GE / ERIC Comments to NCVHS - October 30, 2002

My name is Kevin Fitzgerald, and I am Health Care Counsel of General Electric Company, located at the Company’s Corporate Headquarters in Fairfield, Conn. I am also the HIPAA Privacy Leader for Corporate operations, and it is as a result of both my capacities that the ERISA Industry Committee asked me to speak with you today.

Let me start by reflecting much of the sentiment set forth in Dr. Lumpkin’s September 27 letter to Secretary Thompson. Until the promulgation of the final regulations on August 14, there was no sense of urgency amongst much of the health industry regarding the Privacy Rule deadline. I believe this was due in great part to an unwillingness by the industry to be the first to dip their toes in the compliance pool, as so much had been in flux since the first set of proposed regs came out in 1999. After August 14, people saw light at the end of the tunnel, and it’s an oncoming locomotive.

A good deal of the confusion in the employer community is driven by the fact that HHS had no authority to regulate employers directly. As a result, we are regulated as "group health plans," which are the employee welfare benefit plans created and operated under ERISA. But there’s no such entity within GE or any other employer called the group health plan. It’s a contract between the Company and its employees to deliver benefits, not an entity of its own. Moreover, the Privacy Rule operates on the fiction that the "group health plan" and the "plan sponsor" of that health plan are different. They’re not, in practice, as the people who know what a plan sponsor is also tend to be the same folks who know what the group health plan is. So the distinction makes little practical difference and drives considerable confusion. Add to that fact the simple truth that employers, particularly large employers, come in a large variety of flavors. For example, I believe the structure and operation of the group health plans we operate at GE are relatively well suited to the HIPAA compliance regime. About 90% of our approximately 170,000 domestic employees are in benefit plans operated centrally from Corporate on a self-insured basis. This gives us a great degree of organizational, and related physical, separation from the non-covered aspects of GE’s operations, which of course include making lightbulbs, locomotives and must-see TV. In so many words, our “plan sponsor” knows where our group health plan resides and vice versa, so it is easier for us to make the distinction.

Other employers may base their benefits strategy on a more localized basis, permitting regional operations to select and manage the offerings. This puts compliance decisions at a local level where the necessary compliance sophistication may not reside. But the “group health plan” encompasses all of these operations and functions, even though in this example it is not monolithic, but rather fragmented. Such an employer must try to link together all locally managed programs within one firewall, one compliance regime. This is not an enviable task, and it will take some time and effort to bring all of the players up to speed. On a related note, most training programs I’ve reviewed are focused on what a provider or the health plan needs to do to comply with the Privacy Rule, not what an employer needs to do. Most of the knowledge and support for employers comes in an expensive, customized format, via retained law firms or the consulting houses, who of course have no monopoly on the information available or its interpretation. In that regard, I certainly can do no better than echo the sentiments expressed in Dr. Lumpkin’s September 27 letter to Secretary Thompson: “covered entities [are] at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees, and scare tactics.” The bottom line is that we’re all groping forward at this stage, and the written testimony that will accompany my remarks will demonstrate many of the open or ambiguous issues.

All I can ask for on this issue is for the Department to realize that while large employers have long been aware of the importance of confidentiality, working out the details under the Privacy Rule is complicated, especially when overlaid with the preemption issue.

An issue that I want to specifically discuss with the panel is the controversy that exists between the retail drug industry and the pharmaceutical benefit management industry over the proposed Community Pharmacy Guide, which is inconsistent with all the other transactions standards. I believe the panel is familiar with the Pharmaceutical Care Management Industry’s October 17 letter on the issue, and I would like to echo some of the arguments presented in that letter. It would be the only standard that does not allow basic data fields, such as patient name. In most standards, these fields are not only allowed, but they are required, for the very reasons health plans require them in the pharmacy transaction. The HIPAA goals of administrative simplification and uniformity would be achieved by making these optional fields mandatory or situational in the same way they are addressed in all other standards, not by eliminating them.

