Chairman Rothstein and members of the subcommittee, good afternoon. My name is Elliot M. Stone and I am the CEO of the Massachusetts Health Data Consortium. Thank you for the invitation to testify.
I am pleased to update the NCVHS on our Coalition & Partnerships Building activities to implement the HIPAA Privacy Regulations in Massachusetts.
From your first hearing in Boston, I know that you heard a range of views on the industry's readiness to implement the provisions of the HIPAA Privacy regulations. Your letter to the Secretary of DHHS addressed the urgent need for Resources to assist covered entities.
Today, I would like to emphasize the community collaborative approach to delivering those resources that the MA Health Data Consortium has taken - as opposed to waiting and expecting a full reliance on the federal government.
Our 3 premises are simple:
1) Most solutions are LOCAL where services are rendered
2) There is rarely ONE Solution to any problem or issue resolution
3) Collaboration is not Anti-Trust when non-competitive Issues are at stake, such as Privacy Protection
The MA Health Data Consortium evolved as the appropriate local convener/resource for HIPAA much as the NCVHS was the logical choice at the National level. As with NCVHS, few entities coveted that niche and gladly ceded HIPAA Coordination to the Consortium. We monitor and replicate NCVHS priorities locally. The Consortium collects large data sets from providers and government and therefore advocates standards for data transmission and protection. One of my slides for tomorrow's HIPAA Summit proposes other possible Regional HIPAA Conveners and Coordinators, e.g. Medicare Fiscal Intermediaries, Medicaid, WEDI/SNIP Regional Affiliates, NAHDO members, a Local Health Plan; i.e. the federal government should use existing contractual Partners and expand their responsibility to include HIPAA assistance!
With regard to OCR priority setting, our local experience leads us to recommend that OCR:
a) Be a resource for Frequently Asked Questions (FAQ)
b) Issue Periodic Clarifications based on these FAQs
c) Encourage OCR staff to meet with/speak at Privacy Forums, especially for designated WEDI/SNIP Regional Affiliates, and train Regional OCR staff. There seems to be some red tape and reluctance for OCR to speak at private sector events.
d) Most importantly, the OCR website should link to and encourage HIPAA-specific web pages of Trusted sources; even just a few examples will make a difference,
e.g. Trade Associations, especially those which advocate for smaller providers; many of these associations in Mass. have taken responsibility for assisting their own members and constituents.
For example, the Mass. Medical Society at www.massmed.org has created a special HIPAA website to assist physicians in Massachusetts.
My own personal belief is that OCR is on a No-Win path if it tries to develop model forms, model policies and model notices for the wide variety of covered entities in need. One size does not fit all.
Trade organizations and Expert groups such as the Georgetown Privacy Project's Guides are more likely to be able to obtain actual (vs. generic) documents shared by members (if asked). (Compliance will be achieved by April 2003 since our industry understands compliance!)
Again, in my view, OCR should encourage this resource sharing but could stimulate sharing by being a Repository for the criteria, i.e. to Highlight from the Regulations:
a) Checklist of what topics must be included at a minimum on Notices and Forms
b) Any items shared with OCR should have approval by the entity's Chief Privacy Officer or Counsel, a requirement before links are OK'd by OCR
The 70+ Privacy Officers (of Larger Entities) in our MA Health Data Consortium Privacy Officers Forum have almost universally rejected generic forms as non-productive for their specific needs. I would expect the same reaction from smaller providers.
Let me quickly use the PowerPoint to show you elements of our Coalition and Partnerships in Massachusetts (and what we recommend local conveners to use) reflecting seven Highlights of each Local Working Group (CIO Forum, Business Operations Forum, Privacy Officers Forum, Security Officers Forum):
1) Each group Privacy/Security has a Mission Statement
2) Always Co-Chair (Provider & Health Plan from covered entities)
3) Regular Survey for Priority Setting
4) Publish Lessons Learned
5) Share donated Policies, Forms and PowerPoint Presentations
6) Cross-Reference to other HIPAA requirements, e.g. more emphasis needed on Transactions & Code Sets
7) My Board of Directors is committed to our role as a resource for the community and to find creative ways for our Non-Profit to stay in business (via Membership, Educational Events) to afford to staff the HIPAA websites etc.
In conclusion, it's important to note that when my members (the Privacy Officers, Security Officers et al.) have time for thoughtful, reflective moments, there is consensus that HIPAA gives our health care industry an opportunity for collaboration among covered entities and to re-establish trust among Consumers, their Providers, Employers and Health Plans to collect the data accurately and to treat employees/patients and their information consistently in our community and with dignity.
Thank you for this opportunity to provide Testimony.