National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

Hearing on Privacy Rule Implementation Efforts

Boston, MA – September 10, 2002

TESTIMONY OF THOMAS E. SULLIVAN, M.D.
WOMEN’S HEALTH CENTER CARDIOLOGY
PRESIDENT-ELECT, MASSACHUSETTS MEDICAL SOCIETY

Introduction

Good Morning, my name is Thomas E. Sullivan, M.D., President-elect of the Massachusetts Medical Society (“MMS”), which represents over 18,000 physicians. I am a practicing cardiologist on the North Shore. I hold an appointment at the North Shore Medical Center, and maintain a solo practice at the Women’s Health Center in Danvers, Massachusetts. I am pleased to be able to testify here today before the National Committee on Vital and Health Statistics’ Subcommittee on Privacy and Confidentiality and thank you for providing me with this opportunity. On my own behalf, as well as on behalf of the Massachusetts Medical Society, I would like to extend a thank you to the Committee for holding these Hearings on Privacy Rule Implementation Efforts - as I believe there are a number of areas which can be addressed to assist solo practitioners, such as myself, and small group practices with coming into compliance with the HIPAA privacy regulations.

I consider myself to have probably more than the “average” exposure to the HIPAA regulations, primarily because of my keen interest in the application of technology to health care. Over the course of recent years, I have been actively involved in several different professional associations and activities, and have devoted a significant amount of time to various organizations focusing on these types of issues. For example, I presently serve as chair of the Confidentiality and Security Steering Committee at Partners Healthcare System, as chair of the American Medical Association’s e-Medicine Advisory Committee; and I was the recent chair of the MMS’ Committee on Information Technology. In the past, I was an active participant in the Massachusetts Health Data Consortium’s Privacy and Confidentiality Workgroup and the Clinical Dataset Workgroup. I also have held advisory positions with several health care technology organizations. In 1995, I convened an educational meeting of the MMS on the topic of Privacy and Confidentiality, one year before the passage of the HIPAA law. Under my name, my committee requested the president of the Medical Society to convene a task force to address issues of Privacy in the electronic age. The final result was the creation and adoption by our House of Delegates of what I believe to be the first state medical society modern policy on Patient Privacy and Confidentiality. I am delighted to be able to say that in these various roles I have both received, as well as provided to others, a tremendous amount of information regarding HIPAA compliance issues.

While I can probably do a decent job of telling physicians what the privacy rules are, how they came to be, and how they have evolved over time – I am at the same time having some difficulty in preparing my own private office for the April 2003 compliance deadline. Today I am here to speak of my own personal compliance efforts, and to identify those areas with which I am grappling as a solo practitioner in private practice.

General Concerns

Quite generally, the complexity of the regulations, the lack of adequate time to implement the now “final” privacy rules, and limited resources cause me a great deal of concern. I am concerned obviously not only for myself but also for my similarly-situated colleagues who will be working on implementation, as will I, on a much smaller scale with a much smaller budget, and much less time to get up and running before spring of next year. Despite all of my HIPAA knowledge, I have yet to prepare any forms, reconfigure my office, draft a final privacy notice, or specifically train my staff of one, a certified medical office assistant who is my office manager. I have, however, at least designated myself as the Chief Privacy Officer and the Chief Security Officer, and I have obtained a secure password for my office manager to log on to the networked hospital system and access patients’ medical records on a “need to know” basis. I have also obtained a secure messaging website with the assistance of the AMA and the Massachusetts Medical Society. Finally, I have made it a practice to verbally inform my patients of the new privacy rule on a face-to-face basis, one by one, even though I have not consistently documented it in the chart.

Specific Areas Needing Attention

I would like to focus on four areas that I think should be addressed by Health and Human Services by way of educational material, information outreach, technological support or other appropriate formats. These areas include the need for:

  1. Model Forms specific to small practices
  2. Final Security Rule
  3. Clarification on activities involving transmission of protected health information by way of phone, fax, and e-mail
  4. Clarification on the “Opt-Out” Issue for Less Than 10 FTE’s

Model Forms

I have worked on and created numerous model forms in my position as chair of the Confidentiality and Security Steering Committee at Partners Healthcare System. In fact, we have been preparing forms for years now for the integrated group practices within the Partners System, yet only to find ourselves having to revise and restructure the content and format of these documents – due to the “ever evolving” privacy regulations. As you might well imagine the constant revisions have caused a great deal of frustration on many levels.

As for my own practice, I feel as though there is a lack of information about what exactly the required forms should look like for the smaller groups. This lack of information has precluded me from being able to go forward and begin drafting my authorizations, Notice of Privacy Practices, Office Procedures, and Business Associate Agreements. I feel extremely hesitant, even at this late date, to write my own final privacy policy and begin handing it out to my patients. While the regulations are quite detailed as to the required content of these various legal documents, smaller operations such as my own really need model forms to guide us in drafting these documents so that we are confident that we are complying with the law.

