I am Sharon King Donohue, General Counsel of the National Committee for Quality Assurance (NCQA). On behalf of NCQA, I want to express my sincere appreciation for the opportunity to testify with respect to the consent requirements under the final HIPAA rule entitled "Standards for Privacy of Individually Identifiable Health Information."
NCQA is a leader in the effort to assess, measure and report on the quality of care provided by the nation's health plans. Established in 1990 as a not-for-profit, independent organization, NCQA's mission is to improve the quality of health care for people everywhere. In its first decade, NCQA has accredited half of the HMOs in the country, representing 75% of the enrolled population in HMOs. NCQA's efforts are organized around two activities, accreditation and performance measurement, which are complementary strategies for producing information to guide employer/consumer choice of health plans. NCQA's work has demonstrated that health plans can play an important role in improving the quality of care for their enrolled populations. NCQA is also currently working on performance measures at the physician level.
NCQA commends DHHS for building a federal framework for privacy protection through promulgation of the "Standards for Privacy of Individually Identifiable Health Information." HIPAA's call for administrative simplification and using technology to speed the electronic transmission of health information makes protection of personal health information an even greater societal concern. Congress recognized that administrative simplification without privacy protections could not succeed. The public policy challenge becomes how to strike the appropriate balance between protecting the privacy of a patient's health care information and ensuring that we do not adversely affect the complex flow of information throughout the health care system necessary to advance the nation's quality agenda.
From its inception, NCQA has realized the importance of patient privacy and confidentiality. NCQA recognizes that consumer trust in safeguarding the appropriate use of individually identifiable information is critical for advancing quality measurement and improvement. NCQA accreditation standards include essential privacy and confidentiality protections that are consistent with many of the specific requirements of the final rule. We have also been committed to bringing stakeholders together through public forums to continuously rethink needed privacy and confidentiality protections in the context of an ever-changing and complex delivery system. Most recently, with private foundation support, we joined with the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) to co-sponsor a national conference on patient privacy and confidentiality.
While NCQA supports DHHS's commitment to protect medical information privacy and much of the content of the final rule, we believe there are aspects of the final rule that must be reconsidered, otherwise consumers will be harmed. Several provisions of the final rule may have the unintended result of preventing the sharing of health information that fundamentally advances the health plan's role in facilitating improvements in quality health care for consumers. NCQA fears that one of the underlying assumptions of the final rule is a view that health plans are limited to financing and health insurance functions. This assumption flies in the face of a philosophy, first rooted in the original Federal HMO Act, that health plans are important coordinators and managers of health care delivery for defined populations.
Over the past decade, and in part stimulated by the demands and expectations of employers, the Medicare and Medicaid programs, state and federal regulators, and private accreditation groups like NCQA, health plans have attempted to build integrated and accountable delivery systems among network providers. As best articulated by the Institute of Medicine in its recent report entitled, "Crossing the Quality Chasm," information is the means by which integration of providers and plans can effectively be deployed to deliver high quality care. It is only through collection, analysis and action upon information that our health care system can also hope to reduce medical errors such as those described in the Institute of Medicine's report, "To Err is Human," which estimated that medical errors contribute to the premature deaths of between 44,000 and 98,000 people a year in US hospitals.
Today's health plans do not merely pay bills as many consumers believe, they anticipate care needs through careful analysis and feedback of medical information and direct outreach to enrollees for the purpose of promoting prevention and disease management. Health plans actively organize and design quality assurance, quality improvement, and patient safety programs to encourage network providers to use evidence-based practice guidelines and reminders in improving care for patients. Health plans oversee the medical appropriateness of treatment decisions through utilization management programs. Health plans subject themselves to rigorous external scrutiny through private accreditation programs that measure a plan's contribution to improving the quality of care for its enrollees while setting standards for internal plan structures and processes, including medical record documentation. Health plans make investments in performance measurement systems such as the collection of HEDISÒdata at both the provider and plan level because there can be no quality improvement without a commitment to measurement.
