NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Subcommittee on Privacy and Confidentiality

IMPLEMENTATION OF THE HIPAA PRIVACY RULE

Written testimony by:
Chris Apgar, CISSP
HIPAA Compliance Officer
Providence Health Plans

November 10, 2002


3601 SW Murray Blvd, Ste. 10
Beaverton, OR 97005
November 10, 2002

National Committee on Health & Vital Statistics
Subcommittee on Privacy and Confidentiality
C/o Stephanie Kaminsky
Office for Civil Rights
U.S. Dept. of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201

RE: HIPAA Privacy Rule Implementation Challenges & Opportunities

Dear Chair Rothstein and Fellow Committee Members:

My name is Chris Apgar and I am the HIPAA Compliance Officer for Providence Health Plans. I would like to thank Dr. Kepa Zubeldia for his generous invitation to testify before this subcommittee. I apologize for missing the opportunity to deliver my message in person last week in Salt Lake City.

I have been involved in large project management and regulatory oversight for the past 16 years in public and private sector senior management positions. For the past three plus years, I have served as Providence Health Plans’ HIPAA compliance officer. In that role, I serve on local, state and national HIPAA related committees including the American Association of Health Plans (AAHP) Privacy Subcommittee, the advisory board of the HIPAA Compliance Insider, the Oregon Medicaid contractors HIPAA workgroup, the Pacific West HIPAA Congress and I chair the Oregon HIPAA Forum transaction and code set subcommittee. I have done my tour on the speaking circuit and have collaborated with Dr. Zubeldia since the October 1999 Baltimore HIPAA industry summit on data security.

I had the pleasure of providing input during the drafting of the AAHP testimony presented by Colleen Grimes, AMERIGROUP Corporation, on October 30, 2002. I concur with much of what was presented by Ms. Grimes. Please refer to Ms. Grimes’ testimony. Rather than reiterating what you have previously heard, I would like to take this opportunity to highlight a few points I feel of key importance to the successful implementation of HIPAA privacy requirements, balancing the privacy need of health care consumers with their desire for quality healthcare at an affordable price and prompt payment of their insurance claims.

Key Challenges & Opportunities

I consider the following the key challenges to the health care industry and health plans specifically as we move forward with compliance efforts. These same challenges present opportunities to improve privacy while increasing efficiency, which will potentially result in lower health care costs.

1. Lack of Enforcement Rule:

Amendments to the privacy rule assisted the industry and consumers in eliminating some ambiguities and correcting some unintended adverse consequences that would have resulted had the privacy rule not been amended. Just as with many complex regulations, though, the privacy rule continues to confound, confuse and result in ongoing debate between well meaning covered entities, legal experts and consumer advocacy groups.

The Office of Civil Rights (OCR) has committed to promulgating enforcement regulations that clarify provisions and send a clear message to the healthcare industry regarding compliance requirements. It is difficult to determine if a particular compliance approach is appropriate and proper without clear guidance from the enforcement agency. Please refer to Ms. Grimes’ testimony for specific examples of areas where specific regulatory interpretation and enforcement guidelines would be desirable.

2. State Preemption & Conflicting Federal Law:

Much as the privacy rule represents a positive move towards providing greater protections for healthcare consumers while increasing efficiencies in the healthcare industry, HIPAA does not represent that proverbial broad based privacy standard governing the sharing of health care information. The healthcare industry is now faced with the daunting task of determining what set of rules govern the sharing of protected health information. A hodgepodge of state and federal law exists outside the boundaries of HIPAA and the industry is challenged with not only determining which regulation prevails but also which regulation prevails for a given portion of their business when healthcare activity crosses state lines.

While outside the direct control of OCR and NCVHS, it would be helpful if the message were delivered that, until some common standard is adopted, compliance with the myriad of state and federal laws will remain a challenge and prove to be costly to the industry and consumers. Also, the lack of such a standard presents a confusing maze of definitions and requirements consumers are forced to attempt to understand when attempting to determine how and when their health information may be shared and what they are required to do to prevent unwanted sharing.

