COMMITTEE MEMBERS:
Douglas L. Wood, M.D., Chairman
Mayo Clinic
Rochester, Minnesota
Jeff Bloom
Washington, D.C.
G. Kristin Crosby, M.D.
Vice President and Chief Medical Officer
Olympic Health Management Systems, Inc.
Bellingham, Washington
Bruce Devereux Cummings
President and CEO
Olean General Hospital
Olean, New York
Gary C. Dennis, M.D.
Howard University Hospital
Washington, D.C.
Michele M. Evink
Director of Pharmacy
Clarke County Hospital
Osceola, Iowa
Eugene Anthony Fay
Vice President of Reimbursement and Government Affairs
Province Healthcare Company
Brentwood, Tennessee
John Finan, Jr.
President and CEO
Franciscan Missionaries of Our Lady Health System, Inc.
Baton Rouge, Louisiana
Lisa Gigliotti, J.D.
Human Services Policy Coordinator
Office of Governor
Lansing, Michigan
Heidi Margulis
Senior Vice President, Government Relations
Humana, Inc.
Louisville, Kentucky
Mary M. Martin
The Senior Coalition
Crofton, Maryland
Nancy H. Nielsen, M.D.
Internist
Buffalo, New York
Dr. Erik Olsen
Member, Board of Directors, AARP
Glenbrook, Nevada
Suzanne R. Pattee, J.D.
Vice President
Public Policy and Patient Affairs
Cystic Fibrosis Foundation
Bethesda, Maryland
Jack A. Rovner
Michael, Best & Friedrich, LLC
Chicago, Illinois
Judith A. Ryan
President and CEO
The Evangelical Lutheran Good Samaritan Society
Sioux Falls, South Dakota
Patricia Osborne-Shafer, R.N., M.N.
Beth Israel Deaconess Medical Center
Boston, Massachusetts
Christy Schmidt, Executive Coordinator
Regulatory Reform Initiative
Washington, D.C.
William Toby, Jr.
Rockville Centre, New York
Patricia M. Walden
Southington Care Center
Southington, Connecticut
INDEX OF SPEAKERS AND PRESENTERS:
HIPAA Privacy Rule
Presentation 1
Paula Stannard, Office of General Counsel
Washington, D.C.
Jodi Goldstein, Office of General Counsel
Washington, D.C.
Public Comment:
Pamela Parr, RN, Executive Director
Home Nursing Service and Hospice
Marietta, Ohio
Thomas G. Puckett, M.D., FCAP
College of American Pathologists
Division of Government and Professional Affairs
Washington, D.C.
John Horty, Esquire
Chairman, Chief Executive Officer, Indigo Institute
Horty, Springer & Mattern
Pittsburgh, Pennsylvania
Anthony J. Tirone, Director, Federal Relations
Joint Commission on Accreditation of Health Care Organizations
Washington, D.C.
Robert R. Michalski
Vice President, System Compliance
West Penn Allegheny Health System
Pittsburgh, Pennsylvania
Kimberly S. Gray, Esquire
Chief Privacy Officer
Highmark, Inc.
Camp Hill, Pennsylvania
Barbara Hickman
AARP
P R O C E E D I N G S
DR. WOOD: Welcome to the second day of our Pittsburgh meeting today. Today is health information and protection, and I am so much focused on other information, Health Insurance Portability and Accountability Act, affectionately known as HIPAA, with a single P. I have been impressed with the discussion of HIPAA in the last couple of months, particularly in the last month as some of the now proposed revisions on how so much misinformation is floating around and the development of the methodology is quite striking because it's getting to be about like some of the mythology that is thought around about some other favorite topics that we have evaluated.
So over the course of the last couple of weeks with the great help of the members of the executive committee and the staff we have developed an approach we want to follow today. Now, from the perspective of the committee members who were not part of the Executive Committee discussions, we have a somewhat unusual circumstance; that is so far in our work everything we have done has basically addressed the regulation that is already written and is basically in the process and running. This is an unusual circumstance because we are in the middle of an open comment period for the proposed modifications, and there is a specific process that is followed to make sure that those modifications, comments about the modifications, are handled in the right way, and what we wanted to do then was to position each of you so that you could make comments that were highly informed and would be considered to be highly responsive.
The committee itself in this time frame, that is the open comment period, will not make a specific recommendation, although we can come back later after the comment period closes, and then in our final reports we can adopt specific recommendations, but we do want each of you to take advantage of this unique opportunity to hear a background by some of the most capable folks from CMS. We also had tried to get the most capable folks from the Office of Civil Rights who have this responsibility, but vacations are important so I didn't want to impose on vacations because balance in life is important, and I think the people who are involved in this if they don't take their vacation now I'm pretty sure they're not going to get it for the rest of the summer. If you don't get any days off for the rest of the summer, the list is done, right?
MS. GOLDSTEIN: No, I think it's in the fall.
DR. WOOD: So that's important. So what we want to do, and Christy has just corrected me about the organization. I don't understand organizational charts very well. OGC is really -- it's in the Secretary's, not CMS, but at any rate, we have also a couple of subcommittees who have been very involved in this work and some people around this table who have worked hard in understanding the privacy rule and its implications, and we want to take advantage of the work that they have done as well.
Now, for those of you who think that this is a simple issue, Jack's come armed with his pages. Would anybody care to hazard a guess about how many comments have been received about HIPAA so far, the privacy rule so far?
MR. BLOOM: I know it was 62,000.
DR. WOOD: What did you say, Jeff?
MR. BLOOM: I know at least 62,000.
DR. WOOD: Well, we were talking the other day, but yes, it's 60,000 plus.
MR. BLOOM: It was 52,000 the first time, 11,000 the second time.
DR. WOOD: That should give you a little bit of an idea about how sensitive a subject this is and the nature of the challenge that the people who write the regulations face to try to make sure that they satisfy all of these tens of thousands of people who have concerns, and I think at the end of the discussion today at least my understanding improved considerably after having the benefit of this briefing earlier. I think you will see what kind of work is being accomplished to try to get deftly through the middle of this and establish a very effective working start, and I say start because my experience in Minnesota where we passed a privacy law in 1995 is that you start, and after you start the implementation you go back and figure out where you need to make revisions to make sure that it works. So this is not a one-time job, and we need to think of it exactly as that, and that hopefully will diffuse a little bit of the passion about some of the subject.
Now, with that being said, I'm particularly pleased to introduce to you Paula Stannard and Jodi Goldstein from the Office of General Counsel. They have helped us considerably in the last week to understand these. Paula's going to begin, and Jodi's going to follow, and then we have some other things for you which I hope you will find quite helpful in the manner that we have used before in this group in terms of demonstrations. This one's going to be a little interesting. It should be a little fun. So, Paula, please lead.
MS. STANNARD: Good morning, Chairman Wood, distinguished members of the committee, members of the public. My colleague Jodi Goldstein and I are honored to be here today to talk to you about the HIPAA privacy rule and the modifications that the Department has proposed to make the rule work.
The Secretary has charged this committee with suggesting common sense changes of reforms to HHS regulations while at the same time maintaining or enhancing effectiveness, efficiency, impact and accessibility, and as we work through the modifications to the privacy rule, that was what we were thinking about, making sure that we maintain strong privacy protections while at the same time making sure that we maintain access to and quality of health care.
This administration, both the President and Secretary Thompson, are very committed to strong privacy protection that works and that permits continued access to and quality of health care. Last March Secretary Thompson said that we all agree that protecting the confidentiality of patients' records is our number one concern. That's why the administration decided to go forward with the final rule while at the same time directing us and the Department to look at certain areas and provide improvements to ensure that the quality of care does not suffer inadvertently from the privacy rule, and we're going to be getting to talking about the modifications, but as Robert Frost once said, don't ever take down a fence until you know why it was put up, and so what we're first going to do is understand why this fence was put up, and Jodi is going to talk to you about how the Department originally went about drafting the rule, the outline of the rule and what we currently are dealing with.
MS. GOLDSTEIN: Thanks, Paula. I have been working on the privacy rule for about a year and a half. I came on board with the Department to help in drafting the final rule, and I've been working on this ever since. I'm in the Office of General Counsel, and I work with the Office for Civil Rights, so I was involved as Paula with the modifications that we recently proposed, and I'm just going to go through how we got to drafting the privacy rule initially and what the rule which is now the existing rule says, and then as Paula had said, she'll get to what we're proposing to change, but we wanted to give you the foundation first. A lot of topics to cover, so I will get going.