For example, the dramatic impact that health plans have had in improving quality can now be demonstrated by looking at HEDIS rates from 1996-2000. During that time, the rate at which Beta Blockers are prescribed for cardiac patients has improved from 63% to 89%. Cervical Cancer screening rates have gone from 70% to 78%. And in only three years, the Chicken Pox Vaccine rate has increased from 64% to 71%.
While these important plan functions are appropriately recognized in the final rule's definition of health care operations, NCQA does not believe the rule recognizes nor appreciates how these functions are dependent upon the flow of personally identifiable health information from the individual provider level to the health plan.
Concern: Preamble language and the recent policy guidance issued by the Office for Civil Rights indicates that, even if the written consent is captured for health care operations, the final rule only permits protected health information to be used in support of the provider's health care operations and not the health care operations of other covered entities.
Recommendation: Guidance is needed to clarity that under the rule a health care provider may, without individual written authorization, disclose to a health plan protected health information necessary for the plan's health care operations.
The HIPAA privacy rule permits a covered entity to use or disclose protected health information for purposes of treatment, payment and health care operations, including quality assurance, performance evaluation and accreditation activities (section 45 C.F.R. § 164.502(a)(1)(ii)). The rule makes clear that a provider may disclose information for the purpose of taking action related to its own health care operations. The recent policy guidance and the preamble to the rule interfere with the flow of vital information to the health plans for purposes of the plan's health care operations and effectively create a shield whereby the providers can refuse to give the health plans access to personal health information. In fact, in the most recent round of HEDIS data collection, some providers have already refused to supply health plans with HEDIS data.
The preamble of the regulation states:
"In the final rule, we do not change the general approach of defining health care operations: health care operations are the listed activities undertaken by the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the operations of a second covered entity); a covered entity may use any protected health information it maintains for its operations..." 65 FR 82490 (emphasis added).
The policy guidance reinforces the preamble by stating:
"…because the consent is only for a use or disclosure of PHI for the TPO purposes of the covered entity obtaining the consent, an authorization is also required if the disclosure is for the TPO purposes of an entity other than the provider who obtained the consent… Rather, an authorization, and not a consent, would be the proper document for the plan to use when requesting such a disclosure." Policy Guidance p. 8 (emphasis added).
The regulations define health care operations as those "activities of the covered entity to the extent that the activities are related to covered functions," including quality assurance, performance evaluation and accreditation. Under the current health care delivery and payment system, the health care operations of a health plan are directly related to the health care provider's activities and functions. Health care providers may be part of a plan's network through which the providers receive referrals and render treatment to the plan's members. In addition, providers submit claims for reimbursement to the plans and are often responsible for implementing plan requirements, benefits or programs, such as disease management. The activities of these providers are an essential part of the health plan's health care operations. Moreover, the quality assurance, performance evaluation and accreditation of the plans are directly related to the provider's activities and the provision of treatment by the provider to the plan's members. Finally, as part of the accreditation process, plans are required to submit to the accrediting body information that includes, or is based on, protected health information obtained from providers that provide health services for which the plan pays.
Clarification is needed to ensure that the privacy regulation does not prevent plans from getting information from providers that they need for accreditation and other health care operations. Health care providers must not be able to use the HIPAA privacy rule as a shield which "prohibits" them from disclosing protected health information for the plan's health care operations, absent individual authorization. If providers are in fact prohibited from disclosing to health plans the protected health information necessary for these activities, the quality, accountability and oversight of health plans will be seriously jeopardized.
For example, absent protected health information obtained from providers, a plan could not show that it has met the accreditation standards requiring plans to improve the health status of members with chronic conditions. In addition, HEDIS performance scores that rely on complete and accurate information from defined patient populations would be rendered unreliable and in some cases meaningless. This data can in large part only be collected through access to individual medical records. Administrative data and billing systems are not accurate enough to generate meaningful quality data and comparable results among plans.
