Department of Health and Human Services
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Hearing
Subcommittee on Privacy, Confidentiality & Security

“Minimum Necessary and the Health Insurance Portability and Accountability Act (HIPAA)”

Thursday, June 16, 2016

Capital Hilton Hotel
1001 16th Street, NW, Federal A Room
Washington, DC 20036

The National Committee on Vital and Health Statistics Subcommittee on Privacy, Confidentiality, and Security convened a hearing on June 16, 2016. . The meeting was open to the public and was broadcast live on the internet. A link to the live broadcast is available on the NCVHS homepage.

Subcommittee on Privacy, Confidentiality and Security

  • Linda L. Kloss, M.A., Co-Chair
  • Barbara J. Evans, Ph.D., J.K., LL.M., Co-Chair
  • Nicholas L. Coussoule
  • Vickie M. Mays, Ph.D., M.S.P.H.
  • Robert L. Phillips, Jr., M.D., MSPH
  • Helga E. Rippen, M.D., Ph.D., M.P.H., FACPM
  • Walter G. Suarez, M.D., M.P.H

Staff Members

  • Lead Staff – Maya Bernstein, J.D., ASPE
  • Executive Secretary – Rebecca Hines, MHS, NCHS
  • Amy Chapper, J.D., CMS
  • Gail Horlick, M.S.W., J.D., CDC
  • Hetty Khan, M.S., MGA, R.N., NCHS
  • Kathryn Marchesini, J.D., ONC
  • Rachel Seeger, M.P.A., M.A., OCR

Hearing Presenters List

  • Rita K. Bowen, – MA, RHIA, CHPS, SSGB
  • Robert Gellman, JD
  • Adam Greene, JD
  • Melissa Martin, RHIA, CCS,CHTS-IM
  • Alan Nessman, JD
  • Mark Rothstein, JD
  • Marilyn Zigmund Luke, JD

Others

  • Margaret Weiker, NDPDP
  • Dan Rode, Dan Rode & Associates
  • Deven McGraw, HHS
  • Wexler Walker
  • Latecia Engram, HHS
  • Gail Kocher, BlueCross BlueShield Association
  • Simone Coleman, M.P.H., B.S., HHS
  • Michael J. DeCarlo, Esq., BlueCross BlueShield Association
  • Lauren Riplinger, JD, AHIMA

HEARING SUMMARY
Thursday, JUNE 16, 2016

The NCVHS Privacy, Confidentiality and Security Subcommittee held a one day hearing to review current policies and practices of the HIPAA Privacy Minimum Necessary provisions and identify and discuss issues and challenges that the industry is facing when addressing this requirement, in preparation for developing recommendations to the Secretary for policy and practice guidance addressing compliance with the minimum necessary standard.

ACTION STEPS

  • Organize major points of the testimony
  • Put together an outline to work on as a subcommittee.

Thursday, June 16, 2016

WELCOME, INTRODUCTIONS, AGENDA REVIEW

Linda Kloss – Chair

Linda Kloss welcomed the members, panelists, staff, and attendees. After official introductions, Ms. Kloss announced that Barbara Evans would be the co-chair of this subcommittee.

Ms. Kloss set the framework for discussion of the minimum necessary standard in the HIPAA Privacy Rule which is both practical and complex. The purpose of the hearing is to support recommendations to the Secretary from the National Committee. On a separate track, the National Committee has approved a letter to the Secretary on advancing claims attachment standards.

OVERVIEW AND PURPOSE OF THE HEARING

Linda Kloss – Chair of the Subcommittee on Privacy, Confidentiality, and Security, continued by laying out the purpose of the hearing.

The HIPAA Privacy Rule requires that when a covered entity or a business associate uses or discloses protected health information, or when it requests protected health information (PHI) from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

The minimum necessary standard is the fifth most common HIPAA compliance issue investigated by the HHS Office for Civil Rights (OCR), due in part to insufficient awareness or lack of clarity about this requirement, the fact that personnel are not properly trained, and because many entities lack policies and procedures to comply with this requirement.

