5199 E. Farness Dr.    Tucson, Arizona 85712-2187     Phone: (520) 795-7985    Fax: (520) 323-9559

Pima County Medical Society

May 8, 2001

Gregory Harris of Lewis and Roca, LLP

transcript edited by Jane Orient, MD

Background

Let’s talk about HIPAA, which passed on the federal level in 1996 with a big splash on the portability piece. In Arizona, it was pretty painless to implement [the portability provisions of] HIPAA because so much of it, particularly the small-market reform issues, had already been dealt with in 1993 by the legislature here. But snuck in, in the last 400 pages, was the privacy piece that we're going to talk about tonight.

That piece had a trigger such that if Congress didn’t pass privacy rules by summer of 1999, the Dept of Health and Human Services at the federal level would be given power to adopt a set of national rules that would apply to medical privacy. Congress didn’t pass legislation, and in the fall of 1999 the Dept of Health and Human Services did publish their proposed rules.

Those proposed rules received tens of thousands of comments that ultimately resulted in another privacy policy in December of last year that became the final rules. The final rules then, as we have seen in the media, have received a lot of attention because when President Bush came into office he first suspended, or signaled that he would suspend, many if not most of the federal rules that the Clinton Administration pushed through during its last days in office. This was ultimately not one of the rules that was put on arrest. But after it was determined that the rule was not going to be held off, the discovery was made that the publication in the Federal Register that signaled the finality or effectiveness (a publication that is required) wasn't done, and the rule was republished in February. At this point another round of discussion took place about whether the rules would still be suspended, and then on April 14 Tommy Thompson announced, much to the surprise of many folks because an announcement had been made three or four days prior that the rules were going to be suspended, that the rules would be implemented. So the limbo that the rules were in has been resolved, and we'll learn about the nether world that we're going to enter into.

If you read through the roughly 1,000 pages that the Federal Register contains synthesizing the arguments that were made for and against different pieces of the rules, describing what the rules are in depth, and telling why changes were made from the proposal in the final rules, [you'll see that] there were three purposes that HHS had in mind: (1) consumer access and control over their health information; (2) reinstilling trust in the privacy of medical records and thus in the health care system and improving quality; (3) channeling the use of electronic methods for billing purposes, which would bring some efficiency to the market.

Compliance Deadline

The compliance date is two years from the date that the rules became final, April 14, 2003. For small health plans there is a later compliance date. At the federal and state level there is generally a requirement, before rules are implemented, to at least give some thought to the effect of the rule on small business. That doesn't reach down, as I understand it, to include small employers like the small providers that many of you represent.

The other thing that is clear from the rules is that the consents and authorizations that you have on record that were obtained before the compliance date remain effective, but if you've got information that isn't covered by a prior consent or authorization, that data, past, present, and future, is all covered by the privacy rule, and that's a situation you'll have to deal with.

Who Owns the Record?

We will ask why these rules are here, and where did they come from. Every bit of your work today is filled and has been filled with concerns about how you make sure that the patients are best taken care of and how you deal with not only caring for your patients but making sure that they get follow-up care and that the record is kept and is designed to be kept in a certain way so you can do your job. These rules have in a way prompted a discussion on the focus of the records and who is the guardian of the record. You have the political and professional responsibility to maintain the confidentiality of records and information about the patient. The rules really signal a shift in thinking that is being thrust on us from the top down, in other words. It's not the old way that you have been used to and performed regardless of trust, but one which, although it didn't go as far as was proposed initially to establish a private cause of action on the part of those individuals whose lives you have seen and charted and followed, clearly carries with it a thrust that it is the individual who controls their records and not you who own the record. So it raises some issues about ownership of records, and about control of the record, and it also raises interesting issues because, as you all know in your practices, there are also state laws about confidentiality, privacy, and access. There is that whole Medical Records Act that is in state law that was amended last year to extend the record retention period. So you have all that to make sense of as you process and analyze these new rules.

Definitions

There are a couple of key concepts in the proposed rules. These include what is protected health information, what is a covered entity, what is a business associate. And in the last piece, if you’re involved in any way in data aggregation, research information, or if you are going to find ways to pull out the personal information so that you can publish this data, there are a whole host of rules to look at to see whether what you’re dealing with really is de-identified health information.

So, let’s talk first about the covered entity. The definition is pretty broad. It includes health plans, health care providers, and health care clearinghouses, and the clearinghouses would include what I guess might be a TPA or third party administrator, people who are involved in billing services. The health care providers that don’t transmit their records electronically don’t fall within the definition of covered entity by the rule. But the issue about what is electronic transmission and the other issue about how much control you have in your practice about whether your data is or isn't transmitted electronically leave you with less room to think about whether you will ultimately be seen as a covered entity.

Legislation passed by the House signalled the notion that electronic billing may be made mandatory, and some third parties already have penalties in place.

The concept of the Business Associate in essence is people who are hired by a covered entity to assist with the functions that make the covered entity a covered entity, such as billing purposes, treatment decisions, quality review, and utilization review services. These are the people that would also have to comply, and, as we will talk about it in a few minutes, the rules established some responsibility for the covered entity to make sure that the business associates with whom they deal follow the federal rules. Part of the way that the federal rules deal with this is to require that the contractors covered under these business associates be enlightened. It isn’t just that they have written contracts; the rules go on to articulate in tremendous detail what things need to be covered in the contract. The contracts have to include such features as (1) a method to provide assurances that protected health information would be safeguarded, (2) how the confidential protected health information will be used and disclosed, and (3) the processes by which the use and exposure will take place.

The contract has to permit, much as you may have seen or may have experienced with the Fair Credit Reporting Act, that if a credit report has a mistake you can correct your credit report, a method whereby a patient can access and see that record and petition to have that record corrected. So you have to have a piece of your contract with your business associates on that as well. There is a whole process on audits: consumers and individuals can ask to see their records and see the docket sheet that you have maintained that reflects the times and circumstances in which you have allowed all the third parties to have access to the health records. There has to be a process for business associates that takes care of that as well. There has to be a provision of the contract that calls for either return or destruction of protected health information at the end of the term of the contract with Business Associates.

Which leads us now, I think, to our next question about what is protected health information? Looking at the proposed rules suggested that protected health information would only be information in electronic form. The final rules as published said that it would be information printed or sent in any form, including orally. So any information that you receive from a patient in the treatment room that you write down in the record (if you are a provider that ultimately transmits patient protected health information electronically), this information that you have received orally is protected health information. If you keep it in handwriting, keep it in typed notes, computer notes, whatever the mode of recording, that information becomes protected health information. That includes information that you have either created or that you have received, so if it comes in from the outside, say you have referred the patient out for some other treatment, or you receive it from another source which may not be a medical source, that information also would be covered by the rules. Any information that identifies the individual or creates the reasonable presumption that in fact somebody could look at the data and say, “Hey, I can tell who this is because of how old they say they are, what their zip code is, and what they know,” is protected health information.

So, [the definition] includes any information that relates to an individual’s mental or physical condition, that relates to the provision of health care, or that relates to the payment for the provision of health care. Even if you strip out most of the personal data, and have a separate code for a particular treatment, that information would be subject to the protection of the rules.

Let’s turn to de-identified information. We will spend just a few minutes talking about that. Whether you are in research, or somebody calls you up for research, or you want to collaborate with another patient or another professional, not because they're involved in the actual treatment or indirect treatment, but because you want to talk with them about maybe a project that you are working on or a case that you’re working on, you really need to think about how this rule works, because if the method and the content of the information you’re providing doesn’t meet the definition of de-identified health information, then for the disclosure or the conversation that you have, the publication that you make, whatever form it takes, you have to follow through the other hoops that we are going to talk about in depth in terms of either consent or authorization from the patient to get the release.

So de-identified information does not identify the individual, and there is no reasonable basis for a way that could be used to identify the individual, and you have a process in place to ensure that when you are parading what you believe to be classified information you are following that process. And if there is a key, if there is a method to break your code to find out who the people are, then the information isn’t de-identified. So, basically, if there is a key out there then you need to lock it away, because if you give the data with the key you're back in the business of getting consent for identifiable patient information.

Permitted Uses and Disclosures: The Consent Process

The rules are laid out on the page and we are going to run through each of these. A whole series of patient rights and protections are set forth. We will run through these individually, but you can see they cover a wide range of topics, some of which track one another identically in terms of your federal authorization form and some of which are going to require a fair amount of staff work on your part as you work with the patient. The permitted uses or disclosure of protected health information: you can disclose any protected health information to the individual if he asks for access to his medical record. I have a right to my own record under state law, and so the process of authorization under the rules that applies to third parties doesn’t apply to me. If you’ve got consent or authorization that covers the disclosure, that is as far as you need to go, but you need to follow the rules on consent or authorization. If you have an agreement for disclosure (and that agreement might be severed from the consent or authorization), that is another case in which you may use the disclosed protected health information.

We are going to talk about a couple of other issues along the way that might come to mind, like what happens if you get a subpoena or what happens if you have a public health issue and how to obtain consent and authorization.

The rules also state that you have to comply with the minimum necessary standard. Say the patient authorizes disclosure for payment purposes, how much of the medical record do you need to give to the insurance company or AHCCCS or to whomever is involved in the payment scheme? The rules say that you have to make reasonable efforts to limit the use of disclosure of protected health information to the level that is necessary. Finally, this is going to create tension with the payer requirements in terms of what is a clean claim and their request for additional information. This tension is going to play itself out here and other places where again we are coming up on the first round of reports on the prompt pay bill that the legislature passed in the 2000 session. But these two concepts are clearly going to butt against one another and there is going to be some dialogue if nothing else.

The standard applies even to covered areas of disclosure of information to another covered entity. So there will be other tensions as with hospital rules, and adjustments will have to be made for special hospitals, general hospitals, and rural hospitals. Those rules contain a component that is under discussion now that will require that when a patient is transferred or referred out that the record, whatever the record, has to accompany the patient. So this rule which requires minimum necessary and this proposed state law rule which requires "the record" are clearly in conflict. So that is an issue that will I’m sure be resolved as the adjustment continues to work through its process but there is also a process that we are going to talk about at the end of my comments about preemption, and how do you make a judgment about what law applies, whether the state or the federal.

The minimum necessary standard doesn’t apply to disclosure to health care providers who are involved with actual treatment, but then I think we still need to think about this: notwithstanding the reference in the rule that says it doesn’t apply, if you only refer the patient out for treatment of condition A, when the patient has A, B, and C, does the [non-applicability of the] minimum necessary standard apply only to all the medical records related to condition A, or does it encompass all the issues? That is an issue that we will focus on a little further.

The minimum necessary standard doesn’t apply to disclosure to the individual and doesn’t apply to disclosures that are made to the Secretary. Say the Secretary of Health and Human Services comes to your door or your neighbor's door and says, “Hey, I would like to see how you’re doing with these privacy rules”; you have to show them everything and not just the minimum necessary.

The consent process is really [crucial?] [Tape incomprehensible-- as are the rules --Ed.]. The rule states that consent can be used by covered entities other than providers, but [as currently written, the rules are directed] toward those in the field in the trenches as we go to war to provide the care. These consents address treatment, payment, and health care operations. The rule states specifically (because I think there is a recognition that if the patient’s insurer is not going to pay unless they get information, and you are not going to get paid unless you can give to the insurer the information about the treatment you provided) that you are expressly permitted to condition your willingness in general to provide treatment on their execution of the consent. Don’t ask me about ER treatment here; obviously, given EMTALA, [this discussion] doesn’t apply there. In that situation you can’t wait to decide whether you are going to treat until you find out about ability to pay. This deals with the ordinary business in your offices and in your clinics and not the emergency room.

This applies only to the uses and disclosure for those specific purposes, and any other use or disclosure of information requires a specific separate consent and authorization, unless there is an exception to the authorization requirement, and again we’ll talk about those later.

The rules go on at great length about what needs to be in the consent, and you have dealt with these consents in other settings if you have dealt with patients who have come to you for an HIV test or if you have dealt with patients who have come to you for drug or alcohol trouble, who are covered by other federal rules. It is just that this is yet another set of rules that we have to follow in perhaps a context in which you have not previously had to deal with it. Some of these issues will not be of any great surprise to you: it's got to be written in plain language, it has to be signed and dated, it has to state the purpose for which the protected information might be disclosed, and it has to provide notice of your general practice concerning the use or disclosure of protected health information. If you have in your office protocol a plan to reserve your right to change your privacy practices, which you may well do, you have to say we may change these and if we do we will notify you. The patient can say, "You’ve got my information and you have these federal rules, and I want you to have additional conditions A, B, and C applied to my health care records." You don’t have to grant those additional requests, but if you do you’re bound, and if you violate those additional terms it’s as if you violated the rules. So, you may well want to set up additional requirements that you want to follow in your office, but once you do, remember that you are bound to follow them.

Finally, the consent has to state that the consent can be revoked. But the revocation of a consent carries with it the prospect, as we talked about at the beginning of this, that if you don’t have a consent for a release then you have lost your right to get paid for the care you are giving, so you can at that point refuse further treatment. The exception to revocation applies if you’ve already sent the records out. It’s like a bell: you can’t unring it if you’ve already sent the records out. So, if you’ve relied on a consent and released that information, you aren't in any trouble for having released it in reliance on the consent.

You may in your practice want to do combined consents that may be either informed consent or assignment of benefit that you want to have executed. The rules allow for multiple consents to be executed, but you’ll see from the bullet points here that consents have to be separately signed so you may be able to put them all on one piece of paper but you are going to have three separate consents. You can’t have just one signature for all consents.

The rules address, as you might hope, the [release] of information without a consent. The circumstances here would be inadvertently if you’re in the emergency room or providing emergency care in your office. If you are required by law to release the information either because, for example, you’ve got a medical issue or a public health issue, or you’ve got a response to a court order that follows the procedures that allows the court order to be issued, then you can release the information. In general, check the state law on this; the rules allow the release of that information without a consent.

Finally, if you have an indirect treatment relationship for that individual, say you are a radiologist and a practitioner refers that issue out to you, you don’t have to get consent from the patient to send the information back to the first doctor or to bill the insurer for the care that you provided. The indirect treatment relationship is one that is fleshed out a little bit in the rules, and this is one in which there is no face-to-face contact between the patient and the indirect provider, the radiologist or pathologist, who is outside of the sight and sound of the patient.

There are other instances where consents are not required. These are circumstances that I urge you to presume generally don’t apply to your practice, and that is where you can’t for some reason get consent from a patient because of substantial [barriers?] and, second, in your judgement, that consent is necessary for carrying through on your treatment options. This part of the rule book is distinguished from the part that we just talked about, as emergencies in which care is required by law. This is a situation in which we may not necessarily be dealing with an emergency. If you get into a situation where you think you fall under this part, stop and take a look and read the rules and give somebody a call because chances are the distinctions between the situation we were talking about and this situation are night and day, and you may not fall into this category. When you do decide that you don’t need a consent you need to document your efforts to obtain a consent for use or disclosure of information, and you have to limit use or disclosure to treatment, payment, and health care operations as we talked about before.

Authorizations

Let’s turn now to authorizations. This is sort of the flip side or the extension of the consent process. This is another circumstance where you are getting permission from the patient to release the information. The authorization can be used to disclose health information for reasons other than the reasons that we talked about, or for reasons other than treatment, payment, or health care operations; those are the reasons for which you would need authorization. The covered entity can’t condition treatment or payment on the exercise or the execution of the authorization. The exception primarily would be that you are a research-related treatment program, and I haven't completely looked at the details that I would need so that I can talk fluently about this, but one would imagine a clinical trials program where there are other issues going on other than payment or treatment. If you need their data to continue with the problem that you are working on, and they won’t authorize that release, then you can say, “Sorry, I can’t continue to let you in this program.”

The authorization here, again, as with the consent, needs to be in plain language, needs to be signed and dated, and needs to describe what we are going to do with the information. This needs to identify either the person to whom you’re going to disclose the information or the classes of person to whom you’re going to disclose the information. This amounts to informed consent about to whom information is being given. So you could say, "I’m going to give it to this group, and this is what they are going to do with the data," and [the patient] may decide, "Sorry, I don’t want you to give that information out," and that is part of the rationale for this level of specificity.

Then, as with other authorizations that have come down from either the state or federal level that you have seen again for the drug or alcohol treatment record authorization or the HIV treatment record authorization, it's got to have an expiration date, it's got to have a statement of the right to revoke, it's got to notify the patient that once the information is passed on to a third party who is not a business associate the information may no longer be protected, and it may find its way out into the public domain. Then you have to disclose whether there is any payment coming back to you as a result of the release of information by the authorization, in other words, if there is any benefit that will inure or will come back to you other than payment that you received for the treatment.

The hospital for instance maintains a directory for when you call up and ask whether so-and-so is a patient. The rules address the narrow framework for the hospitals to maintain a list of who is in the hospital, where they are, and what their phone numbers are, and they're designed so as to allow caregivers and friends to visit. The rules now address this directory but also require that on admission the patient, if the patient can address this issue, is allowed to opt out, to say, “I don’t want my name on the directory.”

Marketing and fundraising issues: there was a fair amount of discussion between the proposed and the final rules on this point about the ability to use information in your files or in the hospital's files to conduct marketing or fundraising. Again there has to be an opt-out provided to the patient for the patient to consider before this information is used. The information has to be specifically related to marketing or fundraising. The materials that include protected health information have to identify that they are marketing material and who they came from, and they also have to state whether compensation is being paid to the covered entities for the use of the protected information. There are limits about the specific type of information that can be disclosed, and included here is the name, address, and date of service, but you have to keep in mind that treatment issues are not on the list and also that, if you are in a specialized treatment clinic where there may be protected health information about the folks that are coming to you for care, it may be that this fundraising and marketing opportunity is unavailable to you because your use of their name in fundraising may alert the world to their health issues.

You have to prepare a notice and the italicized type here has to be included as a minimum in the notice that you provide. This notice describes how medical information about you may be used and disclosed and how you can access this information, so please read it carefully. That specific language needs to be included in your notes. You also have to include information in your notice, this is again separate from the consent because remember the consent specifically referred to the notice about the uses and disclosures of protected health information. The notice has to include a statement about what are your legal obligations, the summary of your obligation to maintain the privacy of information, about when you may or may not use the disclosed information, and your obligation to seek authorizations that can be remote. Your notice also has to describe how the patient can get access or a copy of these medical records or amend their information, how they can receive accounting of the access of others to that health information, and how they can ask for as we talked about a minute ago their ability to ask you for further restriction beyond those that are applied by rule, again that you have the right to accept and if you do accept you are bound to abide by it until you get their agreement to change those rules.

The rules not only say that the notice has to be given but the time in which it has to be given. This notice is going to have to be given the first time you deliver care in general after the compliance phase, after April 14, 2003. You have to give it to these patients individually, you have to post it in your office, if you have a web site you have to put it on your web site, and then if you make a material change in your notice after the first issuance you need to recirculate the notice again, put it on your web site, post it in your office, and go through the whole process again.

Access and Accounting

The access and accounting part describes generally the rights of patients to again gain access to and copy their records. You have been dealing with this because the medical records statutes in Arizona law already provide a right of access, already dictate who has to pay for copies, already dictate what you need to do when a treatment provider wants a copy of the record, or tell you in general how much you get paid or how much they charge us. What is probably going to be new for you here is the accounting information, that basically you have to have an in-and-out log. Anytime someone goes into a file and makes a copy of the records and sends them out to a third party, you need to keep a record of who it was that asked for it, what was sent out and when, and there may be other information, but at a minimum this information has to be maintained in a log, which will require you to make, among other choices: do you make a separate copy of everything you ship out to show what you sent out; or do you Bates stamp all your records and keep a log of which pages in your file you kept; or else specifically how are you going to identify to whom the records were sent. The patient can ask six years back in your records about who you gave information to, and so these records are going to have to be kept for a long period of time, and so I think that is part of the process even as they were announced in December last year to give two years to implement this, because of the time frame and the tremendous effort that will be required to comply.

If you get a request for access, you have 30 days to respond, and you have 60 days to respond to a request to amend or receive an account of protected health information.

If you for some reason make a judgement that the request that has come on either the request for access or request to amend or get an accounting should be denied, you have to put that down in writing, explain why you denied it, and if there are any applicable review rights or appeal rights that the patient might have to challenge your decision or at least have a conversation with you about the decision, those also have to be included in the denial.

You can’t deny a request for an accounting. I presume it is the patient that has asked for the accounting. You need to look carefully at the source of any of these requests because you don’t want to inadvertently disclose information to somebody that isn’t entitled to it and doesn’t have the appropriate consent and authorization.

The accounting rules are to take account of some of the issues I know you all have thought about because you are thinking that every day a lot of paperwork goes out of your office, or a lot of electronic files out of your office that contain protected health information for payment or treatment or for other purposes such as responding to a patient request for a copy of his records. You don’t have to, at least in this part of the rules, keep track of those disclosures for purposes of the accounting.

That is going to be a part of the compliance issue because you are going to have to deal with the people in your office and have processes in place to be sure that people can distinguish between disclosures for purposes that don't have to be kept track of under the accounting law and disclosures that do have to be kept track of. Presumably, the second category, those that have to be kept track of, are going to be a much smaller universe of records, but still a process is going to have to be kept and we are going to talk a little bit about the training requirements that you have to follow because that is another piece of your obligation under these rules. Records that were disclosed before the compliance date likewise don’t have to be kept track of under the compliance and the accounting rules.
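As an added illustration (not part of the talk, and not HHS or AAPS code), the following Python model of the in-and-out log applies the accounting rules described above: it records who asked, what went out and when; leaves out disclosures for treatment, payment, health care operations and copies sent at the patient's request; leaves out anything disclosed before the April 14, 2003 compliance date; answers a request six years back; and computes the 30- and 60-day response deadlines. The purpose labels, field names and every sample entry are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)   # compliance date given in the talk
LOOKBACK_YEARS = 6                    # the patient can ask six years back
# Response windows from the talk: 30 days for access, 60 for amend/accounting
RESPONSE_DAYS = {"access": 30, "amend": 60, "accounting": 60}

# Disclosures the talk says need not be tracked for the accounting:
# treatment, payment, health care operations, and the patient's own requests.
# (Purpose labels are constructed for this example.)
EXEMPT_PURPOSES = frozenset({"treatment", "payment", "operations", "patient_request"})


@dataclass(frozen=True)
class Disclosure:
    """One line of the in-and-out log (constructed field names)."""
    patient_id: str
    disclosed_on: date
    requested_by: str   # who asked for the records
    recipient: str      # to whom the records were sent
    purpose: str        # e.g. "payment", "subpoena", "public_health", "research"
    what: str           # what was sent, e.g. a Bates range or page list


def years_before(d, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def needs_accounting(d, as_of):
    """True when the entry must appear in an accounting requested on `as_of`."""
    if d.purpose in EXEMPT_PURPOSES:          # TPO / patient copy: not tracked
        return False
    if d.disclosed_on < COMPLIANCE_DATE:      # pre-compliance: not tracked
        return False
    return years_before(as_of, LOOKBACK_YEARS) <= d.disclosed_on <= as_of


class DisclosureLog:
    """Append-only log of protected health information that left the office."""

    def __init__(self):
        self._entries = []

    def record(self, d):
        self._entries.append(d)
        return d

    def entries(self):
        return tuple(self._entries)

    def accounting(self, patient_id, as_of):
        """Entries owed to this patient for a request received on `as_of`, oldest first."""
        hits = [d for d in self._entries
                if d.patient_id == patient_id and needs_accounting(d, as_of)]
        return sorted(hits, key=lambda d: d.disclosed_on)


def response_deadline(request_type, received_on):
    """Calendar deadline for answering an access, amend or accounting request."""
    return received_on + timedelta(days=RESPONSE_DAYS[request_type])


def build_sample_log():
    """Constructed sample entries; patients, requesters and recipients are fictitious."""
    log = DisclosureLog()
    p = "P-001"
    log.record(Disclosure(p, date(2003, 3, 1), "study coordinator", "registry (sample)", "research", "Bates 000001-000010"))   # before compliance date
    log.record(Disclosure(p, date(2003, 5, 1), "study coordinator", "registry (sample)", "research", "Bates 000011-000015"))   # outside six-year window below
    log.record(Disclosure(p, date(2004, 2, 20), "health officer", "public health authority (sample)", "public_health", "lab report p.1"))
    log.record(Disclosure(p, date(2006, 9, 5), "court clerk", "court (sample)", "subpoena", "Bates 000020-000032"))
    log.record(Disclosure(p, date(2008, 3, 3), "billing staff", "insurer (sample)", "payment", "claim attachment"))             # TPO: exempt
    log.record(Disclosure(p, date(2009, 6, 10), "patient", "patient", "patient_request", "full chart copy"))                   # exempt
    log.record(Disclosure("P-002", date(2005, 1, 1), "court clerk", "court (sample)", "subpoena", "Bates 000100-000104"))      # other patient
    return log


def sample_accounting():
    """Accounting for P-001 on a request received 2010-01-15 (window starts 2004-01-15)."""
    return build_sample_log().accounting("P-001", date(2010, 1, 15))


if __name__ == "__main__":
    received = date(2010, 1, 15)
    for d in sample_accounting():
        print(d.disclosed_on, d.requested_by, "->", d.recipient, d.purpose, d.what)
    print("respond by", response_deadline("accounting", received))
```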

Additional Protections

We talked as much as we need to about the request for extra protection. If you get a request in, you can accept or reject it, and if you accept it you have to follow it in general except in the case of an emergency.

Psychotherapy notes have received separate treatment in the rules because of a couple of issues: first, the condition of the patient. I think if you read through the rules, under "comments," that part of what you know from your treatment of patients who are undergoing psychotherapy is that there is something about their condition that requires a different frame of analysis, in contrast to setting a broken leg. The rules actually deviate from what we talked about already. In general, if I am a psychotherapy patient and I come in and say I would like a copy of my records, there actually is a process that allows you to refuse that request. If I am a psychotherapy patient, you have additional responsibilities for use and disclosure here that require the exercise of the discretion that you all can well appreciate given the patients that you are dealing with. There are certain circumstances here that are special: circumstances under which disclosure is more specifically outlined and permitted, depending on legal action brought by the individual, or permitted by law for oversight. Again, as I already said, the individual has far more restricted rights to gain access to his own personal psychotherapy notes or to make changes to those records.

Disclosures without Authorization (as when Required by Law)

When we talk about disclosures without written authorization, we really in a way are talking about the same issue we talked about a few minutes ago concerning consent. Is the disclosure required or permitted by law, and what is the specific information that may be disclosed? Examples would be vital statistics or communicable disease information. The DHS statutes, title 36, and the health code and administrative code contain a long list of health conditions that require information to be released without authorization or consent for public health purposes. Again, when you're making the revelation of that information, you need to look at the Arizona code and find out what the minimum standard is, and whether information goes beyond what the statutes require to be revealed, whether it is tuberculosis, rabies, or any other diseases that have to be reported. I would think closely about deviating, at least without much further analysis, beyond what the statutes require you to disclose.

I had an interesting issue come up, and you from time to time may have had to face this issue in your practice. It shows how the whole privacy debate has changed in Arizona and at the national level with regard to how we are thinking of shifting about your responsibility and even my responsibility, if I’m representing you in your practice forum and I have the obligation to look at your records, because these rules even reach your retention of a lawyer. The lawyer becomes a business associate, at least within the reading of the rules. So if you hire a lawyer to represent you in either a compliance matter or regulatory matter, a negligence matter, you name it, the rules need to be looked at because the thinking until now has been that the lawyer was simply an expansion of you and the attorney-client privilege bound the lawyer to keep the information at least as private if not more private than you were obliged to keep it. The rules, at least according to a number of folks who have looked at them, take a different cut at that and are going to have to inject a degree of friction into the physician-patient relationship. You are going to have to say, oh and by the way in addition to the insurance company, I also want you to authorize me to send these records off to my lawyer. That will, in short, make the treatment a pretty happy experience, as if it wasn't already. [Audience laughter]

Here's the experience that I have to deal with (you all may never have had the opportunity or difficulty to deal with this), but I was representing a provider who was trying to get licensed in Arizona from another state. And there had been, as happens because you know how hard it is to file a complaint in a malpractice action, it doesn’t take much, an action in the provider’s home state that had been resolved, and resolved satisfactorily. The board here wanted to look at the treatment record of the patient who filed the complaint against the provider. Well, it’s an easy question if the provider’s licensed in Arizona because most of the practice statutes say basically that the doctors or nurses or dentists have to give up the records to the licensing board. The licensing statutes in the other states had the same answer: to that licensing board you have to give them up. Well, this provider wasn’t licensed in Arizona, and this provider wants to get licensed in Arizona. This provider doesn’t want to go back to this patient that has filed a complaint of malpractice action against him and say, oh by the way I would like to give your treatment records over to this other licensing board, you don’t mind, do you? He doesn’t want to do that. I posed this question to the assistant attorney general representing the licensing board to say help me out of this box and how do I solve this problem. They were at once sympathetic to the dilemma that the provider faced because the doctor does not want to get in trouble in his home state for breaching confidentiality requirements in his home state. He also does not want to set himself up for an unprofessional conduct [complaint] filed here because he took records that were confidential and disclosed them to a person to whom disclosure wasn’t authorized. The agency’s perspective was, well if we don’t get them then we won’t allow you to get licensed; we are going to deny your application.

So, nothing happens without a price and nothing happens without a cost, and here it’s pretty simple and easy to resolve, at least it ought to be an easily resolvable example of how our heightened attention to privacy just creates these unintended consequences that, as you know, create the presumption that if you don’t want to give it up then you have something to hide. So if you don’t want to give it up then there must be something else going on here. So, there’s another tension that we are facing here as we look through Disclosure Without Authorization under the rules: the law requires disclosure to licensing bodies in connection with audits and investigations. But again you have to look through and see, is this disclosure required by law, and can you verify the identity of the person who is asking for the records? So, if a request comes through from the lawyer or a subpoena from the agency, is that good enough? What if it comes in to get records that aren’t within the jurisdiction of the agency, and but for lack of that little technicality, disclosure would otherwise be required?

All these issues are going to have to be dealt with, and they are going to have to be dealt with in the context of thinking that if you don’t want to give it up you have to have a reason not to give it up and that you are not being cooperative.

Other examples of the rules: the statutes address a number of required reports in instances of abuse and neglect of an adult or child. In looking through the Disclosure without Authorization section, think about the public policy that supports this and the other issues that are involved here. The rules specifically comment on whether [the disclosure] serves the greater good in terms of public health oversight or the organ donation issue, which is one that is probably not far from any of your thoughts as we hear again and again about how in this growing community organ donations are not where we think they ought to be. The last is one that is difficult for even me to talk about, and I’m sure it is for all of us. That is the funeral arrangement scenario where there may be certain information that needs to be disclosed to the funeral director who is getting ready to bury your loved one, family member, or friend. They may need information as they do their work, and what do you do without an authorization or consent? The rules make clear that even after death the consent and authorization requirements still continue to apply.

The Compliance Process

We’ve now talked about the easy part of the rules; we are now getting ready to talk about the hard part, and this is compliance. The compliance process is the one that is probably going to require all of your attention in the next couple of years as you go to work on this. Covered entities have to appoint or designate a person on the staff that is going to be responsible for compliance. She is going to be the contact person for complaints or questions from the regulators and the public. You are going to have to have a process for training employees. You are going to have to adopt policies that will address what to do about either inadvertent or intentional disclosures of protected health information and in this case intentional and wrong disclosures. You are also going to have to have a process to address intentional and correct disclosures. You are going to have to have a process in place for patient complaints about your violation of your policy rules. You are going to have to have a policy in place that says how you are going to sanction your employees for violation of the rules. You also have to have a process that when you discover that a mistake has been made what you are going to do to mitigate or [tape blank for a couple of seconds] in the [case of a violation by a business associate], what you are going to do about the business associate. Remember back to one of the early screens that we looked at when we talked about your relationship with your business associate. You have an obligation under the rules to provide in your contract a process for performance by the business associate. You know or should have known that the business entity was violating your rules, and you have to take action. Part of that action may be reporting them to the Secretary, part of that action may be terminating the contract, but you can’t sit back and say it’s not me, it’s them because either way that is you.

You have to have a process to make sure that there is not going to be any retaliation either against your patients or against your staff for complaints or reports about compliance with the rules. You have to have a process for implementing any changes to your privacy policies with respect to information.

You have to have a training program for your employees, and the training program helps to address the organization's privacy policies. Then, when material changes occur, you have to be prepared to have a training program to address these changes in policies as well.

Pre-Emption of State Law

The pre-emption issue is one that we may deal with from time to time to some degree with ERISA about whether the state insurance laws apply for payment purposes or grievance review, or whether there is a mandate or not. We have a whole separate preemption test here about whether the federal rules apply or whether the state law applies. The rules are like the federal statutes, and generally state laws are preempted. A state law is going to be considered preempted if it is contrary to the federal rules, and the test for whether it is contrary is that you can’t comply with both. Determining you can’t comply with both isn’t the end. If there is a state law that addresses fraud and abuse, or insurance regulation, or reporting on health care delivery, those reports are going to be subject to state law assuming that there isn’t some other federal law that preempts the obligation over the state law. So if you have ERISA law that preempts insurance, then even though you have an insurance law that otherwise preempts a piece of this, ... well, I don’t need to make this even more confusing than it already is. [Audience laughter]

State laws that regulate controlled substances in general will not be preempted by federal law. If you have state privacy laws that are stricter than the federal rules, which would make compliance with both not possible because you have a less strict federal law and you can’t comply with a less strict law and more strict law and be in compliance with them both, you can comply with the state law on privacy.

I would note just as an aside that in addition to the Arizona federal action here on HIPAA there was another set of laws that acted in the financial modernization realm, the Gramm Leach Bliley law that repealed a previous law [unintelligible] and allowed integration of banks and insurance companies, and that there is another set of rules that the Federal Trade Commission has adopted that addresses financial institutions, which in general excludes health insurance but not always.... [I think he refers to a recent issue of Business Insurance that runs through examples in which some thought Gramm Leach Bliley applied, but one had to look at the other set of rules as well.]

And then state laws that relate to public health, funding of health plans, and licensing of facilities are also preempted. Federal rules establish a whistleblower provision that allows your employees or others to file complaints with the Office of Civil Rights within the Department of Health and Human Services to have issues heard. Enforcement action and interpretation for all issues that involve the effectuation of the rules is given to that part of the department. That department then has authority to impose civil penalties here for violations. They also have the authority to seek criminal prosecution for violations that run all the way up to 10 years in prison if a violation occurs where there is active marketing of protected health information for commercial purpose or commercial advantage. These are initial issues that will need to be developed into your compliance training program.

Organized Health Care Arrangements and Hybrid Groups

There are issues here that address health systems and medical groups. There is a whole new category for an entity called Organized Health Care Arrangements: for example, multiple providers in a group practice and hospitals that are getting together for integrated care. You have a joint practice arrangement. You have a group health plan, two or more health plans, you’ve got either employers or insurers that are getting together and pooling their information. They can comply through this joint arrangement, this Organized Health Care Arrangement, and have one integrated system for compliance which will allow joint notices, a uniform consent form, a uniform authorization form, a uniform record-keeping system, all the issues we have been talking about. What you will see is that, as you make the concession in this setting that you are part of a joint force or effort or you are organized together, [this may create problems concerning] the efforts you may have made in another setting to avoid antitrust [violations] or to avoid other issues about reporting requirements, whether they are holding company requirements or reports to shareholders or whomever. Those issues need to be looked at here because solving the joint notice and authorization problem may create a whole host of other issues for you.

Now, let’s talk about hybrid entities. Let’s say an employer has an off-site clinic as a part of the overall operation. The assumption that we talk about here is that the rules specifically say that the record-keeping requirements or reporting requirements apply only to the health plan part of the operation; that for other pieces of the manufacturer's operations, they don’t need to comply with the HIPAA privacy rules. But, to the extent that there is any sharing of information that is flowing in, a close look needs to be taken just to decide first if that needs to happen, and second if it does whether the assumption ought to be that records that are flowing in are all subject to a stricter reporting requirements.

As we talked about with regard to the organized health care arrangements, entities that are already together and clearly affiliated and that can [designate?] themselves as a single covered entity can adopt joint notices and consent forms, [but] they have to comply separately with the rules regarding disclosure between and among entities. In other words, if there are in fact separate processes, they have to see to it that they are each individually met. You can't say "we've done it at the top and we don't have to see to it that it is carried through down below." You have to follow through and see that it's done at all levels.

Conclusions

As if I didn't need to say this: There's lots of hype and concern about privacy at all levels of the health care system. It reaches all the way from the top to the bottom, wherever that is. There are discussions going on at the payer, regulator, and other levels. I have covered a number of points here, probably 2000, including a number with enough detail to give you the information that you need to take home with you and to your practices. Part of the reason that Steve and you invited me here today was to bring these issues more closely into focus for your attention to give you the opportunity to give this thought and to talk about these issues.

Questions from the Audience

Q: Do these regulations refer to chiropractic or osteopathic or naturopaths or any other types of health care provider?

A: Your question is what providers do the rules apply to? As far as I understand, it applies to all health care providers. MDs are not singled out or singled in. Everybody that is a health care provider is covered by these rules. Nurses would likewise be covered. As you anticipate, this is going to raise issues because you have state and federal laws on educational privacy issues.

Q: What about situations involving workman’s compensation?

A: Workman’s comp in general is not included. It is interesting to think about worker’s comp not as health coverage but as a casualty coverage. The carriers that like workman’s comp coverage have been principally dealing with worker’s comp issues through Gramm Leach Bliley analysis and not HIPAA. HIPAA only applies to health coverage, which, curiously, worker's comp is not.

Q: Does it apply only to health care coverage?

A: I guess I need to step back here a bit. As far as the carrier that issued that, the providers that are providing worker’s comp coverage are going to need to look at both worker’s comp statutes and these rules to make a judgement about disclosure. As we walk through certain disclosures that have to be made by law and a part of that treatment process (I mean when they are coming in for treatment for worker’s comp they are there generally not on their own nickel, they're there because the employer is paying for it), this raises other issues as far as employers' insurance paying for that. So there are ways again to address certain consent for treatment payment issues to ensure that disclosure can be made as a condition for treatment.

Q: What about situations in which the physician is not acting as a health care provider?

A: The rules address activities of the health care provider, which include utilization review and quality management. And as we saw a couple of years ago, a thing consistent with the line of thinking on the rules was the Arizona Court of Appeals decision in the Murphy case involving Dr. Murphy and Blue Cross [?], on whether his action of giving a second opinion fell under BOMEX jurisdiction when he was not giving actual treatment but making a judgment about the extension of coverage. The same thing applies as the worker’s comp unit is subject to these rules about the disclosures that can be made using the minimum necessary standard and who it can be disclosed to. There may be disclosures that can legally take place between the carrier and those involved in administering the clinic. But there is the whole rest of the world....

Q: What about the situation in lawsuits, where exhibits are made of medical records, when medical records were made public in a public setting?

A: If they have already been made public in that setting, you have a couple of issues. You certainly have the presumption that by bringing a claim there is a waiver and the patient agreed to the use of those records. From the additional analyses that I've looked at, [you need to ask] is there a statute that requires the disclosure and a process that provides for that mandatory disclosure? If you are brought to BOMEX because of a complaint about treatment in a worker's comp setting, BOMEX has subpoena power; BOMEX has wide-ranging authority to look at records and get them from a doctor and in fact if the doctor doesn’t turn them over, they'll talk to the doctor about that too. So I think part of what this two-year interregnum or delay allows between the time of formal publication and review is to stop and look at all the different systems that are affected. Because your question is one that at first blush says this has got to be the answer, but we get into more and more layers and we need to think about this, and that thinking starts a lot of discussion and has made a lot of us think that the rules might not apply immediately. It has also sparked a number of rumors or beyond rumors about bills being introduced into the Congress to either repeal parts or delay the whole thing, and we will see how that all plays out.

Q: Is there an intention in the rules to allow patients somehow to amend our office charts?

A: The question is about is there an intention to allow amendment of the records. I think there clearly is an intention to permit the patient to correct errors in the record.

Q: If the author sends them to dictation and he is signing them, and the patient doesn’t like those findings then they can just change?

A: The process contemplates just that kind of dialogue. The process also contemplates your ability to reject that proposed change and that you also know from your own practice performance that if you go back and review your records, you on your own without a request, make the judgement to make a change that you don’t make the change by pulling out the page; you make the note to reflect the change, initial what has been deleted, and date the note that makes the change and reflects why it was made. [Audience laughter.] This just raises, as you anticipate, a whole host of difficulties and if we can spend some more time I would welcome the chance to talk about specifics and have about 500 pages to show you exactly what kind of detail you've got to have here.

Q: Do you think that on a point of disagreement-like if the doc says I'm ugly and I say no I'm not, and the doc says no, I was right the first time- do you anticipate there being some specific provision such as in the data bank where you get to put in your 2 cents worth? Say you get to look over your record, but the record's going to stay the way it is. Is that something you see?

A: As I have read the rules, I didn’t see a contemplation that the give and take needed to be reflected in the record. The rules contemplate that ... if you had a review process or at least contemplate having a review process, that you comply with it. From a business standpoint, stepping aside from the medical standpoint and dealing with your customers and having them refer patients to you, you will of course want to talk to your patients the first time and maybe even the second time, maybe not the tenth time, but I don’t see anything as I have read through it that said you have to say, well, "Greg says he’s not, and I say he is, and how do I get to make the final call?" The rules as I read them say that they can request it. It probably is a good idea to keep the documentation of the record but not make it a part of the record but put it in the file so that that issue won’t haunt you down the road; you have to try to keep a paper trail.

Q: If it turns out that the doctors' offices do a lot of administrative work and they have a lot of patients who want to look through their records, is there no provision for billing for that?

A: These rules don’t specifically address billing. I think billing is a state law issue. As I understand the state law issue, patients can be billed for [inspecting or copying] their own records. I am going back to look at title 12 and I think in 2291 in that range in the statutes, my recollection is that the statutes are pretty clear about how much they can be billed. Even if you got a subpoena at $10 an hour and 10 cents a page, that is not going to keep you going. You can’t pay your office staff enough money to get them to do that. I don’t recommend that anybody go into business and make this sort of a profit center.

Q: [Unintelligible]

A: I'm sure this will give the opportunity for more dialogue than you want. [Audience laughter]

Q: Suppose the patient comes to the office, and the staff shows them the list of authorizations and consents that they want them to sign, and the patient says, “To hell with you; I don’t want to sign any of them.” The physician speaks with the patient, and he says, "This has nothing to do with our relationship, and I’m not going to sign it." Can the physician then and there, without subjecting himself to charges of abandonment, tell the patient that he is not going to be accepted as a patient?

[Some unintelligible remarks, with much laughter: "I told you I didn't want to talk about EMTALA."]

A: The rules in general state that if the patient refuses to sign the consent you can refuse treatment. I think the general answer to your question would have to be, yes, if the patient refuses to sign the consent then in that circumstance the doctor can refuse to accept the patient. The other would be if the consent is revoked and then you have an issue that comes more sharply into focus. There are particular circumstances such that there is not a consent on file, and it's an existing patient and they now come to you, that is another situation that the rules don’t address, and my guess is that in that setting it is not going to be as clear and easy to say, "I’m not going to see you anymore." But for patients who have seen you that long there may be other issues that you want to at least spend a minute rather than call the cops right away.

Q: After seeing a patient for many years and you have established a relationship with them and they come in and say "I'm not going to sign that," can you still take care of them?

A: That is a business issue. How are you going to get paid? If the payer says we are not going to take records except electronically, you can’t disclose this information to the payer in any other way, and you can’t disclose it to them without authorization.

Q: [unintelligible]

A: It is more than just managed care. Even the indemnity companies are going through this same process. When this prompt pay bill went through, ... it swept in all carriers. I think your issue goes to sort of a broader question of the dollars now circulating through the system, and they are putting an inordinate amount of pressure on you and others who are a part of this. This is the wrong end of the equation that is dealing with this, and we have to pay for it. The answer, I think, in reality when we look at the rules is that for your practice, for your legal responsibility, your ethical responsibility under Arizona law to your profession and your patients, that this rule applies to you and says that you have to do it, and the fact that it may have been served up by someone else doesn’t excuse you from performance. That is not a very happy answer, but I think we all want to know how we got here and now it’s a matter of soldiering on, or figuring out if there's a way to undo the process. But again even if we hear stories about whether the rules are to be pulled back or someone is going to get a bill introduced, right now these rules are on track and you have to comply, and you have two years to comply. When two years comes, and the answer is, well, I thought that somebody was going to pass a law to reject that, that is not going to be a very good excuse. And that is a sorry answer, I’m sorry.

Q: [unintelligible]

A: That must be one of the concessions that you can see in the rules. If you are a doctor running an office where you don’t take insurance, you just take cash and so you are not sending information out to third parties, or at least you have some control over the medium in which it goes out, then the rules carve you out. But, if you are a provider that takes payment from insurers and the insurer requires you to submit electronically, or you are only an AHCCCS provider and the state requires you to submit information electronically, or you are in self-administered plans and it's not insured, but the TPA requires you to submit records electronically, [then you're in]. You can come up with any number of scenarios: you’re working through HIPAA, Medicare, some other state plans. If whoever it is that wants information about the patient care you are delivering wants that information delivered electronically and you deliver it to them electronically or you receive records electronically, I think the rules apply. It’s just a very narrow island of physicians or providers that aren't getting paid except in cash that basically are not required to comply with these rules.

Q: [unintelligible]

A: Part of the thread that moves through here is this: is there a way that somebody can steal the information that is sent out? Whether it's sent out in a specialized data format or sent out in a standard form in a scanned document in Adobe Acrobat or whatever.... Over the fax line, people can at least in theory get at telephone communications. I don’t think it gets right to phone line communication. My understanding, and I will ask to be corrected on this, is that I would not assume that fax documents are exempted from the rule. Again, I would welcome being corrected on that. I looked through this and I expected to see that in a flashing light to say DOESN’T APPLY TO FAXES and frankly I didn’t run across that. That is a point that really requires more focus on my part. That’s all I can tell you.

Q: If everything generated out of your office is hard copy that is all mailed and there are at this point no electronic claims in your office, but there is some transmission to managed care (there's someplace you have to send it to and there's some electronic communication in that office), does that put you into the covered category?

Let me expand that. If you dictate in electronic format, so to speak, using verbal transmission, is that considered electronically transmitted or a special concession?

A: Suppose the cassette tape on one hand, and some other electronic re-creation on the other; again that is an issue that requires some reflection and I would have to spend a little more time looking it up. I don’t know the exact answer to that question, but I think it highlights again the nuances here because it would be interesting to think that a recording on just a standard cassette tape would generate one answer, but if you have a digital recorder that will take a floppy disk then that generates another answer, and that may not be the case. I need to say one rule may not apply. I think to your question though that the answer is, if you’re not involved either directly or by contract in the creation or transformation of a document into hard form then you are not required to adopt these compliances that I have talked about. The entities that are doing that are upstream from you or downstream depending upon how you want to phrase this or look at it. They are all covered entities that have to comply and they all have to keep their own requirements, including securing authorization for publication for the transmittal of the records, including the potential responsibilities including right of access and notice and all the rest that we’ve talked about here.

Q: What approximately do you charge to get an office into compliance?

A: I think it depends upon what your practice is, how big your office is, and I would be happy to talk with you about that. We would certainly welcome the chance to provide that advice. My purpose here is really to alert you to the issue and then provide a framework. You may already have a lawyer that you are comfortable dealing with, and I don’t want to interrupt that relationship, but our firm can do it.

[does not want to specify a price and invites private discussion] You wouldn’t want to say, this is how much I charge for this service, right? I wouldn’t want to get in trouble as well.

Q: Inaudible.

A: This is not going to be cheap.

Q: I’m confused about the accounting issue. Could you clarify? The accounting does not have to report any associated treatment or health care operations, so theoretically I guess every time that you have a chart sitting up on your rack everybody is going to request that information. Frankly, what other scenarios are there in which we have to record in there? The patient is moving to another doctor's office, etc.?

A: I think, from what I read in the comments about the accounting, that there may be notes about how information flowed through the system. I encourage you to take a look at least at the first part, for example, the federal rules as they tell you in the anecdotes that frankly I think would not sit well with any of us, where company A happens to have a bunch of old computers, and they sell those old computers in bulk to another company, and that other company pulls up patient profiles and pharmaceutical records, and that is the sort of thing that is bound to happen. We now get this in response to that, and it works as a mismatch. I think that there is some sense that there may not be much to be accounted for, but if there is anything that falls outside those three areas, then we will say that you have to keep a record of it.

Q: You could turn this around and use it very beautifully as a weapon. Say I've got 30,000 PacifiCare patients, and I call up PacifiCare and say I want 6-year records of all the accounts. If they have to comply with this, you're talking about a financial nightmare with that information.

A: I certainly would think that if that kind of campaign or scenario were to play out, that probably would be symptomatic of another issue, and then maybe compliance with the disclosure issue is part of the issue the company would face. Frankly, it would be an interesting exercise to go through if you’re PacifiCare and somebody works out that campaign for a bad purpose and not for good purposes, because frankly how are 30,000 going to think of that idea on their own? That is another issue that we can talk about.

[Clapping.] Thank you for coming. That’s it for tonight.