The retail pharmacy industry has expressed a concern that PBMs or other carriers will be able to use this data for their own unrelated purposes, including selling it to manufacturers. But since PBMs will act as business associates of group health plans such as GE’s, they will be legally bound to use and disclose the information they obtain from pharmacies solely for the purpose of performing contracted for services consistent with the Privacy Rule, and I can assure you that in the absence of the Privacy Rule, GE contracting specifications would not permit marketing or other extracontractual use of employee data.

Moreover, nothing in the Privacy Rule, including the minimum necessary standard, prevents pharmacies from including these basic fields in pharmacy transactions. Since these fields are required for clinical and payment verification purposes, they meet the minimum necessary standard. Moreover, pharmacies are not even required to apply the minimum necessary standard when responding to a reasonable request for data from health plans or their business associates. Finally, if the minimum necessary standard is truly the concern, this concern can be eliminated by changing these optional fields to required or situational fields. That way, the minimum necessary standard would not apply.

Making sure that the pharmacy standard transaction parallels the identification data fields of other health claims transactions is important to self-insured plans such as GE’s, since we have a fiduciary obligation to make sure that claims dollars are paid appropriately. Putting all your identification eggs in one data field basket will certainly lead to late, incomplete or rejected claims, which serve no one’s interest, particularly that of the patient and the provider. This situation, without exaggeration, could lead to a wholesale shutdown of the retail pharmacy sector after April 14. Moreover, proper identification enhances the effectiveness of patient safety features such as drug utilization review. Name, relationship code, complete date of birth, and gender are some of the strongest types of confirming data. It is critical to the effective management of the benefit that such information continue to be provided by retail pharmacies as part of any claims submission.

The Transactions Standard for pharmacy must take into account our fiduciary responsibility and maximize patient safety. This will not come at the expense of privacy and confidentiality, but rather be consistent with the group health standard. NCPDP 5.1 should be modified to include name, complete date of birth, relationship to patient, and gender, member identifying number and other key identifiers as required fields. This would be consistent with the treatment of such information in the Standards adopted for medical and other claims.

As is indicated in the written remarks, there exists a great degree of confusion amongst employers regarding the reach of the privacy rule beyond group health plans. One area to highlight in particular is in-house medical clinics, which GE operates as do many other major employers. These clinics do not, on the whole, engage in the electronic standard transactions, even though they use many types of electronic communications in dealing with colleagues, the provider community and their patients. It would be of tremendous help if the current defined transactions list, which focuses essentially on group health insurance information, remained static, with no others added, and, in the case of the first report of injury (FROI), a deletion of that item from the regulation. The FROI is commonly understood as a workers compensation term, and since workers comp is explicitly excluded from the regulations, it should be excluded from the transactions list. No single line item has proven more confusing to explain in my travels within and without GE, and its deletion would remove unnecessary ambiguity from the regulation.

A further complication comes with outsourced clinics, either operated by local health care providers, often hospitals, or larger national concerns. Many of these entities have deemed themselves covered entities, and we are currently engaged with a number of those providers in deciding how to allocate responsibilities without causing confusion, especially concerning employee communications. My suggestion is that a covered entity performing non-covered functions for a non-covered entity should be exempted from the regulations, if that position is consistent, factually and by policy, with the other operations of the non-covered entity.

Another area that is producing high volumes of work that produces little actual value is the business associate agreement requirement. Most large employers will end up doing something over 100 agreements; GE will be in the area of 200. What will we attain for these provisions over what we previously used in our contract to protect employee information? Literally, another five pages to our already lengthy administrative service agreements. Virtually everything that we have previously addressed under confidentiality, security, nonmarketing and other standard contractual terms now is reformatted into the model language, to which most employers and suppliers will add their own twists to expand or limit responsibilities and risk. A preferable alternative would be a one-page statement that the party will comply with HIPAA as expressed in the regulations, not dissimilar to the notice of privacy practices for providers.

Obviously, time does not permit a complete discussion of the ambiguities and complexities facing the employer community under the Privacy Rule. I would like to emphasize again that ERIC and its members take confidentiality of employee data, medical or otherwise, seriously, and we will work to achieve compliance by April 14 of next year. We look to this Commission and the Department to give guidance and understanding to the issues that face us, as well as the health care industry as a whole.