National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality

Hearing on Privacy Rule Implementation Efforts

Boston, MA – September 10, 2002

TESTIMONY OF SALIHA KHAJA, ESQ.
ASSOCIATE COUNSEL, MASSACHUSETTS MEDICAL SOCIETY

Introduction

Good morning, my name is Saliha Khaja. I serve as Associate Counsel to the Massachusetts Medical Society, and generally provide in-house advice and representation to the Society on a wide spectrum of corporate matters and health care related policies, programs and projects. My legal practice areas include regulatory compliance relating to HIPAA, Fraud & Abuse and Board of Registration in Medicine requirements. I sit on the MMS Interdepartmental HIPAA Workgroup and represent the Medical Society on the Boston Bar Association’s HIPAA State Preemption Task Force. I also work on antitrust and professional liability matters. I am pleased to be here today on behalf of the Medical Society, and to share with you our efforts and experiences to date in educating Massachusetts’ physicians about HIPAA and the regulatory compliance requirements. The Medical Society applauds the Committee in holding these hearings and is grateful for this opportunity to testify before you.

Massachusetts Medical Society’s Support for Privacy Legislation

The Medical Society has long supported strong privacy legislation at the State and Federal level, as a result of membership concerns over the erosion of the patient-physician relationship. Our Government Relations Department has also worked hard with the Massachusetts Congressional Delegation to introduce legislation to allow small physician practices, which may have difficulty implementing these regulations, the same delayed compliance deadline of 2004 that small health plans were given. We are also working on including the costs of HIPAA in the practice expense component of the RBRVS payment formula.

As for our message to our members, we are striving to impress upon them that regardless of HIPAA, electronic transference of health information is a reality. In light of this, we need protections and standards to guard the privacy of this information and to ideally create universal forms for administrative and billing transactions. The Medical Society’s focus has in large part been on bringing the small to mid-sized group practices and individual practitioners up to speed on what they need to do in order to be HIPAA compliant, based on the best information available to us at this time. Compliance with the HIPAA regulations certainly comes at a cost to physicians and in most instances will require changes in current practice and/or office policy.

Massachusetts Medical Society’s HIPAA Initiatives

In order to accomplish the Medical Society’s goals of providing the best and most accurate information to our members about HIPAA in a useful and pragmatic manner, we formulated a Massachusetts Medical Society Interdepartmental HIPAA Workgroup comprised of staff members from the Office of the General Counsel, the Department of Health Policy/Health Systems, the Government Relations Department, and Membership Services. Together this working group has met and discussed what would be most beneficial for the smaller to mid-sized entities, and we have worked to keep a steady stream of up-to-date information flowing to Massachusetts physicians.

Continuing Medical Educational Programs

Last year, the Medical Society offered a number of district-level Continuing Medical Education programs addressing HIPAA. In presenting to some of these groups we found a varying level of understanding about HIPAA by the attendees. Interestingly, the attendees who were staff members in physician offices, such as the office managers, seemed to have had more exposure to the HIPAA requirements than the practicing physician attendees. There was a great deal of frustration expressed by physicians at one meeting, targeting the outright complexity of the regulations and the associated difficulty in being able to understand what exactly needs to be done by the smaller to mid-sized group practices. There was also a great deal of irritation over the birth of a HIPAA consulting industry that offered very expensive services – similar to the Y2K phenomenon.

Early this fall we are sponsoring two comprehensive educational programs entitled, “Positioning Yourself for HIPAA” which includes the following objectives:

We plan to follow up these programs with some additional educational seminars to be held early next year before the April 2003 privacy compliance deadline.

HIPAA Grand Rounds Educational Sessions

Members of the Medical Society’s HIPAA Workgroup have also partnered with a number of legal experts to conduct several grand rounds educational sessions at various institutions. We worked with Massachusetts attorneys who were familiar with the local medical and legal issues facing physicians practicing in the Commonwealth to present basic HIPAA compliance information. The program included aiding attendees in developing and executing a timeline for assessments and implementation in their practice.

These sessions were held throughout the state at over twenty-five locations, and proved to be very successful. There was no set format or curricula, but many presenters chose to use the hypothetical scenario of a patient entering a physician office in order to teach by way of example. This methodology we found to be extremely helpful to the attendees as it helped them to understand how the regulations would impact their day-to-day medical practices not only in the office setting, but also during hospitalization up through discharge of a patient or even after a death has occurred.

We received an interesting range of questions during these sessions, running the gamut from the straightforward yes or no questions (e.g. “Can pathologists provide any information to family members of deceased when performing autopsies?”) to perhaps the more philosophical ones such as, “If physicians are not required to adhere to a patient’s request for restrictions on the release of his/her information, doesn’t that drive a wedge between the physician and the patient?”

HIPAA Toolkits

The Medical Society HIPAA Workgroup has been diligently vetting HIPAA toolkit type products for our members, to be offered at a reasonable cost. We are seeking a scaled down product that addresses the basic compliance issues as well as provides the necessary forms that can be modified for individual use. Unfortunately, we are finding that most vendors and HIPAA consultants do not offer practical products that focus on the smaller to mid-sized group practice needs. Not only is this reflected in the product content itself, but also certainly in the pricing as well. In light of what I call the HIPAA consulting boom and the associated insensitivity to financial burdens placed on smaller to mid-sized group practices, it would be extremely helpful to have some of the legal forms issued by Health and Human Services or the Office for Civil Rights. Our experience is not only that physicians are unable to spend exorbitant amounts on implementation costs in light of the significant financial constraints they are currently experiencing, but also that they simply feel more comfortable using documents issued by the government.

