The National Association of Chain Drug Stores (NACDS) appreciates the opportunity to testify before and submit written comments to the National Committee of Vital and Health Statistics (NCVHS) Subcommittee on Privacy and Confidentiality concerning the impact on chain pharmacies of the HIPAA minimum necessary information disclosure privacy requirement.

Founded in 1933 and based in Alexandria, Virginia, the National Association of Chain Drug Stores (NACDS) membership consists of over 180 retail chain community pharmacy companies. Collectively, chain community pharmacy comprises the largest component of pharmacy practice with over 100,000 pharmacists. The chain community pharmacy industry is comprised of more than 20,000 traditional chain drug stores, 7,800 supermarket pharmacies and 5,300 mass merchant pharmacies. The NACDS membership base operates over 33,000 retail community pharmacies with annual sales totaling over $400 billion, including $160 billion in sales for prescription drugs, over-the-counter (OTC) medications and health and beauty aids (HBA). Chain operated community retail pharmacies fill nearly 63% of the more than 3 billion prescriptions dispensed annually in the United States. Additionally, NACDS membership includes over 1,300 suppliers of goods and services to chain community pharmacies. NACDS international membership has grown to include 126 members from 31 foreign countries. For more information about NACDS visit www.nacds.org.

NACDS written responses to the
NCVHS Subcommittee on Privacy and Confidentiality
Hearing Questions: MINIMUM DISCLOSURE

NACDS was asked to address one or more of the five specific Hearing Questions in our 10-minute presentation. All five questions are addressed in writing below. These five questions are easily identified… they are bulleted, bolded, and underlined.

NACDS was also told that, "The Subcommittee is interested in practical issues related to the implementation of the rule, problem areas and proposed solutions, as well as suggestions for possible modifications of the rule." These issues are addressed in the comments to the third Hearing Question below on page 4 entitled, "Where should the line be drawn in determining what is reasonably necessary?," which I will now address.

Others reading this testimony would also be well advised to begin reading at the third Hearing Question, which will put NACDS' responses to the other Hearing Questions in the proper context.

• What are the anticipated benefits of the minimum necessary standard?

From the NACDS chain member perspective, there would be benefits for consumers, PBMs/claims processors, and community retail pharmacies:

Consumers: Consumers would benefit from the peace of mind of knowing that only the minimum amount of personally identifiable health information is allowed to be electronically requested, disclosed, or used. In addition, many consumers already use a common electronic minimum necessary information disclosure model that works. Consumers live the minimum necessary financial disclosure paradigm every time they use a charge card to make a purchase. Their charge card number and expiration date is all the information that is necessary to adequately identify the cardholder to authorize the purchase.

Consumers are very concerned about identity theft and many have purchased shredders for home use to shred personal documents containing their name. These same individuals can be expected to be just as concerned if their names would be unnecessarily disclosed by pharmacies on electronic payment claims to payors… usually to the payors' agents (e.g., PBMs/claims processors)… who may not even be known to the consumer. There is not a direct face-to-face relationship between patients and the payors' PBM/claim processor agents. The number of these electronic payment claim disclosures would be huge… over 3.5 billion per year.

PBMs/Claims Processors: PBMs/claim processors would benefit because they could use the minimum necessary privacy request and disclosure requirements as reasons why their client employers/payors must provide them the necessary dependent level patient information. Today, employers/payors do not submit this level of patient information to their agent PBMs/claims processors from 25-30% of the time.

Dependent level patient information is necessary so that the payors' PBM/claims processor agents can assign dependent patient codes. Patient codes would make it unnecessary for pharmacies to disclose the patient's name on the payment claim to identify the patient.

Today's "best practice" is for a PBM/claims processor to insist that their employer/payor clients provide this level of patient information, but because of the stiff competition between them, some PBMs/claims processors don't even ask for this information, and probably very few insist that it be provided.

Chain Pharmacies: Chain pharmacies would benefit from the minimum necessary privacy disclosure provision because it would minimize their legal liability for any breach of patient confidentiality that was a direct result of such a disclosure to the employers'/payors' agent PBMs/claims processors or any taking of patient identifiable information by a switch company connecting the two electronically. Since the minimum necessary doctrine is also common in state privacy laws, chain pharmacies are not only concerned about complying with the HIPAA privacy regulation's minimum necessary information disclosure provision, but are also concerned with any existing or future state minimum necessary information disclosure laws. The weaker the federal minimum necessary standard, the more likely states will be to enact more stringent privacy laws.

• What are the costs of applying the minimum necessary standard?

The costs of applying the minimum necessary standard will be much higher IF the resolution of what is the "minimum necessary information" that must be disclosed by pharmacies on the NCPDP v5.1 payment claim standard format is not quickly resolved. Application of the minimum necessary information disclosure provision must be clarified so pharmacies can begin implementation of v5.1 and that provision of the HIPAA privacy rule.