Ms. Kloss stated the objectives of the meeting as follows: a) Understand current industry policies and practices involving minimum necessary; b) Understand challenges and potential areas of clarification in light of these practices, new and emerging technology developments, and new and evolving policy directions since the Privacy Rule became effective; and c) Identify areas where outreach, education, technical assistance, or guidance may be useful.

FRAMING OF CURRENT ISSUES – Mark Rothstein, JD, University of Louisville Institute for Bioethics, Health Policy and Law

Mr. Rothstein outlined three main points: 

1) The minimum necessary standard was drafted and created to have a very crucial role in the privacy rule; 

2) The minimum necessary standard should be extended to treatment; and

3) for payment and healthcare operations, disclosures should be in the least identifiable form consistent with the use or disclosure.

His opinion was that there is no requirement for consent at the initial stage of an individual’s meeting with a healthcare provider.  Currently, minimum necessary attempts to regulate the amount of information that is disclosed.

Mr. Rothstein gave a striking example reporting that family members of the Orlando shooting victims were unable to get information from the Orlando Regional Medical Center because the Medical Center’s position on HIPAA would not allow it to provide information without a “HIPAA waiver.”  While there is, in fact, no need for a waiver in that circumstance, it speaks to the need for better educational outreach.

Minimum necessary should be extended to treatment to ensure that healthcare providers have role-based access to only certain parts of the medical record, thereby protecting patient’s sensitive information. Patients are concerned that their most sensitive health secrets are a click away from any healthcare provider for the rest of their lives.  Concern about privacy is a leading reason why people delay seeking treatment for substance abuse, mental health, and other conditions.

Confidentiality protections serve to advance both patients’ and the public’s interest. Therefore, in the case of payment and health care operations, HHS should impose a requirement that information be shared in the least identifiable form. It is beneficial and relatively easy to convert to a unique billing number, which would assure more privacy for individuals.

NOTE:  For further information about presentations, please refer to transcripts and Power Point presentations.

Discussion  

Dr. Suarez asked about the extension of minimum necessary to treatment and the challenge of having clinical linkages to appropriate information in order to treat the patient with the best care. Mr. Rothstein replied that that argument has been raised before. However, the key point to remember is that if protections are not in place, patients will begin to self-censor the information the provide to their treating physicians.

Mr. Rothstein continued that while the proposal is not perfect, and may mean giving up some clinical benefits in exchange for privacy protection, as we move to an era of widespread use of EHRs, a better balance is needed. Mr. Rothstein responded to a question about recommendations for policy changes related to health literacy. He suggested a one-page notice of patients’ rights and offering access to a link to the OCR web page for additional information. One member agreed that there is a need to start helping people understand their roles and responsibilities for their own healthcare. The discussion continued with Mr. Rothstein explaining how critical information such as a patient’s ability to tolerate medications should be available in all cases. The unknown is whether or not people would exercise their right to segment their health information. Privacy is not free.

There are financial, healthcare, and public health costs. A decision must be made as to whether the costs of privacy are worth the tradeoffs, and if so, take the steps to minimize the costs and maximize privacy. When asked if the current definition of minimum necessary was sufficient, Mr. Rothstein answered, “no.”  He recommended re-working the definition using many examples and FAQs. Additionally, he noted that educational efforts are needed to explain minimum necessary.

PANEL 1Policy Interpretations of HIPAA’s De-identification Guidance

Robert Gellman, JD – Privacy and Information Policy Consultant

Adam Greene, JD – Partner, Davis White Tremaine

Robert Gellman

The minimum necessary rule is a general constraint, and the Committee should re-affirm the need for it. Disclosures permitted by the Privacy Rule for law enforcement and national security are broad and lack adequate standards to protect individuals. The minimum necessary rule is a constraint when a covered entity discloses a health record to a non-covered third party. The lack of understanding about the HIPAA Privacy and Security Rules in the industry is evident as entities in the health care system have various ways of responding to a treating physician’s request for records. However, it is necessary to prepare the health industry for a transition to a time when there will be constraints on treatment disclosures.