First, why do we have a health information privacy rule? Why is this an issue? There are a couple of things that played into this. As the health care system became more sophisticated, there were more people in the health care delivery system that had access to health care. In addition, information technologies gave people more, not only more access, but the ability to create databases where they can easily use information to do research or public health activities and things like that. So there was more access to this information. In addition, as electronic technologies were developing and electronic transmission of health data began to occur on a more frequent basis, there was an increasing concern about privacy and security of that health information. So in, you know, the last ten years or so public opinion polls have showed that people are really starting to care a lot about health information privacy and that they're actually engaging in privacy protective practices by not sharing important information with people who need that information to provide them the best care.
Congress responded to this. They started -- in the mid '90s there were lots of bills proposing privacy regulations, but they were having some difficulty coming to consensus. As this was going forward, there were also provisions for administrative simplification of electronic transactions of health information, and this was going on simultaneously. The electronic transactions piece gained consensus in Congress, but the privacy of the health information did not, and Congress was reluctant to put forth a law that would make it easier for this information to flow electronically without having privacy protections. So what they did was in HIPAA, in the statute that gave the Department the authority to do the privacy rule, they came up with this separate section that said that we will have three years, Congress would have three years to come up with legislation, and if they didn't succeed after three years that the Department of Health and Human Services would be required to promulgate regulations about health information privacy.
Well, that happened. Congress didn't get consensus in those three years. It was harder than they anticipated, and the Department had to draft the privacy rule, and this was a daunting task. It's a huge industry, lots of different players in it, and so the first things that the Department looked at were the base lines and some of the big dilemmas that they faced in passing and promulgating a regulation of this scope. The base line that the Department looked at was existing law, what the congressional mandate set forth, some ethical standards that were in the health care industry and actual practice.
When we looked at the state law, we realized that there was a dramatic variation in the scope of these laws, and there were only a few that were very comprehensive. In the cases where there were comprehensive state laws, as Dr. Wood had mentioned, there was either a total failure or partial failure where things had to be reworked. So this is nothing new, the process we're going through now. For instance, in Maine clergy weren't able to get access to patients. They didn't know what patients were sick and dying, and their patients weren't able to get last rites, things like this, obstacles that people didn't think about. There were also some licensure laws for health care professionals that prohibited breaches of confidentiality, but these laws are very general, and they don't give specific information to providers on how to do that. There were also some model acts that we looked at. The NAIC model was one of the acts that we looked at, and we found that there wasn't a comprehensive framework to work from, but each of these, each of these legal base lines gave us some ideas, and we pulled both from the things that did work and the things that didn't work in crafting this regulation.
The congressional mandate. In the section where Congress had said that they were going to try to pass privacy regulations in three years they did set out what a privacy rule or privacy law should include, but there was pretty much general guidance because they hoped to pass their own law. So the guidance that we had in working with this was that the rule should address the uses and disclosures of individual identifiable health information, the rights of individuals with respect to that information and procedures that should be established for exercising these rights and for the covered entity to comply with its duties, and that's how we structured the rule, and I will go through that in detail about how the rule works. HIPAA also outlined who the covered entities were, generally health plans, health care clearinghouses and most health care providers, and I will get into more detail about that, and it defined individually identifiable health information, and we structured it around these concepts, but this is what we had to work from, so there was a lot of work that had to be done to figure out how to implement these three guidelines.
We looked at ethical base lines. There were professional codes out there about how providers should act to protect confidentiality. Again, these were general and they gave us some guidance and we used that, but they weren't very specific in helping us craft this regulation. We also looked at actual practice. We did a lot of fact finding. We talked to providers. We talked to health insurers. We talked to lots of different types of entities in the industry to understand how information does flow, what it's needed for and how things currently work.
We faced a couple of dilemmas, and I will go through these as well. In coming up with this rule there were a lot of different approaches that we could have taken, and we had to struggle through these different balances to figure out what was the right approach. First there were the different interests. There's privacy on one hand, but there's also information that is vital to certain public goals like research or like public health activities. So we were trying to balance these two things. There was also the issue of complexity versus disruption. The industry is incredibly complex, and there was a trade-off between having a complex rule that reflected the industry or disrupting current practices. So we could have come up with a very simple rule that said you can't disclose any health information, any individually identifiable health information without an individual's authorization, and people would have gone nuts because this would have just stopped the health care industry in its tracks. So in order to reflect some current practice and allow important information to flow as necessary, you end up with a very, a much more complex rule, and we decided that that was a better approach rather than disrupting the industry practices that have been established.
Jurisdiction was an issue. We had, as I mentioned, the statute set forth who the covered entities are. This is not all entities that have individually identifiable health information, and it's only a subset of those entities. So to come up with a privacy rule given that constraint was difficult because we wanted to protect the information, but we did have jurisdictional constraints, so what we did is in some instances we either required a covered entity to get documentation or to get written assurances from the person that they're giving the information to in order to try to protect the privacy of that information that does flow outside of this covered entity box.
And finally, the industry itself posed a dilemma. There are lots of differences in the types of entities that are covered, the sophistication of those entities, what those entities do. We had to figure out how to craft a rule that covered the solo practitioner in a rural neighborhood and the nationwide health insurance company that served people in all 50 states and everything in between. So to come up with rules that work for all of those different types of entities poses some dilemmas because we really wanted to come up with a rule that worked for everybody and not different rules for different types of entities.
There was also the rapid evolution of the health care industry itself. We didn't want to do anything that would stop innovation, and we didn't want to come up with a rule that would become obsolete in a couple of years. So we tried to build in reasonableness standards and flexibility and scalability so that people can apply this rule to their entity in a way that makes sense.
So the structure of this. The uses and disclosure rules. There's three buckets of types of information or types of purposes of information. The rule is very purpose driven. There is health information that is needed for things related to treatment or payment for that treatment. We call that treatment, payment and health care operations, and we made things, we made it fairly easy for information to flow for these purposes because these are the core of the uses of the health information.
Then there were uses of health information or disclosures of health information that were of sufficient public importance. This is the public health kind of stuff or research, things like that, and this information also can flow without individual authorization, but there are some restrictions on the flow of that information. So we're sort of moving one step down. It's a little bit more restricted than the treatment, payment and health care operations information, and then there's everything else.
Everything else in the rule or any other use or disclosure, any other purpose for a use or disclosure would require an individual's written authorization. I'm not sure if you can read all of this. You can see this is a dynamic process. This is the chronology of events that have taken place just since 1996. I just want to highlight some of the important things that are occurring now and the deadlines that are coming up. The final privacy rule was published on December 28th of 2000, and the compliance date for that rule is April 14th of 2003 for most covered entities and 2004 for small health plans. So there's this two-year gap between when the rule came out, the effective date of the rule and the compliance date to give people time to comply, and that's a statutory requirement that there is that two years. In the interim just last month we published proposed modifications. These are proposed changes. Paula will discuss them later. We have a 30-day comment period on those which closes next Friday, which is April 26th. Our goal, and this is a very ambitious goal, which is why I probably won't get to take a vacation over the summer, is that we're trying to get the final rule out late summer, and the reason for that is because the statute requires that we give people six months from the effective date of a modification until they need to comply with that modification, and our goal is to try to get the modifications out in time so that people will comply with them in connection with the final rule itself for the April 14, 2003, deadline.
Okay. Now, privacy rule 101. I'm going to get into the substance of what the rule says. This is my how to explain the rule in 50 words or less. Basically a covered entity can't use or disclose protected health information unless it's permitted or required by the rule. You notice my lock and key motif. The privacy rule basically puts a lock on the health information, and you need to find a key in the rule that lets you use it. If it is a permissible use or disclosure of the information, then you can only use or disclose the minimum amount of information necessary. There are some exceptions to that, but generally this is true.
The rule also creates individual rights, and the rule sets a federal floor. State laws that either don't conflict with the rule or that are more stringent, more protective of privacy, remain in effect. So this is not -- this is just setting a base line. This is not best practices. States are free to come up with laws that are more stringent and more protective of privacy, and those that already exist would remain in place.
Okay. So now I'm going to get into some of the details of how this works because there was a lot of terms in there that, you know, the devil's in the details.
Who is covered? What are covered entities? Again, as I said, HIPAA limited who we can cover to health care providers who transmit health information in electronic transactions, and I will explain what that means, health plans and health care clearinghouses. So all of the people who work with these entities, government entities that are collecting information for public health purposes, they're not covered by the rule, and this is where we had that challenge of how do you protect the information when it leaves this bubble?
We created something called business associate relationships which require the covered entities to get some protection of that information before they send it out to somebody who's doing work on their behalf, and I will explain the business associate relationship in a minute.
