Agenda of the June 16, 2016 NCVHS Subcommittee on Privacy, Confidentiality & Security Hearing

Hearing
Subcommittee on Privacy, Confidentiality & Security
National Committee on Vital and Health Statistics

“Minimum Necessary and the Health Insurance Portability and Accountability Act (HIPAA)”

 June 16, 2016
 Capital Hilton Hotel
1001 16th Street, NW
Washington, DC 20036
Federal A Room

Meeting Minutes

Meeting Transcript

PURPOSE OF THE HEARING

The HIPAA Privacy Rule requires that when a covered entity or a business associate uses or discloses protected health information, or when it requests protected health information (PHI) from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 

The minimum necessary standard is the fifth most common HIPAA compliance issue investigated by the HHS Office for Civil Rights (OCR), due in part to insufficient awareness or lack of clarity about this requirement, the fact that personnel are not properly trained in this area and/or because entities lack policies and procedures to comply with this requirement.  The NCVHS Privacy, Confidentiality and Security Subcommittee will hold a one day hearing to review current policies and practices of the HIPAA Privacy Minimum Necessary provisions and identify and discuss issues and challenges that the industry is facing when addressing this requirement, in preparation for developing recommendations to the Secretary for policy and practice guidance addressing compliance with the minimum necessary standard.

The objectives of this meeting are as follows:

• Understand current industry policies and practices involving minimum necessary;
• Understand challenges and potential areas of clarification in light of these practices, new and emerging technology developments, and new and evolving policy directions since the Privacy Rule became effective, and
• Identify areas where outreach, education, technical assistance, or guidance may be useful.

FINAL AGENDA
Thursday, June 16, 2016

 

 

8:15 – 8:30 a.m.	Introductions and Opening Remarks	Linda Kloss, MA, Chair
8:30 – 9:15 a.m.	Overview and framing of current issues Mark Rothstein, JD, University of Louisville Institute for Bioethics, Health Policy and Law
9:15 – 10:30 a.m.	Panel I – Policy Interpretations of HIPAA’s Minimum Necessary Standard Robert Gellman, JD Privacy and Information Consultant Adam Greene, JD Partner, Davis White Tremaine
10:30 – 10:45 a.m.	Break
10:45 – 12:15 p.m.	Panel II – Practical Implementation of HIPAA’s Minimum Necessary Standards – Approaches for Compliance Melissa Martin, RHIA, CCS, CHTS-IM President, AHIMA Associate Vice President and Chief Privacy and Enterprise Information Management Officer, West Virginia University HospitalsMarilyn Zigmund Luke, JD General Counsel, AHIP
12:15 – 1:15 p.m.	Lunch
1:15 – 2:45 p.m.	Panel III – Minimum Necessary: Challenges and Opportunities Alan Nessman, JD Senior Special Council for Legal and Regulatory Affairs Practice Directorate, American Psychological Association  Rita K. Bowen, MA, RHIA, CHPS, SSGB Vice President, Privacy and HIM Policy and Education, MRO American Health Information Outsourcing Society
2:45 – 3:00 p.m.	Public Comments
3:00 – 3:15 p.m.	Break
3:15 – 4:15 p.m.	Subcommittee Discussion: Review themes, identify potential recommendations and additional information needs
4:15 – 5:00 p.m.	Subcommittee Discussion: Frame letter to the Secretary, reach consensus on the timeline and next steps, if any
5:15 p.m.	Adjourn

---

Written Testimony

• American Hospital Association
• The State of New Hampshire Insurance Department
• Center for Improving Value in Health Care
• Center of Health Information and Analysis
• Maine Health Data Organization
• Pacific Business Group on Health
• Centers for Medicare and Medicaid Services
• Virginia Health Information
• State of New Hampshire Insurance Department
• APCD Council
• ASC X12

Questions for Panelists

Panel 1 – Policy Interpretation of HIPAA’s Minimum Necessary Standard

• What is the current, basic understanding of the Minimum Necessary Standard?
• How does it apply to various scenarios?
  • Clinical exchanges between providers for purposes of treatment (via EHRs, for example)
  • Exchange of mental health related data and other sensitive health information?
  • Release of information processes and other administrative transactions
  • Access, use and disclosure for purposes of health care operations (such as utilization review, quality analysis)
  • Research
  • Public health disclosures considerations
  • Collection/use/exchange of data from/with medical devices/mobile devices
  • Other

Panel 2 – Practical Implementation – Approaches to Compliance

• How does your organization implement the Minimum Necessary standard in general?
• How is it implemented in the scenarios mentioned above?

Panel 3 – Issues and Challenges

• What are the most challenging issues currently faced by the industry regarding the implementation of the Minimum Necessary standard?
• How have the more recent advances in health IT (including adoption and use of EHRs, HIEs, mobile health, telemedicine, etc) affected the implementation of Minimum Necessary?
• What needs to be clarified, changes or updated regarding the requirement?