My name is Gary Morse. I am vice president and general counsel of Physicians Insurance A Mutual Company (Physicians Insurance), a physician owned and governed professional liability insurer based in Washington State. The company and its subsidiaries insure about 7,000 physicians, 2,000 dentists, and 20 hospitals, mostly in Washington, but with some business in Oregon, Idaho, Montana, and Alaska. Physician leaders in the Washington State Medical Association formed the company in 1982, and shortly thereafter, the company joined the Physician Insurers Association of America (PIAA), a trade association of health care provider owned or operated professional liability insurance companies. Attached to my testimony is a copy of a November 5, 2002, letter from the PIAA to Susan McAndrew at the Office of Civil Rights discussing one of the matters I will touch upon today.
I will address the following issues:
Medical Malpractice Insurance Premiums
I have been asked to comment on the expected impact of the HIPAA Privacy Rules on medical malpractice insurance premiums. The short answer is that we expect no impact on premiums. Let me briefly elaborate.
There is no private cause of action for violation of the HIPAA Privacy Rules, but there can, and undoubtedly will be, lawsuits under state law that will involve health care information privacy issues. However, historically, such cases have been rare, and their cost has been negligible. Although we may see an increase in privacy-related claims simply because of the publicity that will occur as the April 14, 2003, enforcement date approaches, we foresee no impact on medical malpractice premiums.
It is true that many hours of staff time in companies like ours have been spent on understanding the HIPAA Privacy Rules, comparing them to existing state law, and developing educational programs for our insureds. And we will have to hire attorneys to help with some of the trickiest issues. However, these expenses represent a negligible percentage of our operating expenses and will have no impact on medical malpractice premiums.
How Companies Like Ours Can Assist our Insureds With Privacy Rule Implementation
Based on these comments, one might wonder why we are devoting resources to helping insureds implement the Privacy Rules. I have asked myself that question many times, especially when dealing with a tricky issue of whether a particular piece of state law was more stringent than the HIPAA Privacy Rules. But there is a clear answer to the question.
Most companies like ours devote considerable resources to risk management services. Our own risk management department estimates that even before HIPAA, nearly half of all inquiries from insureds dealt with some aspect of using or disclosing patient medical and financial records. As long as we provide this service, it is imperative that we be conversant with the HIPAA Privacy Rules.
A second reason to devote our resources to this effort is the vital importance of trust between physicians and their patients, both to the quality of care delivered and to the prevention of medical malpractice claims. If new privacy protections are implemented smoothly, there is an opportunity to promote that trust. If they are implemented poorly, that trust could be damaged.
Nearly two years ago, in January 2001, the PIAA formed a task force to assist member companies with their own HIPAA compliance issues as business associates of their insureds. I have had the opportunity to serve as one of three co-chairs of that task force along with Libby Lincoln of MMIC in Minnesota and Catherine Walberg of KaMMCO in Kansas. The task force also includes many attorneys employed by companies across the nation. Together the task force developed information for member companies so that each PIAA member company can be ready to be a business associate and to provide services to their insureds to help them implement the Privacy Rules.
So, Physicians Insurance has developed a HIPAA Privacy Manual for its insureds, which we are issuing in three steps. The first step was sent to all insureds several months ago to help them perform a gap analysis to identify possible deficiencies in their current privacy practices and to document that they have taken reasonable steps, in light of their capabilities, to improve privacy protections. This material also included a month-by-month calendar to ease the process of preparing to implement the Privacy Rule on April 14, 2003.
Soon, we will send our insureds a set of templates for forms and policies and procedures that take into account both the Privacy Rules and more stringent state law. We have worked particularly hard to develop templates for forms in plain language as required by the regulations and to keep the volume of material at a manageable level. By far, the most difficult portion of this effort has been identifying and incorporating state law that is more stringent than the HIPAA Privacy Rules. We have taken our best stab, and others in the state are continuing to look at the issue. We fully expect thinking to change on how to appropriately use state law, even after April 14, 2003.