The longer pharmacies must wait for clarifications, the less time there will be to implement before the April 14, 2003 deadline. Congress indicated that the covered entities would have two full years to implement the HIPAA standards. However, the actual implementation time will be much less as the final HIPAA privacy regulations (effective April 14, 2001) go through more steps of finalization without any concomitant advancement of the implementation deadline.

Some chain pharmacies have already developed v5.1 payment claim software and expect to begin testing with PBMs/claims processors in October, 2001. However, they will be testing the "wrong" standard. The NCPDP v5.1, as adopted by DHHS as the payment claim standard for pharmacy contains many optional data fields. DHHS adopted v5.1 before it was ready to be implemented… before the optional fields were converted to situational, mandatory/required, or not used fields.

DHHS explained in the HIPAA privacy regulation that the HIPAA minimum information disclosure provision applied to those optional data fields in v5.1:

"Response: We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the Transactions Rule, because those elements were agreed to through the ANSI-accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transactions, because industry consensus has not resulted in precise and unambiguous situation specific language to describe their usage. This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters, in which the current standard leaves most fields optional…" (Federal Register/Vol. 65, No.250/Thursday, December 28, 2000/ page 82,617… bottom of the 3^rd col.)

"Optional" means that PBMs/claims processors have the "option" whether or not to require that protected health information in a particular data field must be disclosed by the pharmacy. "Situational" means that IF the situation exists, the information in that data field must be disclosed by the pharmacy. Situational fields are "rules driven"… not PBM/processor driven.

However, since consensus has NOT been reached at NCPDP meetings, nor is it likely to be in the near future… the DHHS exception to the minimum necessary information disclosure provision has not been earned.

The optional v5.1 fields must be modified to earn the exception to the minimum necessary HIPAA privacy provision, to reduce the costs of both implementing the HIPAA pharmacy transaction standard and the HIPAA minimum necessary information disclosure provision.

• Where should the line be drawn in determining what is "reasonably necessary?"

The July 6, 2001 Guidance for the HIPAA privacy regulations addressed this question in a number of different ways… some of them can be read as inconsistent:

1. "take reasonable steps to limit the use or disclosure of, and requests for protected health information…" (Top of page 15.);
2. "Reasonable Reliance… In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure… Such reliance must be reasonable… The rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum, necessary determination for disclosures to which the standard applies"; (Top of page 16.)
3. "First, we clarify some of the issues here, including the application of minimum necessary to specific practices, so that covered entities may begin implementation of the Privacy Rule"; (Bottom of page 16.)
4. "This is not a strict standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information." (Top of page 17.) (Emphasis added.)
5. "The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI." (Middle of page 17.) (Emphasis added.)
6. "Q: What happens when a covered entity believes that a request is seeking more than the minimum necessary PHI? A: In such a situation, the Privacy Rule requires a covered entity to limit the disclosure of the minimum necessary as determined by the disclosing entity. Where the rule permits covered entities to rely on the judgment of the person requesting the information, and if such reliance is reasonable despite the covered entity's concerns, the covered entity may make the disclosure as requested.

   "Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties . Such discussions occur today and may continue after the compliance date of the Privacy Rule." (Bottom of page 20 and top of page 21.) (Emphasis added.)

The underlined "Emphasis added," immediately above in number 6, could give the wrong impression that compliance with the Privacy Rule is only about the needs of the person requesting and the person disclosing the patient's protected health information. However, the quoted material in the bullet immediately above it… number 5, places the focus of the Privacy Rule on the patient, "The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI."

According to this quote, the practices, including "best practices," may need to be changed to fully encompass the new requirements of the HIPAA enabling legislation and all the regulations emanating from it. To simply apply today's practices to tomorrow's enhanced HIPAA privacy protections makes no sense and certainly makes no real progress towards increasing the privacy protection of health information.

However, the highlighted quote from number 4 above, "calls for an approach consistent with the best practices and guidelines already used by many providers today…." It is NACDS' position, that today's "best practices" may need to be improved to reflect the new patient privacy requirements of the HIPAA privacy regulations and more stringent state laws.

Impact on chain pharmacies of implementing the HIPAA minimum necessary information disclosure requirement as it relates to implementing the HIPAA v5.1 pharmacy transaction standard.

The relationship between the HIPAA privacy regulation minimum information disclosure requirement and v5.1 was first identified by DHHS in the HIPAA privacy regulation:

"Response: We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the Transactions Rule, because those elements were agreed to through the ANSI-accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transactions, because industry consensus has not resulted in precise and unambiguous situation specific language to describe their usage. This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters, in which the current standard leaves most fields optional…" (Federal Register/Vol. 65, No.250/Thursday, December 28, 2000/ page 82,617… bottom of the 3^rd col.)

