American Health Information Management Association (AHIMA)
1730 M Street, NW, Suite 409
Washington, DC 20036
Phone: 202-659-9440
Fax: 202-659-9422

November 1, 2002

Mark A. Rothstein, JD
Chairman, NCVHS Subcommittee on Privacy and Confidentiality
c/o University of Louisville School of Medicine
501 East Broadway, Suite 310
Louisville, Kentucky 40292

RE: Follow-up Testimony and Comments
Subcommittee October 29 and 30, 2002
Hearing on HIPAA Privacy Regulations

ATT: Marietta Squire

Dear Chairman Rothstein:

The purpose of this letter is to serve as official testimony and comments of the American Health Information Management Association (AHIMA) with regard to the October 29-30, 2002 hearing of the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics (NCVHS) on the HIPAA(1) Privacy Rule and its implementation. Besides sending this letter to you, I am copying it (and sending it via e-mail) to the members of the subcommittee and staff. This letter will also be sent and filed so that it is acknowledged as an official comment.

First, let me congratulate you, the subcommittee, and the staff for the excellent hearing that was held this week in Baltimore. I found it to be focused, constructive, and certainly educational. I only wish I had been able to attend the meeting in Boston, and I hope I can listen in on part of your hearing next week in Salt Lake City.

AHIMA

AHIMA is a not-for-profit professional association representing more than 43,000 health information management (HIM) professionals who work throughout the healthcare industry. AHIMA’s HIM professionals are educated, trained, and certified to serve the healthcare industry and the public by managing, analyzing, and utilizing data vital for patient care, while making it accessible to healthcare providers and appropriate researchers when it is needed most.

AHIMA professionals, especially those working in HIM or medical records departments, are also trained in the protections, legal requirements, and “release of health information” functions. For years they have overseen the use and disclosures of health information from HIM and medical records departments in healthcare facilities, professional offices, as well as other organizations. This training and facilitation of the “release of information” functions has provided HIM professionals with considerable experience in working with those persons normally seeking health information from an individual’s records – the individual themselves, legal bodies and government representatives, researchers, health plans and third party payers, and so forth – and we believe that this unique experience also has readied HIM professionals to take on the role of the HIPAA privacy officer. Indeed, many of our members have taken on such a role, and AHIMA has begun the process of credentialing professionals in the field of healthcare information privacy. AHIMA is also working with the Health Information Management Systems Society (HIMSS) in offering a joint privacy-security certification.

As noted, HIM professionals have been the source of health information protections for many years, therefore our interest in the HIPAA privacy regulation has been from the perspective of trying to maximize the privacy, confidentiality, and trust expected by the patient or individual, while keeping such information available to support a number of necessary functions; the most important of which is patient care.

Office of Civil Rights (OCR)

Two observations need to be made about the Office of Civil Rights. First, I am concerned with the comments made in the October hearing about the lack of “frequently asked questions” responses by OCR on its HIPAA Privacy Web site. Apparently, few people know that the OCR was prohibited from responding to questions until it had completed and published the final rule on the modification of the HIPAA Privacy Rule. This was done on August 13, 2002, and it is to their (OCR’s) credit that they immediately began to address and post responses to questions.

Second, I just want to comment that AHIMA has been very pleased with the OCR’s approach to its responsibilities with the HIPAA Privacy Rules and the cooperation we have seen between the OCR and the industry. The Office and its staff are to be congratulated.

Comments to the OCR Questions

The responses below are to the questions raised in Stephanie Kaminsky’s e-mail of October 1, 2002, and comments raised in this week’s hearings.

Question 1: What outreach, education, and technical support programs are needed from OCR, including suggestions for OCR priority setting?

Need for a “Public Relations” Campaign – Covered Entities
AHIMA believes that currently the first priority of the OCR should be to identify the privacy requirements to the non-acute healthcare providers, smaller health plans, and third-party payers and administrators.

From our contact with our members and various healthcare providers it appears that hospitals and health systems know the regulations exist and are in the process of implementation – the testimony in this week’s hearings concurs with our observations. Our contact with professional offices and individual practitioners, however, indicates that many are not aware of the regulation, or if they are, many are very confused about the regulations.

We suggest a public relations program (and there were some excellent recommendations made in the October hearings) directed to the non-acute hospital audience, which should address the:

On this last point, I must note that when I encounter a small professional practice that is aware of the HIPAA privacy requirements, they often do not know much concerning the rule’s detail, but they have heard “stories” of the complexity of the regulation. It is the experience of many of our members, that implementation of the privacy rule for small facilities and practices should be relatively simple, once such entities understand the rule and its goals.

