EGGLESTON & CRAMER, LTD.
Mr. Chairman and Committee Members:
I am Anne Cramer, one of fourteen lawyers with the law firm of Eggleston & Cramer located in Burlington, Vermont, which serves as legal counsel to the Vermont Association of Hospitals and Health Systems ("VAHHS"). VAHHS has 16 member hospitals which include 14 acute care facilities, a psychiatric hospital and the Veteran's Administration Center. Eleven of the hospitals have 75 or fewer licensed beds, with the smallest licensed for 19 beds. Our firm also provides counsel to the Vermont Health Care Association, the Vermont Council of Developmental and Mental Health Services and numerous individual providers including hospitals, nursing homes, physician practices and community mental health service agencies. My remarks today will focus on HIPAA privacy rule compliance and implementation issues faced by Vermont hospitals. I thank you for this opportunity to testify on their behalf.
Although in spirit and in principle the HIPAA privacy rules do not drastically change the long-held tenets of patient confidentiality to which Vermont hospitals are accustomed, the level of nuance, detail and complication, combined with the failure of the rules to preempt state law, results in a challenging workload for the already over-extended staff of Vermont's small hospitals. More technical and financial resources are needed to assist them in their efforts. Given the lack of guidance and the monumental task ahead of overhauling policies and procedures and training workforce and medical staff members, more time needs to be allotted for providers to implement the HIPAA privacy rules. Any enforcement of rule compliance should be rolled back to a date no less than six months to a year following April 14, 2003.
The HIPAA privacy rules have not brought clarity or certainty to the law regarding the confidentiality of health information. Although the HIPAA rule modifications finalized on August 14, 2002 clearly improved the rules, they still require significant analysis before policies can be established, especially since Vermont law is not preempted. As background, I first started providing counsel and lecturing on Vermont and federal law relating to health information in the late 1980's. From the beginning, policy interpretations have had to be practical because the Vermont rules have to be pieced together from many laws, such as the patient privilege statute, the patient bill of rights provisions, medical malpractice statutes, licensure statutes, public health reporting statutes, mental health provisions, minor and parental rights statutes, etc. Few of these laws use terminology that translates easily to the other statutes.
Now, since Vermont law is only partially preempted by HIPAA, the bulk of material needed to interpret the rules in Vermont has just become larger and more complicated. A provider must know every provision of state law and every provision of the HIPAA privacy rule and determine, under the circumstance at issue, which controls. Again, the terminology does not translate easily. (For instance, the words "waiver," "consent" or "authorize" may be interchangeable or have distinct meanings depending on the topic and the statute.) With the potential for real penalties and the likelihood of private litigation based on the new federal standards, compliance with health information confidentiality rules has become significantly more burdensome. "Administrative Simplification" has not been achieved. We will be puzzling over what the governing rules are in Vermont for some time. Thus, full implementation and compliance with HIPAA privacy rules by April 14, 2003 is daunting.
A snapshot of the most difficult implementation hurdles is as follows.
1. Startup Issues.
Although many hospitals started the process prior to the announcement of the final rule, others waited for that event in order not to have to redraft policies and procedures. (It does not help that a consolidated final rule was not printed with the rule changes.) There is difficulty in determining how to get started and keep momentum going. Determining who will be responsible for leading the implementation work throughout the organization is in and of itself a problem. Responsibilities for using, disclosing and managing health information are dispersed throughout the hospital. Most small hospitals lack an existing central structure for HIPAA privacy rule implementation, and few of them are able to designate a privacy officer with the sufficient time and resources to fully take charge and devote a continuous effort to drafting and implementing HIPAA privacy policies and training the work force of the organization.
To fully implement the HIPAA privacy rule, each organization needs to do a massive review or audit to find out all the different uses and disclosures of information which routinely occur. This level of examination far exceeds efforts of the organizations in the past to implement changes such as corporate compliance plans, or to prepare for and avoid Y2K failures. A proper analysis and review to prepare for compliance with the HIPAA privacy rules needs to scour every aspect of a hospital's operations. Theoretically, each hospital could simply dictate that every department shall take whatever efforts it needs to identify uses and disclosures of health information and related data and consider what changes need to be made to comply with the HIPAA privacy rules. The reality is that this requires significant resources to both understand the HIPAA privacy rules as applied in Vermont and spend the time reviewing current operations in that context to revise and implement new policies. The rule is not user friendly.
