Michael A. Kalm, M.D., P.C.
Adult, Adolescent And Child Psychiatry
Email: mikalm@alumni.duke.edu
3191 South Valley Street, Suite 152
Salt Lake City, Utah 84109
Telephone (801) 468-1248

Testimony at the National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy and Confidentiality hearing on November 6, 2002

Good morning.  I am Michael Kalm.  I am Secretary of the Utah Psychiatric Association and I am a private practitioner of Psychiatry in Salt Lake City.  When I say private practitioner, I mean precisely that.  I practice in an office entirely by myself.  I have no receptionist, no secretary, no office manager.  I contract with a billing service that does billing for me.  I have an accountant that does my taxes.  Otherwise I perform my professional duties entirely by myself.

My first awareness of HIPAA came through a mailing from the American Psychiatric Association’s Office of Healthcare Systems and Financing in late July of this year.  This mailing gave me an overview of HIPAA, threatened me with 10 years in prison and $250,000 in fines for noncompliance (that got my attention), and directed me to a web address (which was misspelled, “hippa” instead of “hipaa”) to file for an extension.  The mailing indicated that even with the extension, there had to be full compliance with something called the “Privacy Rule” by April 14, 2003 and something else called the “Transaction Standards” by October 16, 2003.

The mailing went on to detail between 66 and 90 main points that had to be considered in order to be in compliance.  Regarding these main points, the essence was that I, as a practitioner, had to be able to demonstrate awareness of these points, policies and procedures to deal with them, training of staff in these policies and procedures, testing of staff in these policies and procedures, evaluations of the testing, monitoring the results and documentation of all of the above in some kind of standardized form that would indeed demonstrate compliance.

After I started breathing again, as an officer of the Utah Psychiatric Association, I brought this matter to the attention of the Executive Board of the Utah Psychiatric Association, where the general reaction was “Huh? Hippa? What’s that?”  Some of our members, who work for major institutions like the state, or the University of Utah, or Intermountain Health Care, reacted with, “Oh yeah, I’ve heard something about that, but the (fill in the blank) institution is taking care of all of that, I think.”  Other private practitioners, like myself, reacted with near panic, “Does that mean us?  What do we have to do?”

I took it upon myself to research this further, to see if there was some way to facilitate compliance for the private practitioners.  I did an internet search and came up with a 50 page Template for a Comprehensive Health Care Information Protection Agreement Between Business Associates, a one page Certificate of Group Health Plan Coverage, a 41 page “Certificate Policy Statement,” a 42 page guide to medical records documentation, a one page Medical Billing Code of Ethics, a one page sample form for Consent for Purposes of Treatment, Payment and Healthcare Operations, a one page sample Consent to the Use and Disclosure of Health Information for Treatment, Payment, or Healthcare Operations, a three page Sample (Chief) Privacy Officer Job Description, an 83 page Framework and Structured Process for Developing Responsible Privacy Practices, a one page sample Consent For Office Procedure, and a one page Authorization to Release Information.

Thus, in short order I had amassed 227 pages of documents that gave me a few sample documents, mostly arcane guidelines, and left me bewildered as to the question I started with, how do I ensure that I am in compliance with the Orwellian termed “Administrative simplification Provisions” of HIPAA.  Simplification?  I think not.

In the meantime, I have been receiving mailings from this or that organization offering to train me or my staff in HIPAA compliance for $300 and up.  I have no idea as to the worth of these offerings.

Stephanie Kaminsky’s October 24th email to me regarding this hearing suggested several topics this committee would like to hear about.  The first one on the list was “What outreach, education, and technical support programs are needed from OCR, including suggestions for OCR priority setting?”  Being something of a computer geek, I thought OCR stood for “Optical Character Recognition.”  Linking to some of the sites that Ms. Kaminsky recommended, I found out that OCR in this case referred to the Office of Civil Rights.  Starting from this example, I have some suggestions for helping the private practitioner:

  1. Don’t assume that we know what you know.  Explain the acronyms and explain the rules in clear, plain English.
  2. Help us with sample standard forms that the Government will accept.  We want to be in compliance.  We just want to know how.
  3. Put yourself in the shoes of the private practitioner.  You can’t foresee everything, but imagine that you are alone in your office like I am.  Show me how you would document that you are in compliance.
  4. Looking at some of the topics from Ms. Kaminsky’s email, such as “How are entities managing to do the state/Fed preemption analysis fundamental to HIPAA integration and compliance?” I ask myself, “What are they talking about?  What does that mean?  Does that have something to do with me?”
  5. After you have had a chance to understand the ignorance I have demonstrated in this testimony, tell me what I need to know.  There are a lot more like me.

Thank you.

Respectfully submitted,
Michael A. Kalm, M.D.