OCR, therefore, must first let affected parties know the rule exists, what it contains, its requirements, and its scalability. As it was noted in this week’s hearings, OCR also needs to channel this education and publicity in some different directions. We believe that most trade and professional healthcare associations have highlighted HIPAA privacy, but it appears that such information has been ignored. Perhaps articles authored by the OCR or HHS in the trade and public press would be helpful. A letter from the Secretary, suggested by a few of the speakers, might work as well.

I must note that many AHIMA members and their component state associations are undertaking to identify the HIPAA privacy requirements to healthcare professional providers in their region. Unfortunately, such an activity is voluntary and can only come after our members’ primary jobs are completed. If there is something that AHIMA can do to collaborate with the subcommittee and the OCR, to assist in a PR campaign, please let us know.

FAQs
Frequently Asked Questions (FAQ) is an activity that the OCR has already initiated. The OCR Web site is an excellent resource, and we point to it often. Unfortunately, while OCR was tied up responding to the second set of privacy rule changes recently released in August, many entities went to the Web site and did not find the questions or the answers they were looking for. Many also did not leave a question. Often, and especially in small entities that have not had an HIM or medical record function, the staff do not know how to ask the question, and so they either do not ask it or they come to AHIMA, their professional or trade association, or a consultant. Sometimes we can answer the question. Sometimes we cannot, and we must turn to the FAQ option as well.

AHIMA suggests that the OCR concentrate on the FAQ mechanism. OCR can look to associations, such as AHIMA, for questions that are arising in our work with these covered entities as well as those it has received. Associations can consolidate questions; we can determine the “theme” of questions; and we can interpret some of the concerns so that answers fit the question, site of service (which can impact the question), and so forth. Because our members work in a variety of healthcare facilities (acute care, SNF, LTC, rehabilitation, psychiatric, teaching, and ambulatory sites), large practices and professional offices, research facilities, government facilities, and health plans, we can pull together individuals who can give their perspective on a particular sector of healthcare or share their knowledge of how a rule, process, or procedure might work in a particular environment. We performed a similar function in 2000, during the development of the privacy regulations.

AHIMA has also established electronic Communities of Practice (CoPs). These Internet communities – open only to AHIMA members – number close to 100 and are arranged by subspecialties as well as geographic and governmental regions. The CoPs can allow “trial balloons” to be raised in such a way as to provide feedback for potential options and responses.

Public Relations Campaign – The Press and Therefore the Public
While there is a need to work with healthcare professional providers and other covered entities, there is another body that needs to be worked with – the press. The HIPAA privacy requirements must be implemented by April 14, 2003 – that is a Monday. Personally, I have this nightmare that on Sunday evening, April 13, 2003 – a “slow news day” – every newspaper and television outlet will be letting the public know of these “new” federal regulations and “rights” that will go into effect the next day – and what the public should demand of the industry.

Such press or media attention, without a good basic understanding, could result in individuals converging on healthcare providers and plans the next morning and demanding “rights” and explanations that, given the number of requests, the covered entity will be unable to handle. It will not be a case of not wanting to comply; rather, it will be a case of too much all at one time.

The HIPAA privacy rule is now complete. We all know the content of the rule that must be complied with on April 14, 2003, and we know the options each of the covered entities has to choose to meet the rule’s requirements. The press and the public need to know these same facts. If the OCR can undertake to educate the press and the public as to the rule and what can and cannot be done under the rule and when, it will greatly help not only the public, but the industry as well. We – the healthcare industry, the NCVHS, and the OCR – also need to address this education function in a positive fashion. Adherence to the privacy regulations should begin to build the trust that will be necessary to support a national healthcare information infrastructure. I have attached our statement on the infrastructure for your review [Attachment I].

AHIMA has also produced a number of consumer-oriented documents regarding HIPAA privacy requirements for organizations to use with the public – their patients. We hope these will lend help to the effort to prepare the public for HIPAA. If there is anything else AHIMA can do to assist the OCR or NCVHS on this suggested PR project, please let me know.

Question 2: What areas are especially in need of guidance from OCR? What difficulties are providers and plans experiencing coming into compliance?

Clearly from our experience and the testimony presented this week, the healthcare community is looking for “official” guidance and answers to its questions. Organizations like AHIMA can only go so far in responding to questions, and then we too must seek an “official response.”

The covered entities, consultants, associations, and others in the industry are concerned that if they do not get an official response they will be liable for implementing in an incorrect manner. Whether the OCR will be benevolent in its enforcement remains to be seen. As you heard, the industry’s experience is not one of benevolence.