To implement the HIPAA privacy rule, small hospitals need to coordinate the effort of staff with different backgrounds, expertise and responsibilities who have little time and may not necessarily communicate very well, especially where a strong administrative leader is lacking. For instance, an implementation team by necessity may comprise the information systems director, the chief financial officer, the patient accounts director and the director of medical records - none of whom are necessarily used to working regularly with each other or are likely to advise medical and clinical staff on policies. Many small hospitals own physician practices and own or are affiliated with nursing homes, home health and behavioral medicine providers - all having different health information practices.
Every aspect of the rule implementation requires much analysis. If this implementation team is to determine "minimum necessary" use and disclosure policies for use throughout the organization or instruct staff on the disclosures needed to be tracked for an accounting as required under Section 164.528, they will need to engage substantial time and input from every department head of the hospital and related provider organizations, as well as rule and policy interpretations and recommendations from outside counsel or consultants who better understand the rules. At the same time as this effort is required, this same hospital team is wrestling with the other aspects of "Administrative Simplification": the Transaction and Code Set Rules, given that everyone is requesting an extension, and trying to determine what are "reasonable safeguards" to secure health information under the administrative requirements of 164.530(c) (when the security rules have not been published as final and will have a two year implementation period).
A major startup challenge of the HIPAA privacy rules is that the rules contain concepts which are not readily assimilated. Without more thorough guidance on both the federal rules and state law, the list of complex decisions is tough for small hospitals to navigate. For instance, making a decision as to whether a hospital should be an "organized health care arrangement" or should act as an "affiliated covered entity," if applicable, needs consideration early in the process, especially since such designations may require corporate or medical staff bylaw and procedure change before HIPAA privacy rule implementation may begin.
2. Outside Guidance is Inadequate / Preemption Analysis is Lacking.
To date, there really has been little outside assistance from the State of Vermont or from the federal government to help small providers comply with the HIPAA privacy rules.
Speculation as to changes to the Rules up through August 13, 2002 has not helped. Now, with the rule modification published, a great deal of resource materials need to be revised to incorporate the final rule provisions. Events sponsored by the Center for Medicare and Medicaid Services (CMS) are still pretty basic, and it has admitted that it is at the beginning of its work on HIPAA privacy rule compliance. The State of Vermont has been without resources to provide any guidance. Most state agencies continue to struggle themselves with their own GAP analysis and policy changes for implementation and are asking others for assistance.
Generally, small providers do consider the materials posted by the Work Group on Electronic Data Interchange/Strategic National Implementation Process (WEDI-SNIP) as a helpful resource. Unfortunately, it does not take it down to the level of detail needed. Obviously, myriads of vendors and consulting organizations exist, but they tend to be expensive, and they cannot eliminate the substantial internal input needed by individuals who work on site for a hospital or small practice to document existing health information practices and implement policy change. The opportunity to save time and money through the use of outside vendors and consultants is not realistic.
Lawyers, asked to advise on the privacy rules, can easily get caught up in wrangling with nuances in the Rules, such as the scope of who should be trained as "work force" at each hospital, the scope of services and communications included in "direct treatment," whether a hospital should designate itself as an "organized health care arrangement" or an "affiliated covered entity", etc. Given the prospect of enforcement and penalties, legal counsel may respond with "over conservative advice." The result is that the implementation efforts of hospitals then become paralyzed.
In Vermont, guidance regarding what is and is not preempted has not been forthcoming from any state source, although several private attorneys are trying to map out the line by line interpretations of state statutes to the privacy rules. Vermont hospitals want to be able to rely on the HIPAA privacy rules alone. Thus, for instance, as they draft their notices of privacy practices and incorporate references to the permissive disclosure rules set forth in Section 164.512, we are now having to reeducate them to the fact that the Vermont patient privilege statute generally will preempt those provisions, and disclosures cannot be made unless expressly required by law.
