Good morning. My name is David C. Kibbe, MD. I am the Director of Health Information Technology for the American Academy of Family Physicians, AAFP. I am also the President of the North Carolina Healthcare Information and Communications Alliance, better known as NCHICA, a WEDI SNIP affiliate, an organization that is well known for its work on HIPAA, and which has been involved in model health privacy policy and legislative activity since its inception in 1994.
I am very pleased to be here today, and on behalf of the American Academy of Family Physicians' 93,000+ members let me thank the members of the Privacy and Confidentiality Subcommittee for this opportunity to address the important issue of HIPAA Privacy Rule implementation. The timing is excellent, having just held our Annual Scientific Assembly two weeks ago in San Diego. This is the Academy's major annual conference, attended by over five thousand member physicians, and an occasion that affords us an opportunity to converse with members about the important issues to the specialty as a whole, and to take the pulse of the membership over a very active week.
During the Assembly, I presented lectures on HIPAA that were attended by over a quarter of the participants; we held a Town Meeting on HIPAA implementation that was moderated by Academy physician leadership, and there were several other sessions covering one or more aspects of HIPAA standards and their implementation. I can assure you that HIPAA is an active and much debated item among the AAFP leaders and members.
What is the availability of HIPAA resources for our members, most of whom practice in solo practice or small groups of five or fewer physicians? First, let me address our own education and implementation program for action. Over a year ago the Board of Directors of the AAFP approved a detailed HIPAA action plan including:
During the course of the year, the Academy has done the following to make progress in meeting these commitments:
The Academy has produced a How To Guide for implementing HIPAA Privacy, available to members for a minimal cost in print, CD-ROM and downloadable from www.aafp.org/hipaamanual.xml. For those that prefer a more interactive computer program solution, we are offering members the HIPAA EarlyView Privacy Tool developed by NCHICA. Both resources contain checklists, key document templates, and advice.
The Academy has developed an on-line HIPAA EDI Practice Management System (PMS) Directory in collaboration with the medical specialty coalition, which is available at www.hipaa.org/pmsdirectory. The Directory allows a practice to look up its PMS vendor and determine its HIPAA readiness for each covered transaction. Practices can also use the Directory to investigate the extent of HIPAA readiness of other vendors.
How well are we doing in reaching our members with these messages? In some respects quite well, I think, and in others not so well. For example, by a show of hands during my recent lectures on HIPAA at the AAFP Annual Assembly, roughly three-quarters of the audience indicated that they had filed a transactions and code set extension plan with CMS. Given that some of the audience are employed physicians or working in groups, and do not need to file an extension, I think this augurs well for our members' awareness about the HIPAA transactions and code set standards and about HIPAA in general.
However, my best estimate about member Privacy Rule implementation is less hopeful. I would estimate that fewer than half of our members' practices have begun to implement a program of privacy standards implementation as of two weeks ago. We need to discuss some of the reasons for this low level of privacy implementation among AAFP members who are generally aware of their obligation but have not acted.
The single most important reason for the delay is, I believe, our members' confusion about what it is they must actually do at the practice level. "What must I do that is different from my current practice?" is the question that I hear most often.
To students of the Privacy Rule and its standards, a group I call the "HIPAA literati" and to which, sadly, I must include myself as a member, this may seem a strange question. Aren't the rules clear? After all, we've gone through a very long process of writing, amending, and finalizing the Privacy Rule. Isn't this all pro forma and routine by now?
No, out in the real world HIPAA is a complicated mess. Dr. John Lumpkin's statement in the letter which he wrote to DHHS Secretary Tommy G. Thompson, of September 27, 2003, summarizes quite well the basic problem here, and I quote: "The failure of the OCR to make available sample forms, model language, and practical guidance has left covered entities at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees, and scare tactics."