Patients should be provided some degree of control. Although most patients will not care to control their records, finding a way to accommodate their interests is necessary. Doctors’ arguments regarding medication are valid. For instance, there is an interest to control the misuse of narcotics. Furthermore, patients have a responsibility to say what their preferences are, but the system has to be prepared to afford them the opportunity to carry out those preferences.

Sensitive information, by definition, varies by culture and nationality. Therefore, since sensitivity means something different to each person, Mr. Gellman suggested that patients be given a menu and an opportunity to select what is sensitive to them. He also recognized that someone’s preferences for privacy may change over time. He proposed that the committee make a recommendation to give industry notice that there is a forthcoming change, and that technological developments are needed to support those efforts. Minimum necessary guidance should address poorly defined disclosures such as law enforcement. Additionally, activities that affect the processing of large volumes of information should be given priority. Other topics covered in detail were minimum necessary exemptions – FAQs 210, 215, and 217 on the OCR “Health Information Privacy” website.

Adam Greene

Mr. Greene’s testimony focused on three areas of recurring challenges related to the minimum necessary standard: 

1) How the minimum necessary standard is working and how it is causing an obstacle to potentially effective health information exchange;

2) some guidance and expectations with respect to business associates and minimum necessary; and

3) the implementation specifications of minimum necessary.

Currently, minimum necessary does not stand as a road block to treatment exchanges because treatment is exempt from the minimum necessary standard. Any changes to apply minimum necessary to treatment could have a negative impact on what is already working well. However, opportunity exists to improve quality of healthcare operations and payment activities.

A fundamental problem occurs for example when a health plan tries to be pro-active in obtaining health information for better patient health coordination.  That would be hard to do because of the risk of opening up the entire record and disclosing too much or too little health information for the situation. 

Likewise, the healthcare provider cannot provide access to the entire medical record because under rule, doing so is a disclosure. These situations put all parties involved in the healthcare exchange at legal risk.

Data segmentation has been talked about for some time and technological solutions are not in the foreseeable future. Segmentation to some degree seems nearly impossible. Mr. Greene made a recommendation to re-consider how minimum necessary applies in the age of health information exchange. In the treatment context, there is some guidance needed for improvement. With respect to business associates, Mr. Greene suggested a revision to guidance to indicate that a business associate has the same responsibility as a covered entity regarding minimum necessary.  Current minimum necessary implementation specifications essentially state that for each recurring request for protected health information there should be a minimum necessary standard protocol.  It is very difficult to actually comply with these implementation specifications.

Discussion  

A committee member asked for clarification regarding regulations that require an organization to establish a protocol for each instance of a request for data, or in cases where the organization intends to disclose data. For routine requests, covered entities are required to implement policies and procedures that limit the PHI requested to the amount reasonably necessary.

The regulation for routine requests and disclosures says that a covered entity must develop these protocols. There is not enough information to know if there is a way of categorizing routines and limiting the number of protocols to a certain group of routines.

A member asked about the relationship of minimum necessary and breaches of information. There are legitimate questions about the threshold that would turn violation of the minimum necessary standard into a breach. There are many elements to consider, such as determining: what is a breach; what kind of resources would need to be devoted to certain kinds of activities when there is a hack; and is it likely to cause harm. There are significant differences on this issue in the privacy community and the business community.

The members and panelists discussed  determining whether there is a frequent practice in treatment, payment, or health care operations where sending more information than what is necessary to the payer is a breach situation. Although what initially appears to be a breach by sending more information than what is the minimum necessary, there might be a basis to find low probability of compromise because the payer is a covered entity.

Minimum necessary should shift focus from impermissible disclosure to the party that requested information inappropriately. Additionally, there is very little effort in training Institutional Review Board (IRB) members on the HIPAA Privacy Rule, and IRBs are generally unaware of the nuances. Guidance clarifying that it is reasonable to rely on the Continuity of Care Document (CCD) as the minimum necessary in a variety of health information exchange situations would be helpful. While there may be occasions when the CCD is not the best choice, this kind of guidance would expand the options as there is no vehicle right now to guide disclosures between a healthcare provider and a health plan.