3. Lack of Standardization:

Providence Health Plans is in the process of finalizing its privacy rule policies and procedures, training staff and business partners, and developing the administrative systems necessary to support compliance with the privacy rule. We have the good fortune in Oregon to work in a collaborative environment where it is not uncommon for payers, providers, clearinghouses, vendors, public sector and the legal community to work to jointly develop standards that are effective, meet regulatory constraints and serve the needs of our customers. This is not true in all states and, even given Oregon’s collaborative environment, developing workable standards that are understood, accepted and meet the differing needs of each industry segment, is a significant challenge. Ms. Grimes provided the subcommittee with sample standard forms developed jointly in Oregon. These standards required many hours of discussion and are still not final. I am happy to say that, at least in Oregon, we are nearing the finish line in some areas of standards development.

I am somewhat biased but I believe Oregon is ahead of a number of other states in developing processes, forms and standards that are accepted across the industry. This is beneficial in Oregon and still frustrating for collaborating parties as we look at our mutual and separate needs. It highlights the need for standards that work across state lines, are scalable and meet the varying needs of, say, health plans versus providers. It has been a daunting task and apprehension is rising even among the more savvy as we look towards a looming compliance deadline and the remaining work to be completed so business may continue smoothly while providing appropriate consumer protections. This is an area OCR could act as a leader and a clearinghouse of information, assisting the industry in developing common base level standards that are flexible, meet the needs of large and small organizations, take into account differing regulatory/operational requirements between industry segments and protect the privacy rights granted US healthcare consumers.

4. No Final Security Rule:

As has been stated by many, privacy and security are separate but at least some level of security is required to be able to truthfully say an individual’s privacy has been protected. The US Department of Health & Human Services (HHS) spokespeople have stated on more than one occasion that they anticipate only minor changes between the draft and final security rule. The draft rule was published over two years ago. It would be more than beneficial if HHS could make that last push to finalize the rule.

Even though the security rule is not final, the privacy rule and the underlying statute require solid security practices be adopted to protect the privacy of health information. The industry is left with a mandate but no adopted standards. This increases liability, potentially increases costs and leaves organizations and consumers lacking a clear set of standards that can be relied on.

5. Lack of Global Outreach & Technical Education:

AAHP and others have invested a significant amount of resources to develop understandable and valuable tools to assist affected parties with compliance efforts. Unfortunately resources are limited, outreach tends to be effective only with a small segment who engaged in the task of understanding HIPAA early and often lacks consistency (please see my statements regarding the lack of industry standards). It is not likely OCR could be successful in developing comprehensive technical assistance programs that will touch all segments of the healthcare industry but, given the resources, OCR could move a long way towards getting the message out and providing needed resources to assist with compliance activities.

The key, though, is the provision of adequate resources. OCR has not been provided adequate resources to do the job. If the expectation is OCR act as the chief enforcer and the chief educator, Congress and the Administration need to make the necessary fiscal investment to push forward with a robust technical assistance program.

Conclusion

Providence Health Plans intends to continue local and national partnerships in an effort to effectively and efficiently implement the provisions of the HIPAA privacy rule. As we work with others to step around the land mines and set aside roadblocks, we look to HHS, OCR and NCVHS for advice and assistance. Protecting the privacy of health information while keeping the doors open and the business of healthcare moving is a national challenge. We will continue to expend valuable healthcare resources on implementing a complex and often inconsistent set of state and federal laws. The sooner recognized standards are adopted, compliance tools provided and privacy regulations amended to reduce inconsistency, the sooner costs are reduced and understandable and workable privacy is achieved.

Thank you for this opportunity to present my views and suggestions. I welcome any questions or requests for additional information. I hope to work collaboratively with NCVHS and others supporting common privacy goals in the future.

Sincerely,
Chris Apgar, CISSP
HIPAA Compliance Officer
(503) 574-7927 (voice)
(503) 574-8655 (fax)
chris.apgar@providence.org

cc: Kepa Zubeldia, MD, President
Claredi