The electronic transactions. A health care provider is only a covered provider if the provider engages in at least one electronic transaction for which the Secretary has adopted standards. These include payment of claims, coordination of benefits, things like that. The provider is also covered if they hire somebody to do this for them. So just because it's a small health practice and they don't have a computer in the office doesn't mean that provider isn't a covered provider. If they hire a billing company that is doing this on their behalf, is doing these electronic transactions, then the provider is a covered provider. It doesn't include basic paper facsimiles, and we had lots of questions about this. If you put a piece of paper in the fax machine to send information off to another doctor or to another, to a health plan, that in and of itself doesn't trigger the coverage. Same thing with e-mail. A provider that's e-mailing his patients, that wouldn't trigger coverage under the rule.
Now, the privacy rule doesn't require providers to engage in these electronic transactions, but there was a new law that was passed a few months ago, the Administrative Simplification Compliance Act, which delays the compliance date of the transactions standards for people who submit compliance plans to the Department. It gives them an extra one year. It doesn't change the date of the privacy rule, but this law generally requires providers to submit claims electronically to Medicare, so virtually all providers are going to be covered by this date. So there is this carve-out for providers that don't do electronic transactions, but it's going to be a pretty small group.
I said I'd get to business associates. These are the folks that -- it could be a covered entity, but often it's not a covered entity -- who get information and are doing an activity on behalf of a covered entity, like a billing company, like a transcription company or copy service, things like that. In order for the covered entity, since we only cover the covered entity, to disclose the information to their business associate, the covered entity would be required to get satisfactory assurances, probably in the form of a contract, that the business associate will protect the information and will only use the information as permitted by the covered entity and by the privacy rule. There is no business associate relationship required for disclosure to another health care provider for treatment.
You will notice I have mentioned some exceptions for treatment throughout this presentation. This is the first, but we tried not to interfere with treatment. So there are some exceptions here, minimum necessary and some other places, to make sure that doctors get information they need for treatment purposes. So business associate relationships are not required in that case.
Now, this is an important point, and this is a change from what we had originally proposed. Covered entities are not required to monitor the activities of their business associates. Covered entities are not the privacy cops. Doctors don't have to go in and audit their billing company. However, the covered entity is responsible for getting these satisfactory assurances, and if the covered entity knows that the business associate is violating that contract, is breaching that privacy, then the covered entity has to act, but it's not -- it's a known standard. It's not they should have known, they should have done some due diligence. It's if they actually know that there is a breach of this business associate contract. Then either they have to take efforts to cure the breach, to terminate the contract, or if those are not feasible, to contact the Department and let HHS know what's going on.
Now, what is covered? Protected health information, this is individually identifiable health information, and it can be transmitted in any or maintained in any form or medium. So even though a doctor is only covered if he engages in electronic transactions, it's not only the information in those electronic transactions that's protected; it's all of the health information that that doctor has. So this is a pretty broad definition. It has to be information held by a covered entity or its business associate. If it's by an entity that's not covered by the rule, it's not protected, and it includes demographic information. So it would include the name and address, the mailing list of the doctor. It's a very broad definition.
I am just going to mention this because Paula will talk a little bit about a proposal regarding the identification. If the information is sufficiently de-identified, it is not protected under the rule. Now, this can be done through two methods. One, there is a statistical method where you have a statistician assert that this is not identifiable, and people have had some confusion, there's been some confusion about what that would do and how that would work, but also there is a safe harbor where you can strip 18 identifiers, and then the information is considered de-identified. Paula will talk about an approach that we have proposed in the modifications, in the NPRM, that addresses people's concerns that this is a very restrictive list of things that need to be stripped.
Some key points I want to make before going forward. This is again a floor. This is not best practices. Covered entities can always provide greater protections, and all of the -- most of the rule is about what is permitted, not what's required. It's a privacy rule. We don't usually in this rule require people to disclose information. So when we say you can disclose information for public health, if it's not required by law, it's permissive. The doctor can choose to disclose it or not disclose it. The only required disclosures in the rule are disclosures to the individual who is the subject of the information under our access provisions which I will talk about in a little bit and the disclosures to the Office for Civil Rights at HHS to determine compliance. That's it. Anything else is permissive.
Here are the buckets that I was talking about before. There are different types of purposes, and there are different rules that are associated with each of those types. There's treatment, payment and health care operations which I will refer to as TPO. There are some uses and disclosures where an individual has an opportunity to agree or object which are related to treatment. That's why I made it sort of a subset of that treatment box. There are specifically public purposes, and then other purposes would require an authorization, and the requirements vary based on the type and based on the specific purpose. So TPO, under the final rule, and this is an area where there is a proposed modification, under the final rule providers with direct treatment relationships would be required to get a general one-time consent that an individual can use, or that the individual agrees to let the provider use or disclose their information for treatment, payment and health care operations. Other covered entities would not be required to get this consent, and there were exceptions for emergencies and things like that. These other covered entities would be permitted -- they would have the opportunity to voluntarily choose to get consent if they want to, but again not required, and I don't want to go into too much detail on this because the proposal is a dramatic change from this.
I want to explain a little bit about what health care operations are because people don't necessarily -- this is sort of a very general term. People know what treatment is. Treatment is, you know, what your doctor needs to do to treat you. It also includes referrals, consultations, things like that. Payment, again, is reimbursement for health care services. It also includes coordination of benefits, medical necessity determinations, things like that. Health care operations is a fairly broad category, and it covers all of the things that support the treatment and payment functions, the things that the business, the health care business, needs to do to keep running and to do things in a quality manner and effectively: so quality assessment and improvement activities, training, licensing, medical review, legal review -- if you need to talk to -- a doctor is being sued, he needs to talk to his lawyer; to do that, ensure the information so he can talk to his lawyer -- fraud and abuse. There are also these greater business planning and business management activities which are explained in more detail, but it allows the covered entities to use the information in ways they need to to run their business.
This sort of subcategory of treatment, payment and health care operations are those uses and disclosures that require an individual to have an opportunity to agree or object to that use. These types of things, this category where they have an opportunity to agree or object, we were trying to assure that people could continue to do things that they normally do now: facility directories, a hospital needs to be able to tell a family member or friend who comes in what room the patient is in. That would be disclosure of protected health information. That's permitted. This would include the individual's location or the individual's general condition. If a person calls up on the phone and says, I heard, you know, my sister is in the hospital, can you tell me how she's doing?
They can say, yes, she's stable, she's fine, and she's in this ward, whatever. It also allows clergy to access patients that are in the hospital to deliver last rites and things like that. We learned from Maine on that one.
The second category to persons involved in care or payment for care, patients always have family members and friends who help them with care, help them to talk with doctors, help them to resolve payment disputes, and we didn't want to interfere with that normal practice. So doctors can continue to talk to family members and friends who are involved in an individual's care. The only difference is the privacy protection is that an individual has a right to say no if an individual is concerned that, you know, an abusive spouse might find her, that patient can request that the facility not disclose information to the abusive spouse. So it gives the individual some control and gives the individual an opportunity to say, no, I don't want you to share this information, but generally this stuff is permitted, and the question always comes up, you know, what if somebody is unconscious? They don't have an opportunity to agree or object, or what if the family is in the room? This is a reasonableness standard. Common sense providers can continue to use professional judgment. They can infer from the circumstances what's appropriate, things like that. So we're not setting up barriers to these normal practices, but we are giving individuals an opportunity to control the release of personal information in cases where they are concerned.
Also in this category is notification. The hospital can call up a family member and say, you know, your wife was just admitted to the hospital, or they can share information with disaster relief agencies to help notify people, things like that.
This is the second bucket that I was talking about, the specific public purposes. These are the things where information, protected health information can be disclosed without an individual's authorization subject to various conditions, and there's a whole list of these. I didn't list all of them. I sort of hit the highlights. If it's required by law, it's permitted by the privacy rule. If state law says you must share information with the state about XYZ, you must share information with a coroner or whatever the case may be, that is permitted. We didn't want to set up conflicts where people had to figure out, well, it's required here, it's protected here, so if it's required by another law, the provider is permitted under this rule to disclose the information or the health plan is permitted to disclose the information.
For public health, and we do have a proposed modification to this, but covered entities can disclose to public health authorities if the collection of that information is authorized by law. This would allow disclosures of, say, information about communicable diseases or regarding adverse events of a particular drug and things like that, and Paula will talk about the proposal that we changed to that specifically in the area of FDA regulated products.
A provider or health plan, a covered entity, can disclose protected health information to avert a serious imminent threat to health or safety. So if, in fact, a psychiatrist is concerned that somebody is, a patient is about to commit suicide, they can disclose information to a person that might be in a position to help avert that threat. This would also be true in emergency situations like disaster type situations where disclosing the information is necessary to avert an imminent threat to that individual, another individual or to the general public.