No consensus has been reached… the NCPDP membership, including chain pharmacies, software vendors, PBMs/claims processors, and NACDS have been meeting for about the last six months trying to convert the optional fields into either situational, mandatory/required, or not used fields to earn the HHS "exception to the minimum necessary disclosure provision." Unfortunately, industry consensus has not been reached to yield the required "precise and unambiguous situation specific language."

In general, pharmacies contend that PBMs/claims processors are requesting more information than is reasonably necessary and the PBMs/claims processors believe that pharmacies now want to disclose less information than they do currently.

The most contentious issue… is what is the minimum necessary information that a pharmacy must disclose, in the v5.1 format standard, to adequately identify the patient so that payment to the pharmacy can be authorized by the payor's agent PBMs/claims processors, without incurring legal liability for noncompliance with either the HIPAA privacy regulations or more stringent state privacy laws.

The PBMs/claims processors want pharmacies to disclose the patient name before they will pay the claim. Pharmacies refuse to disclose the patient name because they believe such a disclosure is unnecessary and that such a disclosure, if it was the direct cause of a breach of patient privacy, could greatly increase their legal liability under both the HIPAA privacy regulations and any more stringent state privacy laws.

Pharmacies argue that disclosing the patient's name is unnecessary and will be unlawful because the PBMs/processors already have that information from their clients for 70-75% of the claims and should be able to get the remaining 25-30% from their employer/payor clients.

The HIPAA privacy regulation that these pharmacies are relying on is section 164.514(d)(3) on page 82,819… toward the bottom of the first column:

"For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure."

Pharmacies also argue that it is also unreasonable and will be unlawful for PBMs/processors to request information that they already have or should be able to obtain from their employer/payor clients. The HIPAA privacy regulation that these pharmacies are relying on is section 164.514(d)(4)(i) on page 82,819… about half way down the middle column:

"A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities."

Chain pharmacies' fears about future increased legal liability… the payor's PBM/claims processor agents have been incredulous when they hear that chain pharmacies no longer want to disclose the patient's name. They ask, what has changed?

Chain pharmacies have responded… the federal privacy laws have changed and state privacy laws are also very likely to change. We don't want to be sued for a breach of a patient's privacy… either under the HIPAA privacy regulations or state privacy laws. Not only don't we want to be sued, but we also don't want our chain name associated with any allegations of a breach of a patient's privacy on the front page of a major newspaper.

There currently exists an electronic minimum necessary financial disclosure model that is used millions of times a day… the ubiquitous credit card. Consumers use credit cards everyday to authorize purchases, which require only the cardholder number and expiration date of the card… it is unnecessary to disclose the cardholder's name. This minimum necessary credit card payment authorization information is frequently compared to what should be an adequate patient identification to authorize the payment of an electronic health care claim. It will not take the average consumer or average attorney long to question whether or not it is reasonably necessary for a pharmacy to electronically disclose a patient's name to get paid by a third party.

Is chain pharmacies' fear about future increased legal liability realistic?

The major reason pharmacies have taken the position of not wanting to disclose the patient's name, is their belief that unnecessary access to the patient's name will increase the chances of breaches of patients' privacy. Pharmacies fear being sued, either under federal (HIPAA privacy regulations) or more stringent state privacy laws, for any breach of patient privacy that results from disclosing more than the minimum information "reasonably necessary to achieve the purpose of the disclosure." NACDS believes that chain pharmacies' fears about increased legal liability from federal or state lawsuits for electronically disclosing more than the minimum necessary health information to get paid is very real.

The widespread pharmacy concern is evidenced by the August 3, 2001, Retail Pharmacy Position Paper attached. The first position set out at the bottom of page one states that:

"To provide sufficient information to allow a claim to be adjudicated and paid while disclosing only the minimum information necessary for the following reasons:

1. To protect patient identifiable health information;
2. To limit the liability of retail pharmacy for the disclosure of information on retail pharmacy billing claims; and
3. To minimize the states' concerns that more stringent privacy regulations are necessary, that would supercede the HIPAA privacy regulations."

   HIPAA fines of up to $250,000 and 10 years in prison for knowingly disclosing individually identifiable health information are very real and have gotten pharmacies' attention:

   "Wrongful Disclosure of Individually Identifiable Health Information"

   "… A person who knowingly and in violation of this part--

   1. uses or causes to be used a unique health identifier;
   2. obtains individually identifiable health information relating to an individual; or
   3. discloses individually identifiable health information to another person,

   shall be punished as provided…

   … A person described shall--

   1. be fined not more than $50,000, imprisoned not more than 1 year, or both;
   2. if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
   3. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both. (HIPAA, Public Law 104-191--Aug. 21, 1996, 110 Stat. 2029)

Why are chain pharmacies concerned about the HIPAA legal liability provisions for wrongful disclosure when all they have to do is reach industry consensus by agreeing with the payors' agent PBMs/claims processors to earn the DHHS v5.1 exception to the HIPAA minimum necessary requirement?