Small practices are struggling with minimum necessary implementation specifications. One panelist stated that policies are needed to focus on whether or not someone is abusing health information exchange in small practices. The issues extend beyond technical solutions and need more focus and priorities.  In discussing small business, the members and panel noted the need for discernment when sharing information and more attention towards those who are potentially abusing health information exchange in the practice. One panelist stated that small practices and sophisticated health care providers are being put in unsound situations.

A committee member asked for commentary on enabling a federal regulatory floor and whether or not opportunities related to minimum necessary exist. Mr. Gellman responded that it may be best to give people discretion, judge them on how they exercise judgment, and in some way limit enforcement. Mr. Rothstein commented that minimum necessary standard is the best vehicle for improving privacy rule from the patient, the covered entity, and policy standpoints. He added that the minimum necessary standard represents the remains of a statute that largely does not matter since the Affordable Care Act was enacted. The privacy rule has made a substantial improvement even though it has shortcomings.

What kind of guidance regarding minimum necessary can we offer patients to understand it better?  Privacy management, as it is referred to, cannot be totally accomplished. There is a limit to what HHS can expect to do in terms of educating patients. The best HHS can do is have reasonable policies in place and make information available for patients when they care to know more.  Dr. Suarez shared his thought that there is an interesting dynamic of either blocking information or disclosing too much.

The panelists were asked for their perspective on what other industries are doing. There are other laws that the HIPAA Privacy Rule and the minimum necessary standard can be compared to, such as the Fair Credit Reporting Act, which tends to be narrowly focused. The panelists did not agree on whether the Fair Credit Reporting Act was a good example. Furthermore, Mr. Gellman noted that when privacy comes up in discussion with their constituents, clients are reminded to find a solution within the legal standards, cost restraints, and technological boundaries.  Mr. Greene indicated that he had not heard of minimum necessary discussed in other industries. In all, what was agreed on is that minimum necessary is an important concept in the law and the most under-developed provision of the Privacy Rule.

PANEL 2       Practical Implementation of HIPAA’s Minimum Necessary Standards – Approaches and Compliance

Melissa Martin, RHIA, CCS,CHTS-IM – President AHIMA, Associate Vice President and Chief Privacy and Enterprise Information Management Officer, West Virginia University Hospitals

Marilyn Zigmund Luke, JD – General Counsel, AHIP

Discussion

The Subcommittee posed a question to the panel regarding standardization,  and asked what is the relationship between minimum necessary and breach? Ms. Martin responded that she agreed with the idea of scenarios as part of implementing the standardization. She offered that industry and AHIMA would be more than happy to provide examples. She went on to describe that at WVU, they have identified scenarios that they use with the staff to help them better understand how to handle particular situations. There have been cases where they have released information based on a request, and the patient asks the healthcare provider why the information was sent. Often these are the result of an “any and all records” request. However, the internal privacy and security audit team is responsible for reviewing and following up on those requests.

On the other hand, Ms. Luke argued for flexibility based on each individual organization. To standardize compliance guidance would limit flexibility and, therefore, would not be in the best interest of the consumer. She noted concern about potential anti-trust issues if standardization takes place.  It would be helpful for OCR to provide additional information about their compliance activities to determine if perhaps minimum necessary is resulting in a breach.

All transactions have standard data elements, but this presents a challenge in the case of claims attachments because a claim is, necessarily, based on the individual’s medical situation. The members and the panel discussed the process surrounding the attachment standard, the technological perspective, and the impact on operating rules since the enactment of the Affordable Care Act. Early clarification could be helpful as the new rule gets rolled out.