The oversight activities, these can still go on. Providers can still disclose information for programs such as research. Generally an individual would provide an authorization for information to be used for research purposes. However, in this section there is an exception where if an IRB or privacy board thinks it's appropriate, they can waive that authorization requirement. This is most likely going to take place in cases of records research or perhaps emergency research, but typically in a clinical trial an individual would be required to give an individual authorization for their information to be used for that research.
So now I will get into the individual authorizations. This is that third bucket. So if you look in the rule and you can't find something in there that says this is a permissible use or this is a permissible disclosure, the covered entity can always get an individual's authorization. These are for things like marketing, preemployment physicals, employment determinations, life insurance, mortgage companies who need information, and this other category of psychotherapy notes. We have given heightened protection to certain types of information called psychotherapy notes which are created, typically created and used just by the particular psychotherapist, and they are kept separate from the medical record. In that case an individual's authorization would be required to disclose that information.
I want to make a point here because I talked about consent before when we were talking about treatment, payment and health care operations, and now I'm talking about authorizations. Everybody else in the world thinks that these words are synonymous except for those of us in the Department who have defined these as two different things. Consent under the final rule is a general one time permission that an individual would give for the use of information for treatment, payment and health care operations. The authorization is for other purposes. The everything else is, and these are very different, not only is the purpose different but what's included is different. Authorizations are very detailed. They have to describe the information to be disclosed. They have to mention name, the recipient or class of recipients. They have to name who can disclose the information. There has to be an expiration date, purpose. There are lots of things that need to be on this form so that the individual knows what they are agreeing to. The disclosure can only be consistent with the authorization, and generally a covered entity cannot condition treatment eligibility, enrollment in a health plan, things like that, on obtaining the individual's authorization, and the authorization has to state that so the individual knows that they can choose not to sign the authorization.
Again, here we have proposed modifications, basically to simplify this requirement, but this would still remain under the proposal. I'm going to give a quick explanation of marketing under the final rule. This is another area where there's a proposed change. This is a very general definition, but generally it's a communication to encourage the use or purchase of a product or service, and under the final rule there's sort of three categories of things that meet that definition. There are exceptions to that definition, things that are communications that are not marketing. So if a doctor is talking to a patient about, you know, is recommending a certain prescription drug, that's not marketing; that's treatment, and it wouldn't fall under requirements for marketing.
There are also certain health-related communications that would be marketing but would be subject to an opt-out. I wrote opt-in. That's an error. Sorry about that -- subject to an opt-out and notifications. So they can make, a covered entity can make this communication but would have to give the individual the opportunity to opt out and would have to give information about why this person is getting this information and things like that. All other marketing communications under the final rule would require an authorization, and, again, Paula will discuss how we're proposing to simplify this and to try to meet these provisions.
Minimum necessary. This was the second point I made in my privacy 101, that you can use and disclose information, but you can only do the minimum amount necessary. A covered entity has to restrict the information that they use or disclose to what is the amount necessary to accomplish that purpose, and there's a difference between uses and disclosures. If it's a use, the covered entity has to come up with policies and procedures of who in the organization can use that information. It's a role-based access type of system which, when we did our fact finding, hospitals and other facilities were telling us that that's how they normally work. They have a role-based access system. So a covered entity would need to identify the types of workers and their entity in their organization, the types of individual that class of individuals would need and any conditions of access. They have to document these policies, and this again is an area where it's flexible. The covered entity figures out what makes sense for them. So, for instance, a hospital can say that a physician, any physician in a hospital can have access to any medical record at any time. No restriction. That is fine. The only thing a hospital would have to do is document that, say, we think doctors need to have access to any information, this is important for treatment, doctors can cover for each other, whatever it is, just document the policy and the rationale, and that's sufficient, and then they can operate under those policies. Of course, if it's, you know, a candy striper, perhaps they would have much more restricted access. Of course, they might know the name of the patient in the room, but they probably won't know the details of the patient's condition, and so they have to come up with approaches for what works for different classes of individuals.
Now, disclosure is a little bit different. For routine disclosures it's very similar policies and procedures. What is the minimum amount of information necessary to disclose for a particular purpose, I mean to use for a particular purpose, I mean to disclose for a particular purpose? So, for instance, a doctor who typically has 50 percent of his patients that are in Blue Cross, and Blue Cross needs, you know, these five pieces of information. They can document that policy. This is the information that they disclose to Blue Cross for a normal claim, and that's it, and they just operate consistent with that policy. For nonroutine disclosures there has to be an individualized determination of what's minimum necessary. So if a policeman comes to the door and says, you know, can you tell me, has Mr. Jones been here today? Well, then you have to determine what's the minimum amount of information necessary. Maybe you can disclose that Mr. Jones was there, but you might not be able to disclose what he was there for or, you know, details of his condition. So an individual determination would have to occur in the nonroutine circumstances. And in any request for disclosure covered entities must request only the minimum amount necessary and may also rely on the request of another covered entity. So if the health plan says I need A, B and C, the provider, if that's reasonable, the provider can rely on that as the minimum amount necessary. They don't have to do an individual determination if the request is coming from another covered entity. And here is another place where there's an exception for treatment: this does not apply to disclosures to providers for treatment. If a doctor calls up and says, I need to see this person's medical record, I want the whole medical record, I'm, you know, it's a new patient, he's coming to me for this condition, whatever, the provider can give the entire medical record, doesn't have to do a minimum necessary determination.
Again, we didn't want to interfere with treatment.
Okay. So now we're moving to the next category. That was uses and disclosures. That was the first thing in the congressional, in the HIPAA statute of what we needed to do. And this is an important component of the rule. This is sort of -- this is -- actually I think of this as the heart of it. This is the individual rights. This is what every patient has the right to do if they didn't necessarily have under state law before.
They have a right to a written notice of the information practices of the providers in health plans. Covered entities have to actively tell patients what it is, how their information is going to be used. When we did a lot of fact finding, we found that patients think or many patients think that, oh, only my doctor sees my information, nobody else sees my information, and so this is an informational notice to say these are the types of people who are going to see this information, these are the reasons, these are the things we can do with your information, so people are aware of how information is being shared, and it gives them an opportunity to have discussions with providers about any privacy concerns that they have or concerns about these practices. And Paula will also mention a change that is happening in that notice to strengthen the notice requirement.
Individuals have a right of access. Some state laws provide a right of access, but most do not. This is a right to inspect and to copy protected health information that is in designated record sets, so what's a designated record set? Medical records, health plan payment records about an individual, it's anything that is collected about a particular individual that's used to make decisions about individuals. So if it's kept in the file and, you know, can be used for treatment decisions or payment decisions or things like that, the individual has a right to inspect and obtain a copy of that. They also have the right to amend information in these designated record sets, and this usually sets doctors off. They're crazed by the fact that individuals can amend the information in the records. This does not give the patient control of the record. The doctor can preserve the integrity of the record. It doesn't require the doctor to cross things out of the record. It's basically a requirement to append, and so additional information can be added, a statement that the individual disagrees with the assessment may need to be added, things like that. It's really a right to append, not a right to cross things out, but this is an important thing. When there is something wrong, the person can actually see there's wrong information and say, you got this wrong; you know, my mother died when she was 52, not when she was 62, and they can change that, and that can affect people's treatment later on down the road.
Individuals have a right to an accounting of disclosures. They have a right to request a listing of who saw their information, who the information was disclosed to. Now, this is not all disclosures. These are disclosures that are -- it excludes disclosures for treatment, for payment, operations, so it includes, if the police came and asked for information, that would have to be included in an accounting; if information was disclosed for research, that would need to be in the accounting. So an individual -- this is a right of the individual to request and to get that upon the request, so doctors don't have to give this out on a regular basis or health plans don't have to give this out on a regular basis, but if asked they have to provide this accounting.
Individuals have the right to request restrictions. They have the right to talk with their doctors and enter into agreements that restrict the use of information and to a greater degree than the privacy rule does. If the doctor does not agree, if the doctor does not have to agree to the restrictions if the doctor thinks it would not be in the best interests of the patient or health reasons or comply with the restriction that's being requested, the doctor doesn't have to agree, but if they do enter into an agreement, then the doctor must act in accordance with that.
An individual has the right to have reasonable requests that information communicated from the covered entity to them done in a confidential way. They can give an alternative mailing address; don't call me at home, call me at work, things like that, and the covered entity would have to comply with that.