No one wants to implement over again. The sooner one gets the “right” information, the sooner implementation can continue. We recognize that OCR has had its hands full responding to the modification regulations, and perhaps the industry teams previously suggested could assist, but there is a significant need for timely answers to FAQs and for producing the guidance that has been promised, before the compliance date.

Current Key Questions Needing Guidance
Patently, our response to this question is similar to that for the first question. Many of the questions AHIMA receives come from providers and plans that have not had an HIM function. Some of the key questions that we would like to bring to your attention include:

As noted before, if the OCR is willing, associations like AHIMA can serve as collectors or interpreters of questions to be answered by OCR in the FAQ. We have no desire to put ourselves in between the questioner and the OCR, but we can help the OCR to understand the question, and we have a general knowledge of the environment that is behind the question.

Question 3: What “best practices” are being done in the industry? Are compilations of best practices available and how are successful implementation strategies being disseminated?

There are a variety of “best practices” being circulated in the industry. Some take the form of programs, such as AHIMA’s “Getting Practical With Privacy;” some are being published in books, and some, such as AHIMA’s “Best Practices,” are published in professional journals (such as the Journal of AHIMA) or on Web sites, such as AHIMA’s (www.ahima.org).

The HIPAA privacy rule is essentially new for the industry, so implementation strategies and best practices have to rely on past practices such as “release of information” and HIM privacy practices, experience from the industry’s involvement with Medicare compliance, and information from privacy efforts in other industries. As implementation takes place, these resources are updated to reflect the positives and negatives of the implementation process.

AHIMA members-only Web-based CoPs, including a HIPAA community and a HIPAA Privacy community, offer privacy officers and HIM directors a place to exchange information and help each other out with privacy implementation issues. While these communities are not open to non-members, the results of these communities’ sharing do eventually become the basis for “best practices” that are published and posted – and accessible to the public.

One of the problems associations experience is that those best in a position to share strategies and practices are also those deeply engaged in the activity with no time to write for the benefit of others. AHIMA is fortunate to have a team of professional and technical staff members who have worked in the industry and who can work with members to ghost-write items that can be shared. This team has also revised all of AHIMA’s affected “best practices,” and these revisions have been (and will be) posted on our Web site and published in our AHIMA Journal.

The one concern with seeking and finding “best practices” or implementation strategies is the ability to determine which practices or strategies are, in fact, the appropriate and correct practice, policy, or procedure for a specific situation. This is a real problem for entities seeking to implement the privacy rule with no previous experience.

AHIMA is fortunate to have an excellent reputation in the industry, but there is no “seal of approval” for such information in the industry, and some will not know that they are implementing incorrectly until they find out further down the line. While implementing a “seal of approval” requested by many of the testifiers would be difficult, it certainly would help the industry.

Question 4: What are the available resources for HIPAA compliance (especially no or low cost ones) including those from professional organizations and trade associations? What helpful websites are entities using? What other work has been done and is it in the public domain?

AHIMA Resources
AHIMA has been addressing the issue of privacy and confidentiality for many years. A good example of our involvement is our newsletter In Confidence, which just celebrated its 10th anniversary. In addition AHIMA included a privacy module for its HIPAA online education program three years ago.

More recently, AHIMA initiated its Getting Practical With Privacy training session – a two-day training session that was held around the country and included a several-hundred page guide to privacy implementation. This guide has been revised since the final modification rules were published in August 2002, and also reflected the proposed rules previously. When the modifications were published in August, additional materials were sent to the course’s previous attendees to bring them up to date. This program will again be offered in the coming year, and it will be modified to match the needs of individuals new to the concept as well as those who want a refresher just prior to the compliance date.

AHIMA offers a number of audio-teleconferences throughout the year. Privacy or HIPAA privacy rules are often the topic. A session covering the modifications made final in the August regulations was offered within two weeks of the OCR’s publishing the regulation and steps have been taken to ensure future conferences will be held within days of any major releases. The AHIMA Web page also includes analysis of the privacy rule and other HIPAA material.

AHIMA has initiated a privacy credential and a privacy institute to facilitate those who are in the privacy officer role or wish similar education. The privacy credential – Certification in Healthcare Privacy, is offered in an on-line testing process. The institute is also offered on an on-line basis. AHIMA is working with the Health Information Management and Systems Society (HIMSS) and will jointly sponsor a Privacy and Security certification to correspond with HIMSS’s security certification.

I must provide a note on the AHIMA Certification in Healthcare Privacy examination. This past Wednesday, during the hearing’s public comment period, a comment was made that AHIMA’s examination questions were not up to date with the August 2002 HIPAA privacy rule modifications. That statement, while correct, does not acknowledge the situation surrounding a certification examination and the required development of qualified questions.