Doctors often don't know who to believe, what to buy, or from whom to get individual practice assistance. They are hearing conflicting claims, and are being bombarded by vendors and consultants giving conflicting stories. Sometimes this mis-information comes from vendors or lawyers who have a product to sell that offers a solution to the problem. Multiple urban legends are circulating across the country, spread by email and at meetings, such as the rumor that HIPAA requires all sign-in sheets to be eliminated or copies of all electronic data to be stored off site at a distance of fifty miles or greater. But often the mis-information appears to be the by-product of the complexity and scope of the Privacy Rule itself. Confusion and apprehension are simply a matter of well-intentioned health care workers, who suddenly find themselves appointed privacy officials, spreading erroneous beliefs about permissive or prohibitive behaviors within the Privacy Rule.
To add to the confusion in our members' communities, some larger organizations have begun to implement HIPAA in ways that cause interruptions in the routine and necessary flows of health care information between the practices and hospitals and pharmacies. Sometimes, this is due to an over-zealous interpretation of HIPAA, as in the case of a hospital that has stopped all fax transmissions to doctors' offices in the name of HIPAA, a step that now requires the doctors' offices to call the hospital for verbal radiology reports.
Delays in HIPAA Privacy Rule implementation will continue until there is a clearer picture of what must be done, in what priority, and with what latitude of enforcement.
Then there is the cost factor. CMS has reported that approximately half a million health care covered entities filed an ASCA-mandated extension plan by the deadline of midnight October 15. Assuming that each of these "Covered Entities" spent an hour's time in researching the requirements for the transactions and code set standards and in filling out the forms, I calculate that this activity alone cost providers over 50 million dollars. Physicians and their office staffs look at the time and effort that appears necessary to devote to Privacy Rule implementation (the first step, of course, being simply to assign the most basic meaning to a host of new constructs and documents, such as business associates, notice of privacy practices, and requests to amend the medical record), and they see that it is many, many times the effort. For the busy practitioner taking care of patients day in and day out, there is precious little time, or money, to waste.
One very specific concern of mine is that the Privacy Rule is a one-size-fits-all solution. To be workable, however, I believe HHS and OCR need to create zones of compliance rather than specific targets for some aspects of compliance. Such flexibility would accommodate the needs of health care organizations of differing sizes and complexity. Such zones would allow for simplification of implementation, especially in medical practices and in small provider organizations. For example, I believe that the complex and lengthy Notice of Privacy Practices requirements should be simplified and shortened for small providers. A more detailed Notice could be voluntary. We believe that Business Associate contracts should not be required of all those it would appear to be required of now, or that a zone of compliance with regards to BA contracts for small providers be acceptable, at least until the contracts have become standardized and the costs of creating them (many thousands of dollars for a medical practice) are reduced.
Clearly, we are merely at the beginning of a long and difficult period of HIPAA Privacy Rule implementation. A year hence we will know much more than we do now about the practical, down-to-earth realities of HIPAA in the offices of family physicians across the country. Will our patients understand why we are handing them a multi-page Notice of Privacy Practices on their first visit, and appreciate the effort that has gone into making their medical records more secure? Or will the inconsistent and clumsy implementation of a poorly-understood set of federal regulations merely make it more difficult for patients to obtain access to their records and disrupt the flow of vital health information between doctors' offices, hospitals, and health plans, ultimately degrading the quality of our primary care health systems?
I would agree with Dr. Lumpkin's opinion that we are on the verge of major and widespread disruptions of the health care system unless action is taken quickly and with adequate resources to inform both the public and the provider community about the various documents and notices with which they are about to be confronted. We need a massive public education program or we will have a massive public meltdown over HIPAA.
The Academy appreciates this opportunity to submit a statement to the subcommittee and looks forward to working with you to develop effective public-private-professional organization solutions to HIPAA Privacy Rule implementation. This is a matter of continued interest to the Academy and we thank the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
Comments and questions can be sent to:
David C. Kibbe, MD
Director, Health Information Technology
American Academy of Family Physicians
1520 E. Franklin St.
Chapel Hill, NC
919-929-5993