Good Afternoon. My name is Maureen Weaver. I am a partner and chair of the health care department at Wiggin & Dana LLP, a 150 lawyer firm based in Connecticut. I am testifying today on behalf of the American Association of Homes and Services for the Aging ("AAHSA"). AAHSA is committed to advancing the vision of healthy, affordable, ethical aging services for America. The association represents 5,600 mission-driven, not-for-profit nursing homes, continuing care retirement communities, assisted living and senior housing facilities, and community service organizations. Every day, AAHSA's members serve one million older persons across the country. AAHSA's Web site is http://www.aahsa.org/.
I serve as a member of AAHSA's Legal Committee and am General Counsel to AAHSA's Connecticut affiliate, the Connecticut Association of Not-for-profit Providers for the Aging ("CANPFA"). HIPAA is the biggest regulatory wave to hit health care in decades, and so over the last two years our health care lawyers have been assisting clients with the massive task of understanding and implementing HIPAA.
I first would like to thank the Subcommittee for providing AAHSA with this opportunity to share its views on HIPAA Privacy Rule implementation. AAHSA supports the goals behind HIPAA and its privacy requirements. Confidentiality is a fundamental right reflected in the missions and daily work of AAHSA member facilities.
Although HIPAA's purpose is beyond question, its dimensions run wide and deep. In order to implement the Privacy Rule alone, we estimate that the average AAHSA member will need to develop and implement 30-40 policies and procedures, conduct detailed reviews of whether they have appropriate and reasonable safeguards in place for protected health information, roll out dozens of new forms and protocols and train an entire workforce on a round-the-clock basis in order to achieve compliance by the Privacy Rule's April 14, 2003 deadline.
We understand that the Subcommittee's purpose in holding this hearing is to assess HIPAA Privacy Rule implementation efforts with a focus on the real problems organizations, particularly smaller providers, face as they move closer to the HIPAA compliance date. We have reviewed the Subcommittee's recent letter to Secretary Thompson reporting on a prior hearing in Boston. It is apparent from that letter that the Subcommittee takes its charge very seriously. The letter delivers an honest and direct message to the Department of Health and Human Services ("HHS") that covered entities under HIPAA need more guidance and they need the guidance right away.
Our experience with HIPAA implementation among smaller providers, including providers of services for the aging, is consistent with the Subcommittee's feedback to HHS. However, I would like to emphasize that providers and their trade associations are mindful of their obligations to implement HIPAA and are taking steps to comply. The problem is that they cannot run alone to the April 14th finish line; they need help along the way.
Like many trade associations, AAHSA has taken steps to assist its members with HIPAA compliance. AAHSA has offered numerous educational sessions on HIPAA at annual meetings and spring conferences. In fact, as we speak, approximately 6,000 AAHSA members are gathered here in Baltimore for AAHSA's 2003 Annual Meeting and Exposition, and just an hour ago I participated in an educational session for AAHSA members on how to implement the Privacy Rule.
In addition to providing educational opportunities, AAHSA published a handbook last year on the HIPAA Privacy Rule, The HIPAA Handbook: Implementing the Federal Privacy Rule in a Long-Term Care Setting. Over the next several months, AAHSA also plans to offer audio conferences on Privacy Rule topics and make available model policies for AAHSA members.
Aside from AAHSA's efforts at the national level, many of AAHSA's state affiliates are providing assistance to members. Some have developed innovative approaches. For example, in Connecticut, CANPFA and the Connecticut Alliance for Long Term Care ("CALTC"), an alliance of CANPFA members, joined together to form a HIPAA Partnership. Rather than individually engage lawyers and consultants, a group of CANPFA and CALTC members pooled their limited resources to collectively engage the legal expertise of our firm. In addition, one of CANPFA's larger members contributed the expertise of its Chief Information Officer to assist with security and with electronic transactions and code sets. The project started in April 2002, and is still underway.
The HIPAA Partnership approached policy and procedure development based on a collaborative model. Our firm provided education and produced policy templates outlining the basic legal requirements under the Privacy Rule, including on those templates discussion of related federal and state law requirements with an analysis of how these requirements interact with HIPAA. The Partnership then divided into functional work groups such as clinical, administrative, business office, medical records, admissions and information systems. Each work group took certain templates, assessed them from an operational vantage point and drafted model policy/procedure documents with specific implementation guidelines. One notable benefit of this collaborative approach has been the networking and support function it provides for the participants. CANPFA and CALTC's goal in designing this structure was to foster the development of HIPAA privacy "best practices." While it is too soon to tell for sure, we can already see the makings of "best practices" in certain areas. For example, our HIPAA Partnership developed a process for Partnership members to use in identifying business associates and obtaining business associate agreements.