Committee member Barbara Evans asked who makes the decision about whether it is reasonable to rely on a requesting party’s representation that what they are asking for is the minimum necessary?  Ms. Martin responded by stating that the Release of Information Officers receive all third party requests in a centralized process. The officers are required to have several hours of training. Training methods range from computer-based to one-on-one. Constant communication between both parties takes place to validate the request.  Ms. Luke continued that making the minimum necessary determination is very challenging particularly in the electronic environment when compared to the historic paper system.  The organization has always supported the reasonable reliance concept since it allows the covered entity to rely on the person making the request. There is agreement that when a request is denied, a negotiation process takes place, and the matter is usually resolved. Depending on the level of the request challenged, it may be elevated to the privacy officer. If it could not be resolved at all, then legal action would be the next step.

The Subcommittee then addressed accounting for disclosure requirements and the use of clinical guidelines for specific clinical categories.   When asked if one solid definition of minimum necessary could be used as a standard, or should multiple versions be developed for clinicians, researchers, third-party inquiries, Ms. Luke responded that multiple variations of the same term might actually cause more confusion and a variety of interpretations.  Therefore, she would stick with one definition and keep the flexibility for each covered entity to apply as they see fit.

Regarding the use of sequestration or segmentation, one panelist expressed the view that medical outcomes might differ or that people might be placed at risk if a provider were to make decisions without having the complete record. Ms. Martin stated that likewise, from a hospital perspective, the hospital does not advocate segmentation from the clinical providers. Segmentation could work in other parts of the hospital where departments have role-based access. There are multiple forms of requesters such as attorneys, insurance companies, research companies, etc. that are handled in a more controlled fashion in the organization. Also, segmentation is something that can be considered in context of the federal Part 2 Confidentiality of Substance Abuse Treatment Regulations.

Is there a type of research where you are either trying to eliminate selection bias or operating hypothesis-free where the minimum necessary data set would be equivalent to everything in the data set?  At WVU researchers typically collaborate and often get any and all records. After working through issues, the process is documented and outlined for future reference.  In terms of what is trending, academic facilities that have clinical trials have a copy of the hospital’s database in a de-identified format, which cannot be released at any interval. If an entity is making a request for data from a health insurance plan, the plan would prefer to release data in a de-identified format.

When asked to provide their definitions of sensitive information, Ms. Martin responded that this area is very subjective and that she supports getting further clarification.  Ms. Luke added that SAMHSA has encouraged Congress to convene public hearings and work with NCVHS to get input from individuals in public and private entities before the Part 2 confidentiality requirements and statutes take effect.  

When asked how minimum necessary plays out in the era of linked data sets, for example linking clinical data element with a claim, Ms. Luke responded it would depend on who is doing the linking.  A HIPAA entity will follow specific parameters, while a non-HIPAA entity might be problematic.  In all, it will depend on the attributes of each individual delivery system.  This will continue to evolve.

PANEL 3       Minimum Necessary:  Challenges and Opportunities

Alan Nessman, JD – Senior Special Council for Legal and Regulatory Affairs Practice Directorate, American Psychological Association

Rita K. Bowen, – MA, RHIA, CHPS, SSGB, VP, Privacy and HIM Policy Education MRO American Health Information Outsourcing Society

Alan Nessman: 

Mr. Nessman’s presentation began with a history of working on the HIPAA Privacy Rule. The challenge for the minimum necessary standard in the last two years has been requests by insurance and managed care companies who are required to conduct risk adjustment audits mandated by the Affordable Care Act. In doing so, psychologists are asked to release entire records, which contain sensitive information related to therapies that are unnecessary for the audit. However, working together collaboratively with insurers has allowed psychologists to extract the relevant clinical information from the record. The psychologists found privacy protections confusing due to the complexity of HIPAA. Anthem Blue Cross Blue Shield began their test audits for risk adjustment a year prior to the requirement. Working collaboratively has allowed them to present it to their members who are conducting the same type of audits. Reception from the members has been positive. Therefore, the American Psychological Association Practice Organization recommended guidance adopting this approach as a standard for minimum necessary in similar situations.