And individuals have a right to file a complaint with either the Office for Civil Rights or with the covered entity. This is the third thing on the list of the guidelines that were in the HIPAA statute. The administrative requirements, what does the covered entity have to do? All of these requirements are designed to be flexible and scalable. Every entity is different. Some things don't make sense in a small organization but make sense in a big organization, and the example I like to talk about is the privacy provision. Covered entities are required to designate a privacy official. And solo docs are thinking, you mean I've got to hire somebody to do this? No. It could be somebody in the organization. It could be part of somebody's job, or in a large academic medical center it probably will be a full-time person, but it's up to the entity to figure out what makes sense. So again, this is one area where it's flexible and scalable.
Same thing with training. Training is flexible and scalable. Clearly a covered entity would not have to get the same type of training to the janitorial staff as they would to the nurses that are dealing with this information on a regular basis, and they might need to give some to janitorial staff to say you should not look at stuff that's in the garbage, although it shouldn't be on somebody's desk, but the training is flexible and scalable.
There are documentation requirements. Covered entities have to have sanctions for employees who violate the entity's policies, and they need to come up with their own policies and procedures.
Enforcement. This is what happens if covered entities don't follow the rules. This is set forth in the statute.
The penalties. There are civil monetary penalties that would be assessed by the Office for Civil Rights. If there is a violation, $100 per violation, up to $2,500 for each calendar year for each specific requirement or prohibition that is violated. It's enforced by the Office for Civil Rights. There is a delegation for the Office for Civil Rights to delegate enforcement authority, and I want to talk about that for a minute.
The Office for Civil Rights, the approach for the Office for Civil Rights is one of working with entities to voluntarily comply with regulations. This can be very different I think from the Department's activities on the fraud and abuse side which usually gives people a sigh of relief. The goal at least at the outset we're going to be doing a lot of technical assistance, trying to work with covered entities to try to get them into compliance, but in fact, there are these penalties, and if there are entities that are violating the rules, there are penalties that the Department will assess in certain circumstances. There are also criminal penalties. These are greater penalties for knowing disclosures of protected health information. These are higher fines. There could be jail time involved, and this is enforced by the Department of Justice. These are for knowing disclosures. If somebody doesn't have an element in their notice of privacy practice that has to be there, they're not going to jail. This is for more egregious behavior, and it will be enforced by the Department of Justice.
I also have our web sites available for more information. The OCR privacy web site will have everything on there that's been released from the Department regarding privacy. It has our proposed modification on there. It has our final regulation on there. It has our guidance on there, and it also provides an opportunity for people to submit questions. If anybody has done that and is wondering why they don't have responses yet, we are working on some technical assistance based on those and developing some frequently asked questions that should hopefully get posted on that web site. So that's the place to keep looking for updates and additional information. There is also an administrative simplification web site which has some information as well.
DR. WOOD: Why don't we -- we have a couple things we have got because some of the demonstration is going to involve information that is responding to information. Let's take a couple of minutes to ask questions about the content of this presentation only so that you can make sure that your teacher has imparted the information, and we'll check on that in a little bit. So Gary.
DR. DENNIS: Yes. I'm over here. That was an excellent overview. I have questions about enforcement. It appears that the statute covers what some of the penalties are, but are the comments that will be considered later and also the input of this particular committee later, will they also be related to, could they be related to enforcement? Or because the penalties are stated in a statute I know you can't change the penalties, but the way the penalties are applied, the way the regulations are related to how the penalties are applied, is that true or not true?
MS. GOLDSTEIN: The Department's planning to put out an enforcement rule. We have not done that yet. We do have some flexibility in how we enforce the statute. Like you said, the penalties are established by statute, but sure, if there were recommendations from this committee, I don't see why we wouldn't consider those in developing an enforcement rule and enforcement policies.
MS. STANNARD: That's correct. We are working on enforcement regulation and because the current privacy modifications do not involve enforcement provisions the committee is free to make recommendations after the close of the comment period for the modifications on suggestion of how to work enforcement.
MR. CUMMINGS: Good morning. Nice presentation. I love the reference to flexible and scalable. With respect to the policy and procedures, has your office considered developing prototypical P and Ps based on type of setting that would be, of course, voluntary for entities? But what I'm thinking is, of course, it's going to be very different for an academic medical center versus a community hospital versus a rural health clinic versus a small rural hospital, and I can tell you in a small rural hospital folks often don't even have time to go to a web site. They're worried about how are they going to meet payroll. What are they going to do about their one surgeon who's left? How are they going to staff their ICU when they are seriously short staffed? So interventions of that sort or tools of that sort made generally available, say through hospital associations or other groups, would be very useful. Is that something your office has considered?
MS. GOLDSTEIN: We have had lots of requests for models. I don't know that we have considered coming up with model policies and procedures. I know that there are some trade associations that are providing some models for their members, but you know, surely that's something that could be recommended.
MS. STANNARD: Right, and certainly the Department is committed to the extent its resources permit providing models and providing assistance, both technical assistance and otherwise. One of the things I'm going to be talking about is the fact that we have provided, in this latest NPRM we have provided model business associate contract provisions so that you don't have to go out and reinvent the wheel. We have provided some provisions that we think are adequate to serve the requirements of the rule.
DR. NIELSEN: Full disclosure. I'm a physician, and as a physician I'm under an ethical obligation that's very well established by my organization, somewhat broadly and flexibly described as you might have, as you alluded to.
I see an inherent problem with this. You have statutory authority to order only certain kinds of entities to do things, and you can only enforce, as I understand it, under those covered entities. The major problems that arose that patients complained about was the selling of their information for marketing purposes, I mean, certainly that was one big one, but pharmacists and pharmacy chains that did that, as I understand it, are not a covered entity.
MS. GOLDSTEIN: Pharmacies and pharmacy chains actually are covered providers under the privacy rule. So they would -- we would -- they would have to comply with the regulation, and we would be able to enforce against pharmacies and pharmacy chains.
DR. NIELSEN: Well, that's helpful. The difficulty that I'm having is what seems like statutory expansion. You really want to influence behavior downstream, but you can only get there if you make me do it. Now, help me understand if I'm overstating that.
MS. GOLDSTEIN: Yeah. We are -- the Department was limited in its statutory authority, and that did pose some problems, as I had mentioned. The fix on that, though, would have to be a congressional fix. The only way that we could expand the scope and cover additional entities that have health information is if Congress passed a law that gave us the authority to do that. So, you know, our hands were sort of tied on that one, and so in the goal of trying to protect the information we could only protect it based on the entities that were covered by the rule.
MR. BLOOM: Thank you. Actually I have two questions. One is on the psychotherapy notes. That's sort of a broad definition. What does that include? Does that include MSW notes, psychiatrists and psychologists?
MS. GOLDSTEIN: Yes. It's mental health professionals, any mental health professional, any counselor, any mental health counselor could have psychotherapy notes. The information would have to be kept separate, and it's not the diagnosis information or the things that are needed for payment of claims or things that are normally kept in the medical record. It's sort of the notes of what took place in the counseling session that the provider keeps for his or her own personal, you know.
MR. BLOOM: Right. The personal information that you disclose at the psychiatrist or the psychologist or MSW's office that no one has any right to because it's completely protected and private.
MS. GOLDSTEIN: That's right, and that was one of the areas where that was a current practice where there was this information that mental health professionals kept separate, and we wanted to keep that added protection on that information.
MS. STANNARD: And there's a specific very detailed definition in the rule of psychotherapy notes, and if you want, we can read it off.
MR. BLOOM: No, that's fine. Save time on that. The second question is I am struggling with the minimum amount of information necessary. That's a very vague term, and I guess who decides what the minimum amount of information that is necessary? And I guess I think about when I think about that I always think about the FDA rule on devices where the devices have to be approved by the least burdensome means by the manufacturer, and one person's least burdensome is another person's inadequate. So who decides what the minimum amount of information necessary is? And is there a way of making that a tighter definition of what that information is that's disclosed?
MS. GOLDSTEIN: The covered entity determines what is the minimum amount of information necessary. Of course, if somebody complains, if they're doing something that seems wrong and somebody complains, the Office for Civil Rights can investigate it. It is a general term, and it is flexible. This is sort of in the lines of the Department not wanting to go into every single type of entity, every single type of practice and figure out what makes sense and micro manage all of those interactions and all of those uses and disclosures.
We are trying to come up with something flexible, and it does pose the concern that you're raising, but this is again one of those balancing acts that we were doing was trying to figure out how we do a rule that works but something that works for all of these very different types of entities. So that's why it is a general definition. We have had actually the opposite concern from covered entities saying this is too general and, you know, how are we going to know if this is right and we're going to be much more restrictive because we don't want to get in trouble and things like that, and people who need the information who are complaining, well, doctors are just going to not disclose any information because they are concerned that it will be more than the minimum necessary. So we are actually hearing from covered entities that they are being very conservative on this and they're actually asking us to give better guidelines as well. So there is sort of concerns from both ends, but again, we are trying to come up with a flexible approach that would work for all of these different entities, and that's what we're struggling with.