Chain pharmacies believe that if they disclose more than the minimum necessary information to identify a patient (i.e., the patient's name) states will be very quick to act to pass more stringent privacy laws and that the HIPAA exception would not insulate them from the legal liability from these more stringent state privacy laws. The HIPAA privacy regulations don't preempt more stringent state privacy laws.

What have pharmacies offered to disclose on v5.1 to break the adequate patient identification impasse?

For those 70-75% of claims where the PBMs/claims processor already have the dependant level patient names, pharmacies have offered to submit the person code (assigned by the PBM/claims processor) and date of birth as a check. A person code would even identify same sex multiple births on the same day.

For those 25-30% of the claims, other than same sex multiple births, where a PBM/claims processor has not requested or has not been provided dependant level information necessary to assign a person code, pharmacies have offered to submit the cardholder ID, sex indicator, and date of birth.

Proposed Solutions, as well as Suggestions for Possible Modifications of the Rule.

The solution that is necessary to resolve the issue of whether or not sending the patient's name on an electronic payment claim is reasonably necessary is the availability of a patient number that can be used in place of the patient's name… as is the credit card number.

This solution could take at least two forms: 1) a number for every patient assigned by the payors' agent PBMs/claims processors, or 2) a national unique individual identifier as required in the 1996 HIPAA legislation.

Request for Assistance from NCVHS/DHHS… Is there anything NCVHS/DHHS can do to require, in the name of Administrative Simplification and reducing the breaches of patient privacy, that employers/payors must convey sufficient detailed patient data (e.g., dependant name, DOB, and relationship code) to their PBM/claims processor clients so they in turn can assign a person code, which can be placed on the pharmacy benefit card?

Or, in the alternative, is there anything NCVHS/DHHS can do to convince Congress that the HIPAA unique Individual Identifier is essential for Administrative Simplification and will be adequately protected from misuse by no later than April 14, 2003, when the HIPAA privacy regulations must be implemented. This alternative solution will only work if the HIPAA final transaction standard is delayed until the HIPAA privacy regulations are fully implemented.

How can the concept of minimum necessary be explained with greater clarity to those who will be affected? Give specific examples.

Section 164.514(d)(3), the minimum necessary disclosure requirement is very straightforward:

"… For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure." (Federal Register/Vol. 65, No. 250/Thursday, December 28, 2000/page 82,819… bottom of col. One.)

Section 164.514(d)(4)(i), the minimum necessary request requirement is equally straightforward:

"A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities." (Federal Register/Vol. 65, No. 250/Thursday, December 28, 2000/page 82,819… about half way down the middle column.)

The minimum necessary disclosure problem for chain pharmacies is not understanding the concept of minimum necessary. The problem, as discussed in depth in the third Hearing Question immediately above, is what is the minimum necessary information that a pharmacy must disclose, in the v5.1 format standard to adequately identify the patient so that payment to the pharmacy can be authorized by the payor's agent PBMs/claims processors, without incurring legal liability for noncompliance with the HIPAA privacy regulations or more stringent state privacy laws.

Does applying the minimum necessary standard internally in an institution make sense?

Yes. Consumer perception is again critical. If, for example a consumer conveys certain sensitive health information to a health care professional during a face-to-face conversation, that consumer expects that only the minimum necessary information will be shared by that health care professional with others in that institution. An extreme example helps make the point… the consumer would not expect that the sensitive health information that was made available to the health care professional would also be available to the cleaning staff. The use of individual identifiers would go a long way in reducing the consumer's concern of having "everyone" employed by the institution having access to their sensitive health information containing their name.

Another positive affect of removing the patient name, would be to avoid any possible discrimination against various ethnic names.

The July 6, 2001 Guidance of the HIPAA privacy regulations also seems to acknowledge that the minimum necessary standard can be applied within an institution:

"Therefore, the covered entity can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes." (Bottom of page 17.)

Conclusion

NACDS and its chain pharmacy members want to reiterate our commitment to strong, federal privacy standards to protect the privacy of medical records. Chain pharmacies are trying every thing possible to try to resolve the disclosure of the patient's name issue with the payors' PBM/claims processor agents.

However, we would appreciate any help that NCVHS/DHHS can provide to help resolve this problem as set out in the NACDS response above on page 10 to the Subcommittee's question, "Where should the line be drawn in determining what is reasonably necessary?" NACDS also proposed solutions and suggestions for possible modifications of the rule in that same response.

Please contact me with any subsequent questions you may have about my testimony or written comments.

Thank you for the opportunity to testify and submit these written comments for the record.