Accordingly, guidance is necessary to clarify that under the rule a health care provider may, without individual authorization, disclose to a health plan protected health information necessary for the health plan's quality assurance, performance evaluation, accreditation activities or other similar health care operations.
Concern: The required written consent at the individual provider level may obstruct health plan access to information needed to support important quality of care functions (Section 164.506).
Recommendations: Permit providers to share individually identifiable health information to support treatment, payment, and health care operations without obtaining a written consent. Leave in place the requirement for written notice at the provider level to ensure that individuals are educated about the use of their protected information for treatment, payment, and health care operations.
The final rule requires providers to obtain the individual's written consent to use or to disclose protected health information for treatment, payment, or health care operations. This policy departure from the proposed rule may seriously impede the flow of information between provider and plans needed in support of the important plan functions enumerated above. Unlike providers, plans have limited direct access to patients and are reliant on network providers for information on a patient's medical history, current condition, diagnosis, and treatment. This is exactly the type of information that plans need to exercise quality improvement, patient safety, disease management, utilization management and performance measurement activities.
NCQA fears that the consumer's limited knowledge and understanding of the role of the health plan in serving these important quality enhancing functions might prejudice or bias the individual's view towards granting a consent, particularly for heath care operations. It is also expecting a great deal of individual doctors to spend the requisite time with their patients to explain these quality functions, particularly in the current environment of considerable distrust among providers and plans. Without a written consent, the plan is left with no recourse but to obtain the patient's written authorization, an expensive and administratively unrealistic alternative.
NCQA is already hearing from its accredited health plans that the required written consent is having a deleterious effect on the flow of individually identifiable information among network providers and health plans. If this becomes the prevailing trend, the role of the health plan will, once again, be limited to its financing and insurance function and we will have lost the unique capacity of health plans to marshal their considerable resources in advancing quality health care.
For these reasons, NCQA recommends that we adopt the original provisions of the proposed rule. This would permit providers to share individually identifiable health information in support of treatment, payment, and health care operations without obtaining a written consent. NCQA also recommends that the written notice be retained at the provider level. This would establish a communication mechanism that ensures that individuals are educated and are aware of the use and disclosure of their protected information for treatment, payment, and health care operations.
Concern: The "minimum necessary" requirement is a costly and administrative burden and will interfere with important health care operations (Section 164.502(b)(1)).
Recommendation: Provide an exception to the minimum necessary requirement for protected health care information used or disclosed for the purpose of health care operations.
NCQA is concerned that the "minimum necessary" requirement of the final rule will interfere with important health care operations. The final rule requires covered entities to take reasonable steps to limit the disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of such information. NCQA believes this requirement will be construed in ways that create a significant burden on important quality assurance, disease management, performance evaluation and accreditation activities of health plans.
Health care operations might be jeopardized as covered entities attempt to make a determination on a case-by-case basis of what is the minimum necessary information required for those activities. Defining minimum necessary for all of the potential uses and disclosures relevant to certain health care operations will be difficult and an administratively burdensome task. For many of the quality enhancing activities performed by health plans, it will be difficult to determine what individually identifiable information is relevant to the task at hand without reviewing the entire medical record. For example, attempting to appropriately match a plan's disease management program to an enrollee without complete knowledge of the individual's current medical condition and related or secondary illnesses would be impossible.
In making these minimum necessary determinations, covered entities or providers concerned over the ambiguity of the rule, coupled with a reasonable fear of enforcement action, may limit certain information below the level critical for quality assurance, disease management or accreditation. These incentives for disclosing insufficient clinical data could inadvertently thwart quality enhancing activities that are beneficial to consumers.
NCQA recommends that DHHS modify the final rule, at a minimum, to exclude quality assurance, performance evaluations, accreditation activities, or other similar health care operations from the requirement of the minimum necessary requirement. Otherwise, there is little, if any, assurance that covered entities and providers will comply with information requests to the extent necessary to improve the quality of health care for consumers.
Thank you again for the opportunity to lend NCQA's perspective to this difficult policy debate regarding the privacy standards. I would be pleased to answer any questions.