MR. BLOOM: Yeah. I am sure I will have more later. Thank you.
DR. WOOD: This is just to clarify what you have learned. We have other things later. Questions, Michele?
MS. EVINK: Just to speak kind of as a comment I think on the distribution of patient specific prescription information for marketing. I think that that primarily was not coming from the pharmacies or even the pharmacy chains but from the information distributed through the PBMs, the pharmacy benefit managers, that were the clearinghouses for larger amounts of information where the patients were being grouped and marketed through that way. So that it's my understanding, and please clarify, that the information that the pharmacies and the pharmacist gathers on behalf of the patient is protected under treatment. However, once that goes to a PBM, then how they disseminate their information is covered under marketing and is specifically how they have their privacy relationship with a patient under the health plan that was the reason why the information went to the PBM to begin with.
MS. GOLDSTEIN: Right. You are correct. Pharmacies and pharmacists are covered health care providers under the rule assuming they are doing these electronic transactions which presumably most are. They can use that information for treatment purposes. Again, this consent provision applies under the final rule. We have proposed changes to that, but they can use it for treatment, payment and health care operations. So they can use the information to fill the prescription. They can use the information to get paid from the health plan. We talk about the disclosures to the PBM. The pharmacy benefit manager would most likely be a business associate of the health plan. So, and again --.
MS. STANNARD: The determination of if you are a covered entity or a business associate really depends on a lot of facts and circumstances. So depending on the relationship and the functions that a PBM conducts it could be a covered entity itself if it's part of a plan or it could well be a business associate.
MS. GOLDSTEIN: If, in fact, it's acting as a business associate, which again we try not to use labels of, you know, because different people call themselves the same thing but do different things, so we try to do it based on functions, and Paula's point is important, but typically if the PBM were a business associate of the health plan and got that information from that relationship, they would be bound to their business associate, the satisfactory assurances they gave in that business associate contract, and could only use the information the way the health plan could. So they couldn't use it for marketing if there wasn't an individual authorization to do so. So that's how the PBM would be sort of indirectly covered by the rule.
DR. WOOD: Ms. Walden.
MS. WALDEN: Thank you. This was really helpful. There are a lot of urban legends out there about HIPAA, and we learned that in our hospital visit yesterday. And fortunately Jack was with us to straighten out the ICU on HIPAA, so they may get a bill. My question has to do with scalability, and in your chronology you indicate that smaller providers will have an extra year to comply. Can you define the smaller provider?
MS. GOLDSTEIN: It's actually small health plans, not small providers. So all providers would have to comply by the April 2003 date. Small health plans which are health plans with under $5 million in annual receipts would get the extra year.
MS. WALDEN: Will there be some sort of definition that smaller providers can rely on for the scalability piece or interpretation of the rule based on the size of an organization?
MS. GOLDSTEIN: No, but again, this is -- the approach of the Office for Civil Rights is really working with entities for voluntary compliance. If somebody is trying to comply with the rule and there is a complaint, the Office for Civil Rights comes in. They are going to work with the entity to try to figure out how to get their practices in compliance. So there isn't a specific guideline, but somebody had said that the word reasonable is used in this regulation somewhere like 250 times. We say it a lot because we mean it. If the approach is a reasonable approach for a small doc, all I would say is document the policies and, you know, some reasoning for the policies and, you know, the Office for Civil Rights is trying not or the Department is trying not to micro manage the industry and is trying to give the covered entities the opportunity to do what makes the most sense. So that's as much as I can help. There's not going to be a definition or a guideline, but it is a reasonableness standard.
DR. OLSEN: At the start of your presentation you gave one of the reasons that this law, this whole thing got started was the fact that some polls had shown that patients were not sharing information with their doctors, but you didn't get into any detail. Do you have -- as I understand it, this was information, this wasn't hypothetical, but this was after the fact the numbers of people who hadn't shared that information. Do you have any numbers of how long ago that was and has it gotten worse? I guess that's --.
MS. SCHMIDT: Yeah. I think I remember this. We will have to get you that information because I don't know whether that poll has been updated, but it was something that we certainly used in the cost benefit analysis and in the preamble to it, and what we will do is the staff will look that up and get you the cite and the exact quote from the people withholding information and we will also check to see if it's been updated.
MS. MARGULIS: Thank you, Mr. chairman. Terrific presentation. I have a question, and rather than give you the preface before it, I will just go right to the question. Can health plans disclose protected health information about a member to a health insurance agent or broker who is acting on behalf of an employer or a plan enrollee without an authorization for the following purposes: First, to resolve a member's payment or claim dispute, or second, to approve a member's preauthorization or length of stay request, and third, process an enrollment ap?
MS. GOLDSTEIN: And this is the agent acting on behalf of --.
MS. MARGULIS: An employer, not on behalf of the health plan, on an enrollee.
MS. GOLDSTEIN: First of all, I'm not giving any formal interpretations for the Department. So anything I say is my own individual opinion.
MS. MARGULIS: I understand that. That's why I gave no preface or anything and a point of information.
MS. GOLDSTEIN: Yes. And the second thing I want to say is sort of approach to figuring out these sorts of questions, and then I will try to give you what I think the answer is, but it's not something that's well established.
Generally you have to, and you pointed out a lot of these factors, you always have to look at what is the information being shared? Who is sharing it? Is it protected? Who is receiving it? What is the purpose, which is the most important thing, what is the purpose for this disclosure? And you were touching on these things. In your hypothetical is the individual -- who is sharing the information? The agent is trying to get information from the health plan?
MS. MARGULIS: Correct.
MS. GOLDSTEIN: On behalf of the individual?
MS. MARGULIS: Or the employer.
MS. GOLDSTEIN: Or the employer. Probably, and again, my personal opinion, in that case they would probably need an individual's authorization in order to advocate on the individual's behalf in order for the health plan to be able to share that information with the broker.
MS. MARGULIS: And it would be true for the employer, acting on behalf of the employer as well.
MS. GOLDSTEIN: Now, on behalf of the employer -- yeah, if they're acting on behalf of the employer as well. If they are acting on behalf of the group health plan, probably not, because, of course, they would have to have a business associate relationship with the group health plan, but if they're acting on behalf of the employer in its role as employer, then they probably would need an authorization. Okay. Now I'm scared.
MS. MARGULIS: You could call a friend.
MS. GOLDSTEIN: Can I phone a friend? I saw that book, and I don't have a book quite that big, so I'm a little worried.
DR. WOOD: All you have to do is tell us who is your counselor, and then we'll call on your counselor.
MS. GOLDSTEIN: That would be Paula.
MR. ROVNER: Christy reminds me that I have my privacy plug here, so I will try to constrain myself, and my fellow committee members know that I have been living HIPAA probably against my will for two years at the probably exclusion of most of the things I used to do as a private practice health care attorney, but I do have a question, and I wanted to get something clear. You commented that faxes would not be considered electronic transaction which would make a provider a covered entity. Most fax machines today are actually digital computers, so if the provider sends the UB-92 over a digital fax, is that an electronic transaction as the Department's interpreting this?
MS. GOLDSTEIN: It may be.
MR. ROVNER: That's -- okay.
MS. GOLDSTEIN: It may be, and this is something that is actually being discussed currently, and there may be some additional guidance on this coming out.
MR. ROVNER: Because that is an area that I think is greatly misunderstood. As my committee members know, I also spend a lot of time on the road speaking to lots of providers and others, and there is, as Chairman Wood pointed out and Ms. Walden, a tremendous amount of just misunderstanding. So when you get to something that's actually kind of a tough issue to get that clear.
MS. GOLDSTEIN: It's a tough issue, and people are right now struggling with what is electronic media, what is an electronic transaction, you know. That's why I did say paper fax because it's clear that if you stick a piece of paper in the fax machine, that does not constitute an electronic transaction, and we're trying to --.
MR. ROVNER: Well, that's the problem because it depends on what fax machine you have. If you have an old fashioned analog fax machine which sends the signal as you drive the paper through, what you have is just plain old telephone transmission. It's not digital. If you have what most fax machines are today which is actually a computer, it feeds the paper through, records the information in memory and then sends the transmission digitally. You actually have a computer transaction. So that's the clarification that's needed if you're not going to include faxes or are going to include faxes.
MS. MARGULIS: That goes directly from your computer.
MS. GOLDSTEIN: Yeah, and I think that the distinction may be, again, this is a little bit in flux, this is based on some preliminary discussions, but if you start with a piece of paper, I think that that will not be considered an electronic transaction, but the line may be the computer, and there will be some clarification on this I'm hoping in the near future, so keep watch.