It takes several months to write and proof test questions for a certified certification exam. Knowing this, and knowing that the AHIMA exam would be first available this fall, the group designated to write the exam questions wrote all questions pertaining to those issues identified in the NPRM in such a way that the answer would be neutral to any final rule. This approach was noted in the exam application material, so that those taking the exam would not be surprised that the exam questions did not reflect specific output from the August rule modification that became effective October 15, 2002. The exam committee has updated the questions; however, given the process that is required in order for the exam to be accredited, specific questions related to the August modifications are not on the current exam.

I mentioned previously that AHIMA has published a number of “Best Practices” applying to the privacy and confidentiality of health records and information. These practices have grown from previous activities and functions of our HIM professionals with regard to release of information and other HIM requirements for privacy and confidentiality. “Best Practices” are continually monitored to ensure that they keep current with national requirements including the HIPAA privacy requirements. “Best Practices” are printed in our Journal and posted on the AHIMA Web page. AHIMA’s “Best Practices” are often referred to as standards in health record management for the industry.

AHIMA also monitors all federal activities related to HIPAA privacy. Such information, along with other information related to healthcare and general privacy and confidentiality, finds its way into a variety of the Association’s publications and other member services.

Finally, once again I have to point out that all of AHIMA’s CoPs are member-run and driven, and provide a forum for members that have common interests or responsibilities. With regard to HIPAA privacy, and beyond the discussion possibilities that I have previously mentioned, a CoP offers members the opportunity to have access to a variety of Web links, community resources, and FAQs on specific issues.

Other Resources
Certainly, the subcommittee is familiar with the federal Web sites sponsored by the OCR and HHS. Patently, there are many other sites as well, and Rita Bowen, one of the testifiers and a member of AHIMA, has provided several in her testimony. The problem in identifying these additional Web sites or other types of resources is knowing that these are responsible and comprehensive resources.

One’s ability to judge such resources is limited, in part because the last word on the accuracy of any information will be the OCR. As several individuals testified in this week’s hearing, it would be very helpful if the OCR could give a seal of approval for resources. Otherwise, we have to rest on the reputation of those offering the resource. Those involved in HIPAA typically receive a variety of advertisements for HIPAA compliance material each week. They have limited time to review these resources and to determine their value or authority. While my colleagues and I have much more experience than the average office, practice, or facility we are not in a position to make recommendations. Any assistance that the OCR or HHS could render would be greatly appreciated by the industry.

Question 5: How are covered entities approaching the privacy rule’s training mandate?

Healthcare providers that have had to initiate training for the Medicare compliance requirements seem to be addressing the privacy requirements in the same manner. This approach includes training for all employees or workforce on a general level, followed by specific training for those positions and functions where it can be expected that employees will need to know much more specific information and have specific training. A number of larger facilities and health systems have initiated on-line training for staff. Such on-line training makes it easier for facilities like hospitals, with multiple shifts, and home health agencies, with scattered staff, to ensure that training is available. Most of these groups also are integrating privacy into general orientations, setting up plans for annual refresher courses, and establishing training for professionals that interact with the facility, like physician groups.

Groups that have not had the Medicare experience have to start from scratch, but the model is there and groups such as AHIMA are assisting privacy officers to understand what must be done. In addition, there are numerous vendors willing to come in and train a provider’s or plan’s staff, or provide other training materials.

That leaves us with the training of those entities we identified above as not being involved in privacy implementation. From the standpoint that the smaller the entity the easier the training, we should have some “best practices” available when they become alert to the fact that they have to train. But formal training has been alien to many such organizations. This could be an area where the OCR could work with CMS to determine methods that could be used to assist these entities. CMS has gone through significant efforts in the past 5 years to establish training mechanisms – perhaps OCR could use these. If AHIMA can be of assistance, let us know.

Question 6: Are there any models for public (Federal, state, and local) – private partnership development? How should covered entities go about coalition building and developing consensus procedures?

I believe by now that I have conveyed that AHIMA and its members are open to a variety of different public-private partnership opportunities. Others that testified this week have also noted our involvement and that of some of our CSAs, such as the Tennessee Health Information Management Association and its work with the state’s hospital association and medical societies.

Another example is the Markle Foundation’s Connecting for Health project that includes privacy and security of electronic health records and information as one of its goals. Both AHIMA and the NCVHS are involved in this project, which was kicked off in September and should be completed in nine months.

