Good morning. My name is Doctor Lloyd Smith and I am a podiatrist in private practice in Newton Centre, Massachusetts. I am here today representing the American Podiatric Medical Association. APMA is the national organization representing nearly 11,000 doctors of podiatric medicine. I serve as Vice President of the Association and as Chair of the Health Policy Committee, which has responsibility for all Federal health-related issues.
The APMA is keenly aware of the significant challenges created by the passage of the Health Insurance Portability and Accountability Act of 1996. When the privacy regulations were first released in December 2000, the APMA recognized that its members would need assistance in understanding and applying the regulations in private practice. Most podiatrists practice as solo practitioners, in partnerships or in small group practices and rely heavily on APMA for information. As the April 14, 2003 date for compliance with the privacy regulations approaches, APMA has seen a noticeable increase in member inquiries related to HIPAA.
What is APMA doing to assist our members in preparing for the April 14 deadline? We are actively and aggressively educating our members. We have discussed the specifics of HIPAA in our many publications. We have provided key leadership with HIPAA information, including through interactive presentations. We are constantly updating our members-only website with new information. We have made available a list of HIPAA Resources, including the Office of Civil Rights website and phone number. Other identified resources include the CMS website, the free list serve to receive notification of Federal Register releases related to HIPAA, and information about the HIPAA Roundtable Conference Calls.
Most significantly, over a year ago, APMA committed to the development of the APMA HIPAA Privacy Manual, which will be made available to our members on the web site and in hard copy. A respected, well-known law firm that understands the podiatric profession is drafting our manual. Not only will the manual discuss the specifics of the privacy regulations, but it will include sample forms for use in the office. We delayed production of our manual until finalization of the privacy regulations in mid-August but expect it will be available to our members in the near future. We are proud of our efforts but more needs to be done.
In our opinion, the OCR has not yet begun to reach the provider community with information about the privacy regulations. Until it does so, providers cannot be expected to be compliant with the regulations. Providers are having tremendous difficulty comprehending the regulations, as they currently exist. As a result, small office practices may be aware of the regulations but have not yet begun to take action towards becoming compliant. The information needs to be repackaged and presented in a way that is understandable to providers. The APMA has limitations in terms of financial and human resources yet we have committed to the development of a privacy manual. We are not, however, the definitive source for information on the privacy regulations. We believe that providers would benefit from the creation of a detailed, in-depth manual designed for the small or medium-sized group practice. Many individual offices do not have the financial resources necessary to obtain additional guidance on the privacy regulations. OCR should be the definitive source for privacy-related information and it should be available to all providers at no cost.
The OCR should add more information to its list of Frequently Asked Questions about the privacy regulations. The recent addition of these questions to OCR's website is positive and they provide a starting point for individuals seeking more information on the regulations. A monthly newsletter should be developed and sent to all providers, free of charge. The newsletter should provide key information, important facts and detailed instructions about the privacy regulations to all readers. As a starting point for distribution, the newsletter could be sent to all Medicare providers.
The OCR needs to create regional or state programs to educate providers. Representatives from OCR should be available to participate in specialty-specific regional and state meetings. For example, my region just completed a meeting involving podiatrists from Massachusetts, Rhode Island, Maine, New Hampshire, Connecticut and Vermont. The OCR's experts on the privacy regulations would have been most welcome at that meeting. The provider community needs to have access to the experts on a grand scale, particularly as the date for compliance draws closer. Recognizing that OCR's resources are not unlimited, and assuming that OCR has a team of experts addressing the privacy regulations, the OCR could commit to, for example, three presentations for APMA, as well as three presentations for each of the other provider groups, including among others, the American Medical Association and the American Osteopathic Association. This would ensure that all provider groups would have equal opportunity to hear from the experts. The APMA would be pleased to assist the OCR in scheduling presentations to podiatrists.
The privacy rule training mandate does present a challenge to APMA. Many of our local component societies are planning half-day or whole day presentations on HIPAA. The APMA applauds the efforts of those state societies organizing HIPAA presentations or seminars but, from a national perspective, the APMA will not offer privacy rule training beyond the written information contained in the APMA HIPAA Privacy Manual. Members and their staffs must rely on the state component societies or other, outside sources for this training.
As you can appreciate, our members are being inundated with information about HIPAA. We have been unable to gauge with any great degree of accuracy the quality of the information being offered. Many vendors and consultants will not release their information unless an individual commits to utilizing the services or expertise offered by the vendor or consultant. Rather than investigate the numerous array of vendors and consultants in existence, the APMA is advising members to first review the information contained within the APMA HIPAA Privacy Manual and then assess what additional information might be necessary, if at all. In our opinion, it would be helpful if the OCR would assume oversight of the products sold by vendors or, at the very least, establish a quality control process. If privacy-related products are developed for sale, there needs to be oversight to better ensure that those products contain accurate information.
The provider community needs more information concerning OCR's enforcement of the regulations, including clear identification of the penalties for lack of compliance. We realize that the penalties are known yet are concerned that those penalties have not been effectively communicated to providers. More education is needed on the amount of the penalties and the situations for which penalties will be applied. Will OCR representatives arrive unannounced in private practices? Will OCR randomly contact individuals to inquire about their privacy-related experiences? Will patient complaints be encouraged and will the OCR be obligated to investigate every complaint? Will providers be required to submit proof that the privacy rule training mandate has been satisfied? Our members need to know how the new regulations will be enforced and the lack of definitive information is frustrating for those expected to abide by the regulations. APMA requests additional guidance from OCR so that we may educate our members.
We also have concerns about patient education. Compliance with the privacy regulations will result in noticeable changes in daily practice activities. Many patients will be confused by the changes and may not understand why they are being asked to sign, for instance, a form indicating that they have been notified of their privacy rights. What if the patient refuses to sign that form? If patients are not educated and are resistant to changes being implemented in private practice and elsewhere, what protections exist for covered entities? The privacy regulations impact everyone, providers and patients alike. Does the OCR have plans to educate patients about the new regulations? That should not be the sole responsibility of the covered entity involved. The OCR needs to take responsibility for ensuring that patients, as well as providers, understand the new regulations.
The APMA is not familiar with best practices being done in the industry. We are unaware of compilations of best practices available.
In terms of the state/Federal preemption analysis fundamental to HIPAA integration and compliance, we believe that entities are unaware of the need to perform this type of analysis. Additionally, most individuals are not familiar with the state laws regarding privacy. The integration of HIPAA and other federal and state laws requires action by the OCR. A compendium of existing state and other federal laws should be created and made available to the public. These laws should be clearly articulated so that the average practitioner reviewing the information can understand them. If the information is made publicly available in a standardized format, the likelihood of adherence to the standards increases. If practitioners do not realize that differences in the standards exist or that a state standard is more stringent than a standard contained within the privacy regulations, then the correct standard will not be followed. If the state and other federal laws related to privacy are clearly identified and maintained in a common location, then practitioners will better be able to adhere to the correct standards. The APMA encourages the OCR to take responsibility for creating and maintaining such a compendium.
In general, we believe that covered entities, particularly practitioners, need more help in achieving compliance with the privacy regulations by the established deadline. Most practitioners are already overwhelmed with existing regulations and are struggling to comprehend the privacy regulations. More needs to be done. As the national organization for podiatrists, we will continue to educate our members about HIPAA and the privacy regulations. We need your active assistance with that endeavor. On behalf of the APMA, thank you for including us in today's hearing and for providing us with the opportunity to offer comments.