3. Notice of Privacy Practices and Need for Extensive Patient Education.
Drafting an effective, but user friendly notice of health information practices is virtually impossible. First, implementation specifications for the notice under Section 164.520(b) require that the end document must be lengthy, detailed and technical. Second, as just indicated, there is no good resource which has defined which provisions of Vermont law survive preemption by the HIPAA privacy rules. Third, this notice is provided to hospital patients at registration when they don't want it, can't deal with it, and often find it harassing to be asked to sign an acknowledgment that they have received it. Nonetheless, the Notice will undoubtedly be an essential document in determining whether a hospital has appropriately complied with the privacy rules, including whether it might be exposed to private causes of action for privacy breaches based on alleged rule violations.
Providers should have a person available who can respond to questions regarding the notice and actual health information practices. Again, because of the complexity of the rules and the limitation of time and staff resources, this is a burden. It will be some time before sufficient training can be achieved to have a pool of people to field questions.
It would be greatly helpful if there was a concerted public education effort to help patients understand the management, use and disclosure of health information in hospital or group provider contexts in order to build reasonable expectations. Few people have any sense of the scope of use of patient information as part of health care operations. A Notice of Privacy Practices should not be a patient's sole introduction to the use of their health information throughout a hospital's operations.
4. Business Associate Contracting.
Obtaining Business Associate Agreements from all third parties who are subject to this definition will not be simple. In many instances, there have never been written agreements with these vendors or professionals. For those with written agreements, the third party may have an expectation that they can negotiate the terms. There are many professionals who in one context will not be a business associate but in another context will be. Right now, few understand who should or should not have a business associate contract. Meanwhile, hospitals will have to develop and implement screening procedures to consider whether the business associate rules apply which will require significant changes in procedure. Again, public education for the business and legal community regarding this aspect of HIPAA privacy rule implementation would be helpful.
5. Workforce Training.
Small hospitals are focusing on training department heads and managers while providing material via e-mail, bulletin boards and flyers to employees. A challenge is to update information to match the August 14, 2002 rule change as much of the material was developed before that date. There is also a great deal of misinformation regarding the rules and their scope that needs to be corrected.
Vermont hospitals are conscientiously working to implement the rules, despite the above hurdles. An organization called NHVSHIP, the New Hampshire and Vermont Strategic HIPAA Implementation Plan, has been a remarkable coalition established by the New Hampshire and Vermont state hospital associations and the Blue Cross/Blue Shield Plan of Vermont with the voluntary participation of hospital, physician and health plan personnel to try to consider and share strategies for compliance with the HIPAA privacy rules. Ideally, reliable "best practices" in Vermont and New Hampshire for implementing HIPAA will emerge. A steering committee and work groups on the transaction and code set, privacy rules, security rule and education meet monthly. Speakers are provided at many meetings, and materials, policies and procedures are posted on the NHVSHIP website with links to numerous organizations and resources. NHVSHIP specifically is not serving as a consultant, however. Hospitals participating in this organization have been vigilantly performing GAP analyses and drafting new policies and forms for HIPAA compliance. Unfortunately, many of the materials on the website need to be updated and replaced as a result of the August 14, 2002 rule change.
The ability of each organization to take resources obtained from participating in NHVSHIP meetings or accessing its website still leaves a large gap in translation to the education and compliance within an organization or a small practice. The level of administration in a small hospital often is not adequate to launch the overhaul needed for compliance with the HIPAA privacy regulations within the next seven months. Given that staff and workforce training should reflect the policy changes made to implement HIPAA, which need to reflect state and federal law interpretations, much work will need to be compressed into the short number of months ahead.
Thank you for this opportunity to set forth my view from Vermont on the challenges of implementing the HIPAA privacy rules and the areas where further assistance at the federal or state level would be very welcome. I can be reached or contacted at the following address: Eggleston & Cramer, Ltd., 150 South Champlain Street, Burlington, Vermont, 05401, (802) 864-0880, e-mail address: acramer@ecvtlaw.com.