I think it would be very important to see model forms issued by HHS or OCR simply because most of my colleagues do not have the number of hours in our day it would take to sit down and begin reading the several hundred pages of regulations in order to glean what should be included in the documents. In addition, I don’t think we should be required to pay several hundred dollars for the so-called HIPAA “toolkits” currently being circulated in the marketplace. I hope it is clear to most, if not all of you, that similar to rising malpractice premiums, we are unable to pass these and other costs on to our patients, or to even negotiate with health plans to include them as a legitimate, necessary and mandated cost of our operations. At least if we had model forms to begin the process, we could then personalize these forms to suit our individual needs and office practices. There seems to be a continuous message from the Office of Civil Rights and/or Health and Human Services that the HIPAA privacy rules are meant to be “scalable” and enforcement of the regulations will take into consideration the covered entity’s compliance efforts as they relate to the covered entity’s size and individual business practices. I think these forms would be very helpful to all of us in learning what kind of basic, and minimalist information needs to be addressed in these legal documents. Many of us appreciate the recent inclusion of Model Business Associate Agreement language in the privacy rules to aid us in drafting those materials. However, we still need more detail designed for small practices.

Regarding the concept of scalability overall, I think it would be extremely useful for the Department to issue additional guidelines to clarify areas where the rules are “scalable” and specific examples of activities for smaller practices that would be compliant with the regulations. It is important to underscore that we commend the Department for acknowledging the differences between implementation for a large vs. small practice and want to be clear on the minimal requirements that physicians need to institute.

Security Rule

I think it goes without saying that it is difficult to get a good handle on how the HIPAA privacy rules will impact my day-to-day operations without having the benefit of the final security regulation. There has been a great deal of talk that the final security rule will ultimately look like the proposed security rule, but at this late date, almost four years after the proposed rule, we have no authoritative information. It would be tremendously helpful to see what the entire package looks like – especially because of the interrelationship between the privacy and security of protected health information.

My concern is that the security piece is so intertwined with the privacy piece that a substantial amount of the work completed on privacy compliance may not be sufficient to satisfy the eventual security requirements, and there will be a resulting lack of harmony between the two. We need to see the final security rule ASAP in order to feel comfortable and see what is practical for the small group practice. Right now we are operating with less than perfect information – yet required to start undertaking efforts to comply with the law in less than 8 months’ time.

Phone, fax, and e-mail activities

There seems to be a lot of conflicting information out there as to whether phone, fax and e-mail transmissions of protected health information are considered standard transactions covered under the HIPAA regulations as they relate to the final Privacy Rule. For many small medical offices, billing transactions utilize the fax machine as well as paper and the postal service. I have heard from some sources that fax transmissions are not really included under HIPAA, unless there is a billing clearinghouse, and thus, one should not worry about them. Others have instructed that while it is unclear whether faxing is covered, one should go ahead anyways and consider faxing to be a transaction that needs to be in compliance with the regulations – just to be safe. Further, what about the physicians who do all their billing on paper, but need to fax PHI to hospitals or other physicians when one of their patients is being seen? This area needs to be clarified for us, especially because many of our office systems and procedures, as you might well imagine, are not that sophisticated and may in fact allow us to be exempt from the regulations altogether.

Opt-Out Issue for Less Than 10 FTE’s

Many of us have also been wondering whether we will be exempt under HIPAA if we have less than 10 FTE’s on our staff. If that were true, this definition of a group would encompass more than 40% of the physicians in the country. Somewhere along the line, I believe that there was brief mention that an office with less than 10 FTE’s would be exempt from the requirement of having to submit bills to Medicare electronically. I think that this “opt-out” provision has confused a number of practitioners who will, much to their surprise, continue to be considered covered entities under the privacy regulations - regardless of whether they decide to opt-out of the Medicare billing requirements.

It would be helpful to have some clarification from HHS on this issue so that smaller group practices and individual practitioners are not penalized for not being HIPAA compliant due to a misunderstanding of the new federal laws in this regard.

Conclusion

In summary, let me make it clear that I am very much in favor of the new emphasis on Privacy and Confidentiality, and that it is a good thing for all of us that it has the force of law behind it. I am also a strong advocate of promoting the electronic exchange of billing information and also, in the near future, clinical information. I believe it will help us reduce costs in the long run and improve our care of our patients. Nevertheless, the short-term implementation costs and the complexity of the Privacy rule and the inexcusable delay in the release of the final security rule, need to be addressed expeditiously.

Thank you once again for the opportunity to present my opinion, with the perspective of a solo practitioner.

Thomas Sullivan, M.D.
Women’s Health Center Cardiology
President-elect, Massachusetts Medical Society