Good afternoon, my name is Carlos Ortiz. I am Vice President of Government Affairs for CVS Pharmacy. I am a pharmacist and a resident of Amherst, Massachusetts. I appreciate this opportunity to testify before the National Committee of Vital Health Statistics Subcommittee on Privacy concerning the challenges CVS is facing as we prepare for the implementation of the new HIPAA privacy standards. CVS expects that we will be fully compliant with the new privacy regulation by April 14, 2003. However, the entire pharmacy community is facing many challenges as they prepare for meeting the deadline for compliance.
Some of the challenges include the following:
I would like to start by discussing the problem of ascertaining where a state law may be more stringent that the HIPAA regulations and thus be necessarily included as part of the CVS Notice of Privacy Practices. While our national trade associations and some private companies are working on this issue, I’m sure that Ellen and her firm would be more than willing to do the research for a price, the cost is VERY high. Our national trade association (the National Association of Chain Drug Stores) has estimated the cost at $1.4 million to do a nationwide analysis. Clearly, for small providers this cost would be prohibitive.
Our suggestion would be to have the Secretary of Health and Human Services (Tommy Thompson) work with 50 state Attorney Generals to post on their state website an explanation and analysis of what they deem to be the additional information that will be required as part of the Notice of Privacy Practice for their state. Without this assistance/opinions it will be almost impossible to do a complete analysis. Pharmacy privacy laws are included in many different sections of the various state statutes and regulations. In some states they are part of the Pharmacy Practice Act or regulations, in some states they are part of the Department of Health laws, in other states they are part of the Insurance Department laws, and so forth.
The Notice of Privacy Practices content requirements are quite extensive. As an example, a very preliminary draft of the CVS Notice of Privacy Practices will comprise both sides of an 8.5x11 inch, double sided, small print, tri-fold. This Notice of Privacy Practices pamphlet will have to be printed and distributed to CVS’ 42 million pharmacy customers. Even if only 10% of our customers require an explanation of what the Notice of Privacy Practices means for them, the confusion that will occur at our pharmacy counters is a prescription for chaos. I would like to suggest to the members of this subcommittee, that if you need a prescription filled next spring, that you get it filled well before April 14th.
CVS would like to suggest that there is a definite role for the Department of Health and Human Services to conduct a campaign to educate the American public about what the HIPAA regulations means for them AND what their health care providers will have to obtain from them in order to comply. We suggest that HHS should undertake a public relations campaign, including frequent public service announcements, early next year. We recognize that this additional attention to the HIPAA requirements is a two edged sword, that might in fact create additional burdens for health care providers, but we believe that it is necessary. We only hope that any such campaign will include a component that educates the public about the burdens/requirements being placed on their health care providers and what they will need to obtain from their patients.
CVS also believes that the of the Notice of Privacy Practices should be as reader friendly as possible. The requirement in the regulation that we include a description of all permitted uses for personal health information, makes the simplification of the Notice of Privacy Practices very difficult. We would like to be able to publish for each and every customer, a “brief summary” of (i) how a pharmacy generally uses PHI and (ii) what their rights are under HIPAA. Then have this summary Notice direct them to additional detailed information available on a website, or upon request via a toll free phone call, or if absolutely necessary in a printed form.
The requirement that CVS must make a good faith effort to obtain an “acknowledgement” that the patient has received a Notice of Privacy Practices, creates another challenge. What constitutes a “good faith effort”? How many times must we make a “good faith” effort?
The requirement that we have obtained an acknowledgement, or that despite our good faith effort that we have not obtained an acknowledgment, mandates that CVS create a specific patient tracking system for the acknowledgement. We are exploring several options for obtaining and tracking the acknowledgement.
All of these options require a significant investment of time and money in order to complete the necessary system changes. Each change triggers another change.
How do we motivate the patient to sign the acknowledgement? With over 40% of all prescriptions picked up by someone other than the patient (i.e. family, friends, neighbors, sometimes even a taxi cab driver) does sending the Notice of Privacy Practices home with the “caregiver” constitute enough of a good faith effort?
Once again a well-constructed public education campaign would go a long way toward helping pharmacies deal with this problem. This is a unique pharmacy problem because pharmacy is the only health care service where the treatment can be provided to someone other than the patient.
CVS will need to create a Central Processing Privacy Office to implement and execute an array of patient’s rights under HIPAA.
Clearly, the largest challenge, in the patient rights area, is the right of the patient to obtain an accounting of all “non-routine” disclosures of that patient’s personal health information. This concept is completely new to pharmacy providers and creates several problems:
The training of employees will create its on set of challenges. We would like to deliver the training via CD-ROM, as this method is best suited to address this training need. However, the cost involved, along with the human resources and development time required, will pose a great challenge. Additional challenges are addressed below.
We will need to train different audiences at varying degrees based on their roles. Therefore, different versions of training will need to be developed to address all audiences. This includes 12,000-15,000 pharmacists, 25,000 pharmacy support staff and 4,000 management and front office employees. We anticipate that the training will take approximately 2 hours per person. The payroll cost will easily approach $1 million.
· Large numbers of people to be trained in a short period of time
In the past, we have used CD-ROM to deliver training to address this challenge. We are researching the cost and development time in order to use this delivery method for this training initiative.
There are still some unknowns, including but not limited to system enhancements that may be required to support HIPAA regulations, which will make it difficult to develop training around those areas while decisions are being made simultaneously.
The Pharmacy Training Department will need to review all existing training materials to ensure compliance with HIPAA regulations. Unscheduled revisions may be necessary to ensure compliance, which will result in the need for additional resources (people and money) that were not budgeted.
The training is estimated at this time to be approximately 2 hours. Hourly employees are paid for the time it takes them to complete training.
The challenges identified in this testimony represent only a few of the challenges that will be faced by community pharmacy. Without the personnel and capital resources available to a large retail pharmacy chain, such as CVS, to deal with these challenges, additional significant challenges will be presented to small chains or independent pharmacies. The HIPAA regulations envisioned that some of the cost incurred would be offset by the savings generated from having a standardized electronic submission of health care insurance claims. These saving are not available to community pharmacies. Community pharmacy was already highly automated and insurance claims were already routinely submitted electronically prior to the implementation of the HIPAA standards.
I would like to express the appreciation of the pharmacy community that the National Committee of Vital Health Statistics Subcommittee on Privacy is conducting these fact-finding hearings to ascertain the challengers facing the provider community regarding compliance with the HIPAA privacy regulations. I hope this will be a continuing dialog.
Thank you.