Unfortunately, not all AAHSA members and not all small providers have had the opportunity to pool resources and work collaboratively. Many of AAHSA's larger members have internal resources to launch their own compliance efforts, and those members that are part of larger health systems have benefited from earlier involvement in HIPAA implementation. However, there are many small facilities among AAHSA's membership (for example, a 60 bed rural nursing home, or a 30 bed facility affiliated with low income senior housing). Struggling with a nursing shortage, shrinking Medicaid dollars, cost pressures and other challenges, these facilities live day to day. Their main mission is to care for their residents while also juggling budget preparation, visits and calls from state inspectors as well as Medicaid and Medicare audits. The only logical "privacy official" in these facilities is the administrator or director of nursing. Yet on any given day, you might just call and find the administrator answering the phone or the director of nursing covering a shift for a nurse who called out sick.
It should come as no surprise, then, that these smaller providers chose not to acknowledge HIPAA before the Final Rule was issued in August. And it should come as no surprise that many of these smaller providers will not tackle policy and procedure development, training and other necessary Privacy Rule implementation steps until just a few months before the final compliance date.
HHS/OCR still has a chance to make a difference. Here are three steps that the Subcommittee should advise OCR to take immediately to help small providers make the best use of the precious time and resources they can devote to HIPAA compliance:
OCR should provide more detailed guidance and assistance for providers:
(A) OCR needs to give practical meaning to the term "scalable." What does "scalable" mean to a nursing home administrator who must serve as the privacy official and answer phones at the same time? Are there minimum steps that a smaller facility can take to be in compliance, recognizing the reality that some organizations do not have the option to fully master and implement every aspect of the HIPAA Privacy Rule in less than five months?
(B) OCR needs to provide more detailed guidance on practical issues facing providers in the implementation process. The OCR Q & A has been helpful in some respects, but it is not enough. OCR should continue to issue guidance similar to the Guidance issued in July 2001 covering specific aspects of the Privacy Rule that the Final Rule and comments did not address. The July 2001 Guidance was clear, well-organized and practical. It provides an excellent model for future guidance. As not-for-profits, for example, AAHSA members rely heavily on fundraising to support the services they provide and on marketing to broaden access to their services. Yet the Privacy Rule provisions related to fundraising and marketing leave open many questions: Does the Rule permit a covered entity nursing home to send fundraising materials to members of the resident's family? What about newsletters?
(C) OCR should develop plain English model forms (Notices of Privacy Practices, Request for Access, Authorization Forms, to name a few). The difference between "use" and "disclosure" may seem sharp for lawyers and regulators, but how do you make these distinctions come into focus on notices and forms? In addition to a plain English version, it would greatly assist smaller providers and ensure that the Privacy Rule's purpose is truly met, if OCR could translate forms into foreign languages. Many older adults served by aging services providers do not speak English. In addition, facilities employ a large number of foreign-born caregivers.
One purpose behind HIPAA was to establish national standards of privacy in response to the patchwork of varying state privacy requirements that have developed over time. State laws still remain in effect, however. While most state laws are not preempted by HIPAA, some laws are more protective of privacy rights; in some cases, their effect on HIPAA may not be clear, and different groups affected by HIPAA may come up with different interpretations of how to reconcile them with HIPAA. Perhaps some states have taken the lead here, but we suspect that many have not and will not be able to do so in time to make a difference. In the end, the privacy patchwork quilt of state laws could well be replaced by a messy collage of diverging interpretations.
OCR should encourage states to collaborate with provider groups to develop common guidance on HIPAA's impact at the state level. At the same time, OCR should provide resources and support to states. These efforts could ultimately ease some of the burdens faced by smaller providers.
Nursing homes typically derive most of their revenues from government payers, particularly Medicaid. For many nursing homes, Medicaid represents 75-80% of revenues. HHS should involve CMS and states in determining whether there is a mechanism for allowing providers such as nursing homes that provide services to a primarily Medicaid population, to recoup some of their HIPAA implementation costs. Some state reimbursement laws and regulations recognize these types of costs for rate setting purposes, but these provisions are often narrowly circumscribed and/or subject to limitations. Could HHS develop models for states to use in recognizing an appropriate percentage of HIPAA implementation costs attributable to Medicaid? What about Medicare? Shouldn't HIPAA implementation costs attributable to Medicare be considered in Medicare payment formulas?
* * * *
AAHSA members support HIPAA's purpose and intent. However, they could benefit from realistic guidance and closer cooperation with the states. AAHSA appreciates this opportunity to share its views with the Subcommittee and looks forward to its recommendations to HHS.
Maureen Weaver
Wiggin & Dana LLP
One Century Tower
New Haven, Connecticut 06508-1832
203-498-4384
203-782-2889
mweaver@wiggin.com
www.HIPAA-law.info