MR. ROVNER: Will do. One other question, if I may. It relates basically I think what will ultimately be addressed in your enforcement rules, but as you point out, the statute on penalties talks about requirements, prohibitions and provisions, none of which are defined. Now, the rules talk about not really -- they actually define requirements as your implementation specifications, or the other way around, implementation specifications which is what the rules use are defined as requirements. So there's an issue about how you're actually adding it up, and it makes it important because of the $25,000 cap.
MS. GOLDSTEIN: Yes, and that would be addressed in an enforcement rule. I don't have an answer for you at this point though.
MR. ROVNER: Is that something that if we are to look at that might be of assistance to the Department in figuring it out?
MS. GOLDSTEIN: Sure, sure.
DR. WOOD: We have a little demonstration we want to do which I think will probably highlight a few of these questions and maybe allow us to focus some of the other questions. So let's do that next, and this is going to be a committee participation demonstration.
MS. SCHMIDT: Right. We were trying to figure out how to do a demonstration of the privacy rule, and after that question period I think the presenters are going to take great delight in announcing that we want you to close your books right now. Take out a piece of paper. It's going to be a pop quiz.
We have a 15 question quiz coming up for you. It's true or false. If you have been listening, you should do just fine. You're going to be grading your own papers. So you don't have to worry about that, but there will be -- if you do well, we're going to ask you at the end and you will get treats for doing well on our quiz, and it will have to do with taking another quiz. Thank you, Bruce.
DR. WOOD: So what's the enforcement if you don't do well?
DR. OLSEN: Is this private?
MS. SCHMIDT: This is private. Don't look at each others' papers. Label your paper 1 through 15. There are going to be 15 true or false questions. I'm going to give you a scenario, and at the end of that I will ask you true or false, and then you will find out the answer electronically.
Number one. I am a patient. My doctor needs to discuss my treatment with other doctors and nurses, but the privacy rule prohibits doctors and nurses from discussing private health information if there is a possibility someone will overhear. What if my doctor needs to discuss my condition with a nurse at a busy nursing station or with me over the phone from someplace other than a private office? The privacy rule prevents these discussions. True or false? False.
MR. ROVNER: Excuse me, but you should have been in the critical care unit yesterday.
MS. SCHMIDT: We're going to do that next.
MS. GOLDSTEIN: The privacy rule is not intended to prohibit providers from talking to each other and to their patients. We realize that, of course, there are cases where there may be overheard conversations, particularly in hospitals and busy emergency rooms, things like that. We clarified in our guidance document that we put out in July of last year that normal communications between providers is okay, and if, in fact, there is an inadvertent disclosure, that is not a violation of the rule. This is something that we proposed some regulatory language to clarify. Of course, the covered entity has to have reasonable safeguards to protect the information and can only disclose minimum necessary information. You know, probably screaming the fact that somebody has HIV down a hallway may not be appropriate unless it's necessary in an emergency, so reasonable safeguards would apply.
MS. SCHMIDT: So there are two extra credit questions that came out of our tour yesterday at the University of Pittsburgh Medical Center. Here are the two ones. One of them, two cardiologists were talking to us and complaining that the chief of staff is difficult to get hold of, and the only time they apparently can consult with the chief of staff is at a cocktail party. They're talking about Mr. Lomax who is on a heart machine, and they're at the cocktail party and one cardiologist wants advice about how to treat Mr. Lomax. Is that okay under the privacy rule?
DR. WOOD: Is that question number two?
MS. SCHMIDT: No. That's just extra credit. The extra credit is if you got the first one wrong. This one is true. They can talk about the treatment of a patient even at a cocktail party if it has to do with the treatment of a patient. Here is the other one they raised in the cardiology-.
MS. STANNARD: One point. You can talk about treatment. You can't gossip.
MS. SCHMIDT: Yes.
MS. GOLDSTEIN: And, of course, if you are at a cocktail party, you may need to take additional reasonable safeguards to make sure that other people aren't listening to the conversation.
MS. MARGULIS: And you haven't had ten drinks.
MS. GOLDSTEIN: But consultations for treatment are permitted.
MS. SCHMIDT: Another one that they raised. These cardiologists had a lot of questions yesterday. They had a critical care unit. It was an eight-bed unit. Sometimes when a patient appears not to be responding, they shout the patient's name to see if they can get a response. Often there are family members for some of the other patients in the critical care unit. Are they now going to be allowed to shout the patient's name to see if they can move on to another form of resuscitation and see if the person wakes up? Yes or no? Yes.
Okay. You guys are good. Number two, again I'm a patient and a patient concern. The privacy rule is going to create a government database with everybody's individual personal health information in it.
MS. GOLDSTEIN: We laugh. False. We actually had --.
MS. MARGULIS: You already have it.
MS. GOLDSTEIN: This does not create any. We had lots of comments that accused us of creating, you know, setting up a system to create a government database. The only requirement that a covered entity would have to disclose information to the government, to the federal government under the rule is for compliance purposes.
MS. SCHMIDT: I'm a patient. I continue to be a patient. The privacy rule prevents my pharmacist from filling my prescription before I show up and sign that consent form for the first time. Now instead of having the prescription waiting for me, I'll have to come to the pharmacy, sign a consent form and then wait around for hours while my prescription's filled. True or false?
MS. GOLDSTEIN: True. True, okay. I got one right.
MS. EVINK: Unless we get the proposed rules.
DR. NIELSEN: That's a question. Is the test under the present rule?
MS. GOLDSTEIN: It's only about what we've talked about so far.
MR. BLOOM: You didn't tell us that.
MS. GOLDSTEIN: I'm sorry. We didn't give you the rules properly. The privacy rule would permit a covered entity, including a pharmacist, from using individually identifiable health information for any purpose before getting the individual's consent. So the doctor can phone in the prescription to the pharmacy. The pharmacy can't begin filling the prescription or checking with the insurance company to see if it's covered until the individual signs a consent. This is one area, as everybody has mentioned, where the Department has proposed a fix to this problem. This is not an intended result.
MS. SCHMIDT: True.
MS. GOLDSTEIN: True.
MS. SCHMIDT: You don't always get it right. A patient again. The privacy rule prevents a friend or a family member from picking up prescriptions for me. Now I will have to get out of my sick bed to get my medicine. True or false?
MR. TOBY: False.
MS. GOLDSTEIN: The rule specifically allows pharmacists to use professional judgment and experience to make reasonable inferences about the patient's best interests in allowing somebody else to pick up prescriptions. This is back to the friends and family members assisting in care that I talked about before. If the person is coming in with a prescription for the individual, the pharmacist can presume that the person is assisting in that individual's care and that the patient doesn't object to the information being disclosed. So they can use professional judgment. This is reasonable common sense stuff.
MS. STANNARD: This, of course, assumes under the current rule that the patient has signed a consent.
DR. NIELSEN: That's why -- you can't have it both ways. If I'm -- help me understand.
DR. WOOD: No. This is just a quiz first, and it's to check on what you learned in the presentation.
MS. GOLDSTEIN: This is about whether a family member can pick up the prescription generally.
MS. SCHMIDT: They have already signed the consent under the current rule. You only have to sign the consent once with your pharmacist. All right. Play along.
I'm a physician. The privacy rule requires me to monitor the activities of my business associates. True or false.
MS. GOLDSTEIN: I guess I did an okay job of explaining this one. Covered entities are not required to monitor. They just are required to act if they know of violations of their business associate contract.
MS. SCHMIDT: I'm a physician. The privacy rule prevents me from using a sign-in sheet in my office so I know when a patient has arrived. I can't even call out the names of patients in the waiting room when it's their turn for their appointment. True or false.
MS. GOLDSTEIN: You guys are good. The Department didn't intend to prohibit sign-in sheets or people calling out names in the waiting room. We clarified this in the guidance that came out in July. Also the proposed change that Paula will explain makes it clear that these incidental disclosures, the fact that somebody else might overhear the name or might see somebody else's name on the sign-in sheet is not a violation of the rule.
MS. SCHMIDT: I'm a hospital. The privacy rule prohibits semi-private rooms. With two patients in a room there is no way to guarantee that one won't overhear health information about the other. Now I'll have to rebuild my facility to include only private rooms.
MR. BLOOM: Only true in the south.
MS. GOLDSTEIN: That's right. The privacy rule does require reasonable safeguards. It does not require structural changes to facilities. It doesn't require soundproofing of rooms, things like that. It does require appropriate administrative, technical and physical safeguards to information.
MS. STANNARD: So you might want to put your information, your paper records in a file room and have it locked. You might want to put a lock on the door if that's considered a structural change.