Issues like preemption lend themselves to coalition building on a local level – unfortunately, such local consensus does not help the interstate problems that many covered entities are experiencing, and tends to lower the floor for HIPAA privacy. I have also noted that in a time when everyone is so busy with the initial implementation there tends to be limited activity to build such consensus. It was also pointed out in testimony that the subcommittee and the whole NCVHS must point out the need for Congress to address the issue of preemption. Certainly, the NCVHS can significantly help the industry to reach consensus on this issue and raise the privacy ceiling and provide uniform and standard protections across the spectrum.

Fortunately for AHIMA, we have a very diverse membership that gives us internally a perspective across the healthcare industry. With such a perspective, we are always open to working with any segment of the industry to try and reach consensus on an issue, process, or procedure, and have a history of doing so. Certainly, there should be a post-implementation point where the industry, the OCR, and the subcommittee can sit down and look at what regulations need to evolve and what consensus is needed in order for the goals of the HIPAA privacy rules to be met and to ensure that the consumer’s trust is once again manifested by the industry’s practices. AHIMA would be pleased to participate in such a meeting.

Question 7: How are entities managing to do the state/federal preemption analysis fundamental to HIPAA integration and compliance? How should we address the integration of HIPAA and other federal and state laws?

The preemption issue is significant when related to privacy. We have experienced a mixed picture from those now addressing the preemption requirements. Some covered entities appear not to understand the issue at all, whereas some have an active campaign to understand the conflicts and determine the more stringent requirements, by working with the state’s healthcare associations and various legal groups. In one state, the hospital association is coordinating a group purchase of legal services to determine that state’s “conflict” issues; each member organization that joins this effort can take its questions forward to be answered by the attorney that has been hired. This work, however, as pointed out in several testimonies, does not address the need for full federal preemption.

It is clear that a central process for determination of the preemption issues would be the best solution. It is also clear that the money and possibly the authority for this to occur, within the OCR, does not currently exist. However, some ability to make such decisions is going to have to be established so that the millions of covered entities can get consistent answers. The NCVHS is going to have to alert the Congress and the Secretary to this issue and prove possible ways to resolve it including raising the privacy floor. In the meantime, it might be helpful for the OCR and HHS general counsel to approach all agencies and offices whose rules intersect with the HIPAA privacy regulations and establish a consensus on preemption that can result in consistent responses to questions on this issue.

Several AHIMA members have raised questions concerning conflict among different pieces of federal regulations. To date, these issues have not been specifically identified and I have asked for clarification. When we receive such clarification we will forward the information on to the OCR for its response. I have raised questions with other federal agencies and offices (outside of CMS and OCR), and find that very few of them have much awareness of the HIPAA privacy rules.

Question 8: Can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small providers and health plans?

I believe we have commented on this issue above, and the short answer is no. Besides the issue of a “seal of approval” for such information and services, we have found that there are very few vendors or consultants that are specifically directing their efforts toward small providers, health plans, and third party administrators. The few we found had rather simplistic answers that did not recognize the variances among small providers or the needs that differ so much from mid-sized and larger groups, organizations, and facilities. We have found a number of volunteer activities – those “in the know” helping those who did not know. This raises all the issues I have previously covered and covered so well in this week’s testimony.

Given the time remaining – 5 months, the size – small entities with limited resources (dollars), and the necessary expertise, there are few qualified to be a consultant and few willing to be a consultant or vendor for these entities. In December, the initial privacy regulations will have been published for two years. Obviously, many covered entities have delayed implementation for a variety of reasons. It does not appear that extending the compliance date would improve this situation. Flexibility and understanding on the part of the OCR, I believe one person in her testimony called it “compassionate compliance enforcement,” might be the only way that we can ensure that the privacy regulations will be implemented in 2003.

Conclusion

Once again, we at AHIMA would like to thank you all for these hearings and the time that the Committee and staff have put in to make them a success. And, we thank you for the opportunity to participate with this written testimony.

We have made several comments and offers acknowledging AHIMA’s willingness to work with the Privacy and Confidentiality subcommittee, the full NCVHS, and the OCR to ready the industry for the HIPAA privacy regulations. We hope that you will take us up on this offer, and if there is anything else we can do, please let us know.

Sincerely,

Dan Rode, MBA, FHFMA
Vice President, Policy and Government Relations

cc – via e-mail: NCVHS Privacy and Confidentiality Subcommittee
Stephanie Kaminsky
Marietta Squire.

Attachments (3)

(1) HIPAA refers to the Health Insurance Portability and Accountability Act of 1996 and its subsequent Department of Health and Human Services regulations including the HIPAA Privacy Regulations and Guidance.