had not yet consented or who had revoked consent.
Health plans participating in the Medicare + Choice program are required to
report Quality Improvement System for Managed Care performance measures to the
Centers for Medicare and Medicaid Services. Many state statutes require health
plans to report performance measures such as Health Plan Employer Data and
Information Set (HEDIS) for all health plan members.
Access to protected health information
held by providers for all the above accreditation, quality assurance, and
performance measure activities related to health plan operations would be
severely constrained if additional authorizations would have to be secured each
time from the patient. Concern was also expressed that health plans would be
unable to report accurate, statistically valid data if members revoke consent
and disallow use and disclosure of that part of their record.
NCVHS recommends that the rule be
amended to allow providers to disclose to health plans, without individual
written authorization, information needed for accreditation and health care
quality purposes. NCVHS recommends that provider groups also should have access
to the same data for quality improvement, provider monitoring and
credentialing, and health care operations, even if consent has not been
obtained or has been revoked.
7. Involuntary Commitment
There was testimony that the privacy
rule does not except from the consent requirements involuntarily committed
patients who refuse to sign a release permitting use and disclosure of
information. Although there is a legal duty to treat such individuals, a
consent requirement for access to their records would compromise the quality of
the treatment.
NCVHS recommends that HHS/OCR clarify
the situations involving the involuntary commitment of competent patients who
refuse to consent to treatment, and specifically address the issue of whether
these persons are covered under the exception for legally mandated treatment.
Minimum Necessary
Testimony on the minimum necessary
provisions reflected a wide range of views, from those who felt the rule
provides sufficient privacy protections without the requirement to those who
view the minimum necessary requirement as embodying the essence of the privacy
rule. While many panelists welcomed the flexibility inherent in the minimum
necessary provisions, there was also concern that the vagueness of the standard
might restrict the necessary flow of information, impede care, and lead to an
increase in defensive information practices (the withholding of information
important to health care for fear of liability). The rule’s use of terms
such as “reasonable efforts” and “substantial discretion”
were cited as examples of vagueness.
Several speakers expressed concern
about the increased cost and administrative burden associated with the minimum
necessary requirement; others stated that the cost in addition to existing
routine administrative costs will barely be discernable. One panelist
questioned whether the standard provides any advantage or protection for
patients; another panelist stated that the minimum necessary standard will
bolster the patient’s control of his or her medical information and
encourage patients to be more candid with their doctors.
NCVHS strongly reaffirms the
importance of the minimum necessary principle. The Committee would like to
facilitate the necessary flow of information and minimize defensive information
practices. The concerns and recommendations below address specific issues
related to the implementation of the minimum necessary requirement.
1. Determination of Minimum
Necessary
Witnesses differed over whether
determinations of minimum necessary should be made by the requesting party or
the recipient of the request. Many panelists found the guidance helpful in
addressing questions about the standard. However, unresolved questions remain.
It was suggested that the guidance could enumerate some disclosures that are
presumed appropriate.
Case by case determinations are only
required for non-routine uses of information. The holder of information is
currently able to rely on the determination of minimum necessary by a covered
entity and other entities identified in the rule.
NCVHS recommends that HHS/OCR provide
additional clarification on the issue of reasonable reliance. In addition,
NCVHS recommends that HHS/OCR clarify that a covered entity’s policies and
procedures may address the minimum necessary requirement for the routine use of
information.
2. Defensive Practices
Several panelists expressed concern
that unresolved questions about the standard, fear of potential liability, and
civil and criminal penalties could restrict the necessary flow of information,
impede care, and lead to defensive information practices.
NCVHS recommends that HHS/OCR provide
education to address the increasing concerns about liability and defensive
information practices that lessen the flow of information and impede care.
3. Opinions/Models
The ambiguity of the minimum necessary
standard and the cost and administrative burden of developing policies and
procedures and implementing the requirement were frequently cited.
NCVHS recommends that HHS/OCR issue
advisory opinions, publish best practices, and make available model policies,
procedures, and forms for various purposes.
We appreciate the opportunity to offer
these comments and recommendations.
Sincerely,
John Lumpkin, M.D., M.P.H.
Chair
|