Rita K. Bowen: 

Ms. Bowen gave a brief overview of  the Association for Health Information Outsourcing Services  (AHIOS).  AHIOS is seeing the most challenges in worker’s compensation where more information is released than necessary. Each state has its own version of requirements for how to respond to worker’s compensation requests. Trying to limit information from the health record is difficult unless you have a full understanding of anatomy and physiology. Ms. Bowen covered findings from the 2016 HIMSS Connected Health Survey in detail. She highlighted concerns about:  the electronic health record, where many do not have the capability to limit unnecessary information; request letters that are often used to narrow the information that is really needed; the need for consistency in the EMR to ease the process of sharing minimum necessary information;

need for technical assistance for staff who are responsible for releasing information; having a unique patient identifier related to releasing information; data segmentation is needed in conjunction with a unique patient identifier; identify the source of all information coming into the database; clarification for patient-directed access to information; and patient education and engagement.

Discussion

The members opened the discussion by asking whether Mr. Nessman’s organization gets requests for information other than the audits. He responded that while there are a variety of requests, the risk adjustment audits are the best example of minimum necessary. APA recommends their members keep separate psychotherapy notes. The problem occurs when clinical and therapy notes are combined and have not been separated. More importantly for informational purposes to the committee, if EHRs do not have the segmentation capability, then it will default to providing the entire record. How does the landscape of technology, rules, and policy at the federal level influence this minimum necessary HIPAA aspect?  Participants agreed there has not been enough thought about the data segmentation at the specialty level. Furthermore, there also has to be discussion with the patient. The patient does not know that the information they provide can be used against them. That conversation needs to take place with the patient and to date, it is not happening.

The tensions between protecting privacy as care becomes more integrated have been known for some time. The goal is to foster collaboration with other health care professionals and work on improving communication.

The Subcommittee asked Mr. Nessman what issues members of APA are struggling with and whether surveys had been conducted for which he could share results.  Mr. Nessman responded that no surveys have been conducted, but they field hundreds of HIPAA and record keeping calls. They are trying to do outreach to educate the members.

Dr. Suarez asked about the approach in developing minimum necessary solutions for different scenarios, to which Mr. Nessman responded that stakeholders should be engaged to better identify particular areas where further clarification is needed. Risk adjustment audits are increasing and they raise unique minimum standards issues and that further guidance is needed.

A member of the Committee posed the question, assuming that appropriate technology is in place, what kind of laws or regulations are needed?  Ms. Bowen suggested defining “sensitive” information. She noted a remaining lack of consistency in the application of the minimum necessary standard among organizations that should be vetted.

Mr. Nessman stated that APA recommended two areas of segmentation: 1) keep psychotherapy notes separate from the EHR; and 2) test data should have the same protection as psychotherapy notes.

When asked about the secondary uses of information, Mr. Nessman responded that because so much information is potentially included in the record, it’s important to define what is actually needed for a particular purpose.  There are regulations that are in place for these requests that reinforce what they can and cannot use it for. Ms. Bowen mentioned that 50% or more of AHIOS’ requests are from third parties. Most requests present a request letter stating what they need and the proper patient authorization. However, if it is for payment and you can make the linkage, there is no authorization that is required.  The patient authorization guides what you will and will not do, but the request letter is narrow and should never broaden the scope of the authorization.

The request letter is the leading document. Today’s default is sending the entire record because of the lack of specificity. In the organization, if AHIOS released information and it was more than necessary, AHIOS will notify the provider. Although this is not a breach because the authorization could have covered it, the covered entity makes the call as to whether harm has been done. In essence, the default should not be to send the entire record.

Ms. Kloss asked finally, if there are areas where NCVHS should focus first for guidance what would that be?  Ms. Bowen suggested focusing on attorneys’ requests because, given the extensive data requests, they question sometimes whether the attorneys are actually acting on behalf of the patient.  She also added the need for guidance considering the increased data from devices and patient-generated health information.  There needs to be some guidelines as to handle, what is received, how the information is threaded into the record, how it is protected and what are the expectations. Mr. Nessman noted concern from the mental health respective in trying to determine what is minimally necessary and the effects might impact patients seeking services.  Ms. Kloss summarized that aside from the technology, that outreach and education and guidance are bottom line recommendations.