The Medical Society is of course marshalling resources on its own end in an attempt to address the cost issue, and by preparing and compiling helpful HIPAA compliance information for distribution at no charge. The Medical Society has prepared its own “Free HIPAA Resource Kit” that is a compilation of what we have found to be the best “free” information presently accessible. Some groups have prepared credible information on HIPAA compliance that can be shared with our members without the associated financial burden.

We are also in the process of drafting our own “Free HIPAA Guide” that will contain various forms and documents that members can use to assist them and guide them in drafting their own documents. We have stumbled across some rudimentary forms that were at one time part of the proposed privacy rules, but then never made it into the final version. Perhaps HHS could revisit those forms, revise them as needed, and make them available to smaller to mid-sized physician practices for their use. Of course we always recommend to members that they consult their own legal counsel for final review and approval of any document for their own individual office needs – reminding them that scalability is a consistent theme in the HIPAA privacy regulations.

HIPAA Vital Signs Articles

The Medical Society has its own newsletter, Vital Signs, that is distributed to its membership of approximately 18,000 physicians in the Commonwealth. We have featured numerous articles in the newsletter focusing on HIPAA issues, including: important deadlines to be aware of; proposed changes to the regulations; and the need to file (if necessary) for an extension for compliance with the standard transactions and code sets requirements. Our upcoming issue of Vital Signs will have a feature article on the front page alerting physicians to the reality of HIPAA and topics such as: what to do about vendors; projected costs associated with compliance; and anecdotal feedback resulting from surveys of physicians from around the state.

In addition to our hardcopy newsletter, the Medical Society has a weekly electronic version of Vital Signs called, Vital Signs This Week. We also educate our members using this electronic medium to provide them with “HIPAA Tips” – notifying them of current developments; helpful websites; and other resources they should be turning to in order to learn more about HIPAA.

HIPAA Hotline for General Questions

The Medical Society’s Department of Health Policy/Health Systems supports a HIPAA Hotline to answer general questions that physicians may have on HIPAA. This Hotline, as you might well imagine, has been very busy over the last few months and is a good way of providing personalized information to callers that may better address their individual needs. I have been designated as the “point person” in the Medical Society’s Office of the General Counsel to address any legal related questions from our members. Many of the questions that have come through to date range anywhere from: “Why was HIPAA passed?” to “Will someone supply model forms or templates?” to “Will the MMS identify HIPAA compliant vendors?”

Membership Letter from Dr. Welch

The President of the Medical Society, Charles A. Welch, M.D. has been extremely active in patient privacy related issues. He chaired the Medical Society’s Task Force on Patient Privacy and Confidentiality which resulted in a comprehensive privacy policy adopted by the Medical Society’s House of Delegates in 1996.

In August of this year, Dr. Welch wrote a letter to Massachusetts physicians specifically focusing on the issue of the new federal privacy regulations under HIPAA. He identified and highlighted the critical resources available to help physicians work on compliance and notified them of the various items I have mentioned above which are available through the Medical Society.

Presentation at District Medical Society Annual Meeting

Earlier this spring I was invited to speak at the Hampden District Medical Society’s Annual Meeting on the topic of HIPAA. The biggest hurdle, as you might imagine, was trying to teach physicians about both the final privacy rules – as well as about the then pending Notice of Proposed Rule Making changes to the final privacy rules. We are finding that with HIPAA, physicians are very reluctant to get bogged down with the finer distinctions and want the broader more sweeping concepts to implement. It was somewhat difficult to achieve this in light of the many changes that the proposed rules would have on the existing privacy rules.

The concern expressed at this event was primarily over the lack of information from the government on both the privacy rules as well as the security piece. These attendees were very interested in hearing how the two sets of regulations would relate to one another and whether compliance with one would satisfy some components of compliance with the other.

Further, there was a lot of discussion about how business associates should be handled. For example, does HIPAA consider the nightly cleaning crew to be business associates, and if so, what are examples of contractual provisions that would be applicable to them – as opposed to other business associates? Additionally, should individuals who come into the office, such as a utility representative or landlord, be escorted around the office to ensure that protected health information is properly safeguarded?

Participation in Statewide Workgroups

Finally, a number of our staff members participate in a variety of statewide workgroups focusing on HIPAA issues. These include: the New England HIPAA Workgroup, the Massachusetts Health Data Consortium’s Privacy and Information Technology Officers’ Forums, the HIPAA Education Coordinating Committee facilitated by the Massachusetts Health Data Consortium and the Boston Bar Association’s HIPAA Preemption Task Force. Sharing information with other outside entities has been incredibly valuable for us, and we will continue to join together with interested parties in devising feasible strategies for HIPAA compliance and other HIPAA-related matters.

Conclusion

The Massachusetts Medical Society has been very actively involved in introducing and raising HIPAA awareness in Massachusetts among the physician community. As I have mentioned, there are certain areas in which we can spend more energy with simplifying and demystifying the compliance process for the smaller to mid-sized group practices. To briefly reiterate, these areas include:

Once again, thank you for taking the time to listen to the Massachusetts Medical Society’s experiences and concerns. We are grateful to have had this opportunity to share them with your Committee.

Saliha Khaja, Esq.
Associate Counsel, Massachusetts Medical Society