The final step in our Privacy Manual will be templates and resources for staff training materials, which we hope to have available in January 2003. Our manual is provided to policyholders at no charge, and the Washington state version of the manual is available to the public on our web site at www.phyins.com.
In this process, we have not worked in isolation. We have worked closely with the Washington State Medical Association, the Washington State Hospital Association, several attorneys, and various other organizations working together to develop HIPAA materials in the state. We have met with large and small clinic managers to share ideas and identify logistical barriers to the implementation of the rule. We have obtained input on the forms from volunteers whose only contact with health care is as patients.
A couple of instances where the Privacy Rules interfere with the efficient delivery of quality health care
1. We have nothing but praise for the sincere and quite successful effort by HHS to prevent these rules from interfering with the efficient delivery of high quality health care. As you might imagine, as we all learn more about the impact of the rules in the real world, we will identify some problems. The letter from PIAA attached to my testimony speaks to the following issue that deserves further consideration by this committee and HHS.
The Privacy Rule requires a physician who is a direct service provider to give a patient the Notice of Privacy Practices the first time the physician delivers services to that patient on or after April 14, 2003. The Rule also requires the physician to make reasonable efforts to obtain an acknowledgement of receipt from the patient at that time. However, it is completely unrealistic to apply this requirement to settings outside the physician’s office. How can a physician realistically comply when the first service delivery is at the hospital bedside, the nursing home, or other facilities outside the physician’s office?
Of course, the duty does not apply in an emergency, but none of these examples are emergencies. And, it is clear that HHS contemplated that hospitals, nursing homes, and others would develop organized health care arrangements (OHCA) with their medical staff, which would provide the patient with a single notice of privacy practices on behalf of all members of the OHCA. However, in discussions with several hospital attorneys, I have been told that they are advising their clients not to form an OHCA. The legal reasons for this advice include the difficulty of managing the privacy practices of all the members of the medical staff. In addition, there is an increased potential that such arrangements could expand hospitals’ vicarious liability for the negligence of otherwise independent members of the medical staff.
We would ask that HHS acknowledge that the application of the Notice of Privacy Practices requirement to settings outside the physician’s office interferes with the delivery of health care and needs to be the subject of a future amendment to the Rules. Meanwhile, it would be especially helpful if HHS were to announce that it will not enforce the requirement outside the physician’s office until such time as this portion of the Rule has been amended.
2. My last comment is somewhat less specific, but is nonetheless all about a serious impediment to the delivery of health care. Physicians have always been dedicated to the sanctity of the physician-patient privilege, and all health care providers are sensitive to the importance of protecting the privacy of an individual’s health information. Yet, many are throwing up their hands in response to regulatory requirements across the entire spectrum of their practice, from patient billing to enormous amounts of paperwork to OSHA requirements to medical malpractice risk and, yes, to the HIPAA Privacy Rules. Countless physicians have lamented to me that they just want to take care of their patients, but the insurers and the government won’t let them do it.
Now, we are not going to solve that problem here. But HHS can do something about the “fear” of one more set of regulations. My thought is to draw further on the use of the word “reasonable” that appears hundreds of times in the Rules. Perhaps HHS can issue a guidance document declaring that reasonable efforts to comply are what is expected and that only clear abuse will be the subject of enforcement action. Perhaps the guidance document can describe how patient complaints, wherever possible, will be addressed in a non-adversarial manner in an effort to assist patients and providers in understanding and adjusting to these Rules. There are probably other ways that HHS could alleviate the growing “fear,” particularly with regard to guidance regarding the enforcement of the duty to comply with more stringent state laws. I believe that anything that can be done about this problem will better enable physicians to protect patient privacy.
There is a common ground here among patients, providers, insurers, and regulators. Everyone involved is working to maintain and increase the trust and openness between patient and physician that is so necessary to the delivery of high quality health care services.
Thank you for asking me to testify today, and thank you so much for your hard work on these issues.
Respectfully submitted,
Gary L. Morse
Vice President and General Counsel
Physicians Insurance A Mutual Company
1730 Minor Avenue, Suite 1800
Seattle, WA 98101
(206) 343-7300