The discussion concluded with Ms. Kloss reading a statement from the American Hospital Association which was included in the record

Public Comment Period

There were no comments.

Subcommittee Discussion:  Review Themes, Identify Potential Recommendations and Additional Information Needs

All committee members were asked to provide one or two themes derived from the testimony. Each theme would be recorded on the flip chart. Themes will then be compared and consolidated.

Minimum Necessary (MN) Themes

  • Overarching concept is that MN practical applicability needs to be further defined through guidelines in multiple areas.
  • Find guidance with regard to segmentation.
  • Flexibility/discretion
  • Consumer Education of what HIPAA does and doesn’t provide and rights as a consumer
  • A need for technical solutions as well as policy solutions
  • MN as a critical concept
  • Targeted guidance
  • Over-compliance for MN
  • From the provider perspective – Education and guidance as to how MN applies in emergency situations; community situation
  • Defining what sensitive information is and having guidance
  • Sensitivity definition and how does it impact state laws
  • Applying MN to treatment
  • Replacing patient identifiers so billing does not identify
  • Under compliance/over compliance…where is the balance?
  • Resolving disagreements relating to standardization of implementation.
  • How do we reconcile sensitive data with the OCR guidance given on Feb 2014?
  • Cyber security for HIPAA
  • MN and breach
  • MN doesn’t lend itself to data mining or big data
  • Expand definition of the covered entity that non covered entity
  • MN and cost management
  • IRB
  • MN – Is there a time when it is not appropriate?
  • Patient education as it relates to signing the understanding of HIPAA
  • Guidance for consistency for implementation
  • scalability (size of organizations)
  • What is the patient’s experience? Does MN lead to a different patient experience?
  • Thinking short term versus long term
  • Current administration of the concept as outlined in the regulations: Can it be applied at the time the current regulations and analyze if the administration of the concept still works.
  • The definition of MN and guiding concepts – defining relevant, defining necessary, defining reasonableness; all terms to describe MN
  • How special is mental health?
  • Need for clarification using the FAQ tool
  • Better reporting procedures for violation offenders
  • MN in workers comp
  • Privacy and selling the data
  • MN and ACO
  • Examination of technology and how it may impact some of the recommendations that were made in that area
  • MN organizational policy and procedure and provide guidance around that

Major MN Themes

  • We need to step back and develop a working definition
  • Guidance: Need to look at guidance along a continuum from more formal guidance to the FAQs
    • Mental health
    • Sensitive information
    • Business associates
    • Worker’s Comp
    • Law enforcement
  • Better Use of Technology
    • EHR functionality
    • HIE
    • Workflow
    • Interoperability
    • In the context of MN
  • Data Segmentation
    • The patient centric
    • Who controls it
    • Who makes the determination
  • Increase in education outreach, engagement
  • Authorization
  • Giving incremental information

The subcommittee members conducted a roundtable discussion with each person contributing their themes that were highlights from the testimony. Discussion led to consensus for the final list. All duplications were removed and the remaining themes were grouped into a “Major Themes” category. Although each theme was discussed, the following issues were emphasized: 

  • any and all requests – an example of over compliance;
  • no requirement for pre-directed (i.e. disability) requests, but there needs to be some guidance there instead of requesting any and all;
  • increasing the level of education of the person requesting and will increase costs.

Next steps are to organize what was articulated in testimony and put together an outline to work on as a subcommittee. See what we want to address in a letter using a short term/long term framework. This will generate a discussion and then take offline to work. Include other groups that may be important to hear from and request informal input from them such as pharmacy, etc. and discuss in another meeting. The first call is June 27th. A total of four calls will take place before early September.

Adjournment

Meeting was adjourned at 4:04PM

I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/
Chair

September 30, 2016
Date