MS. GOLDSTEIN: Right, but you don't have to rebuild facilities in order to make sure that somebody in the next bed doesn't hear a conversation.
MS. SCHMIDT: From a hospital. The privacy rule allows doctors and nurses to see a patient's entire medical record if I think they need it to do their jobs. True or false?
MS. GOLDSTEIN: Yes. The privacy rule does not prohibit requests for the entire medical record or uses of the entire medical record. Again, this would still have to -- if it's a use, then the hospital would have to come up with policies and procedures that permitted viewing the entire medical record. If it's a disclosure, there are exceptions for disclosures to other providers for treatment purposes, and they could send the entire medical record.
MS. SCHMIDT: A physician's question. The privacy rule requires covered entities to purchase expensive computer equipment in order to comply.
MS. GOLDSTEIN: False. Again, this is the flexibility and scalability. The privacy rule does not require particular technologies or types of technologies to be purchased. It tries to incorporate the fact that different entities will have different levels of sophistication with information systems and allows the entity to design whatever system will work best. It does not require buying expensive software or hardware in order to follow this rule.
MS. RYAN: Just clarification. What was the implication of the other law that you referenced this morning that was requiring electronic submission?
MS. GOLDSTEIN: Oh, the Administrative Simplification Compliance Act will require by October of 2003 that most providers submit claims to Medicare electronically. There is a process for getting a waiver of that, but it will generally require providers to submit claims electronically.
MS. STANNARD: And CMS is in the process of drafting regulations that will make that requirement and also detail the types of waivers that will be given.
MS. SCHMIDT: From an insurer. How are we supposed to do business under this rule? It would prohibit doctors from faxing information to us or to each other or to their patients. True or false.
MS. RYAN: What kind of fax?
MS. STANNARD: A paper fax.
MS. SCHMIDT: The old fashioned kind.
MS. GOLDSTEIN: False. The rule doesn't prohibit any certain modes of transmission. It just requires that covered entities have in place safeguards in order to protect that information, make sure that the information is not getting sent to the wrong place. It might require that the fax machine isn't in a public area. Again, it depends on the facility, but reasonable safeguards would apply.
MS. SCHMIDT: From an insurer. What happens when I'm required to report information under state law? I assume that if some other law requires me to disclose health information, I won't have to do some big analysis under the privacy rule or get caught in the middle because the privacy rule might not allow this disclosure. True or false.
MS. GOLDSTEIN: True. This is the part of the rule that says if it's required by another law, it's permitted by the privacy rule. This was intended so as not to put covered entities in the predicament of being caught in the middle and having to try to figure out which law they are supposed to comply with. If another law has already determined that this is an important disclosure, the privacy rule does not interfere with that.
MS. SCHMIDT: From a lot of people. The privacy rule is delayed by the Administrative Simplification Compliance Act. We're off the hook for another year.
MS. GOLDSTEIN: Believe it or not, we have heard this a lot. Congress specifically exempted the privacy rule from that delay of the transaction rule or limited the condition delay of the transaction rule. The compliance date for the privacy rule is still April 2003 which would make some covered entities have to comply with it before the transaction rule which would be October of 2003 of that year if they submit compliance plans.
MS. SCHMIDT: There are three more questions. So see how you are doing. Patient. The privacy rule requires my doctor to give my health information to researchers and the police even if they don't have a warrant. In health plans all these people have to do is ask.
MS. GOLDSTEIN: Good job. Okay. The rule permits disclosures. It does not require disclosures. Remember, there were only two required disclosures to individuals under the access provisions and to the Department for compliance purposes. So it's a permissive disclosure. Providers are permitted to disclose to law enforcement and to researchers in certain circumstances, but there are conditions on this that apply, and in certain cases an individual would have to provide an authorization for disclosures for research.
MS. SCHMIDT: No. 14, a patient. When my family member comes to pick me up at the hospital, the doctor will still be able to explain my condition and tell him what to expect when I return home. True or false.
MS. GOLDSTEIN: That's true. Again, this is the disclosures to friends or family members who are assisting in care. Providers can disclose information about the person's condition or treatment to those assisting in care of the individual unless the individual objects.
MS. SCHMIDT: And the last question from a family member. The privacy rule would have prevented me from finding out information about my son in a hospital in New York City on September 11th.
THE AUDIENCE: False.
MS. GOLDSTEIN: Correct. The rule permits disclosures by hospitals to disaster relief agencies and to families in order to notify them that a member of their family or loved one is in the hospital or has been involved in a disaster. That's it.
MS. SCHMIDT: Okay. That's it. Please look down your list, and I think you all know how to do the numbers in your head. If not, I think Tony Fay would help you calculate it. If you have got 90 percent or above correct, raise your hand. You can get a treat. Thank you.
DR. WOOD: What we would like to do actually is take a short break and then come back and have, yeah, right, have your treats. I would like to come back and also have the subcommittees who have been doing a lot of work take the time to share with you the work that's been going on and the discussion that's been going on in the subcommittees so you can get a good sense of all the work that has been done. Oh, yeah. We have got to do the proposed modification actually. So you can find out where on the basis of what you saw there will be some modifications. So we'll do a ten minute break.
(Recess taken.)
DR. WOOD: Now that you have seen the amount of complexity in trying to craft a rule that is workable and now that you have done the exam and you have seen how well you have done or not done and I think seen where there are a couple of particular problems based on the original approach to this, Paula's going to take the time now to go through the proposed modifications. These are the ones actually that are now out for open public comment until next Friday. So we want you to see how the Department is responding. So Paula will go over those, and then we'll take the time to have some discussion among ourselves and other questions.
MS. STANNARD: Thank you. As Dr. Wood mentioned earlier, I am in the Office of General Counsel. I am counsel to the general counsel there which means I am a political appointee, and when I arrived at the Department in September, our process of thinking about modifications to the privacy rule was well under way, and we were being guided by a couple of principles that the President and the Secretary had set out. They were, namely, that we were absolutely committed to ensuring privacy and security of protected health information but not at the expense of access to and quality of health care and not at the expense of the common sense practice of medicine.
So in considering how to modify these rules, how to make privacy work, our touchstone was what would the reasonable patient expect? How would they expect their health information to be used and protected? And does the rule as currently set up help or hinder the patient's access to quality health care?
Our belief is that patients would expect their medical records to be protected from disclosure to those people who don't have a legitimate need to see it without having their access to care impeded. We hope that the modifications that we have proposed meet these principles and will operate to ensure privacy of health information while at the same time making sure that our system of medicine works, and we propose these modifications to correct unintended barriers to access to quality care and to make changes to benefit consumers of health care services, consent notice, minimum necessary and oral communications, research and de-identification. Then there are a number of discrete policy issues we addressed; parents and minors, marketing and business associates, and then there were a number of other changes more than the technical changes that we made. As we have mentioned before, we're currently in the comment period which ends next Friday. Believe me, we welcome your comments. We obviously are not out there in the trenches, you are, and your perspective is very valuable to us, but if you don't like something that we did, some proposal that we made to fix a problem that commenters have identified, give us alternatives. We know that the problems exist. We need to have a way to fix them.
So as I said, if you don't like what we did, we need alternatives. Also, you know, we're glad to hear your comments here, but in order to be effective, in order for us to take them into consideration in modifying the rule in reaching a final modification they have to be submitted pursuant to directions that were in the NPRM which is send them to the Department at the address listed which is US Department of Health and Human Services, Office for Civil Rights, Attention Privacy 2, Hubert Humphrey Building, Room 425A, 200 Indiana Avenue Southwest, Washington, D.C., 20201, or submit electronic comments on hhs.gov\ocr\hipaa. I understand we are having some trouble accepting some electronic comments because of the demand for it, but if you are having problems, just keep trying. We're also, as I said, accepting them if you send them to the Department.
DR. WOOD: You want to correct the URL at the bottom of the page.
MS. SCHMIDT: Two As, one P.
MS. STANNARD: I did this late at night, sorry.
MS. GOLDSTEIN: So people now --.
MS. STANNARD: It's H-I-P-A-A, sorry, although if you go to hhs.gov you can find your way to it. And because our mail is still being slowed down by the irradiation process. If you're going to be submitting comments by mail, we have determined that we're going to continue to accept them as long as they're postmarked by April 26th, but we would appreciate it and our staff would greatly appreciate it if you're sending it by mail, if you'd get it in as soon as possible because we're under a really tight deadline because, as Jodi mentioned, we want to make sure that we get the final modifications effective so that you don't have to comply with the current final rule when there are modifications that are coming in a short period of time. So that's why her summer is going to be very busy.
The first area in which we're proposing changes is in notice and comment, consent and notice. We heard a great deal from people out in the medical community that the proposed requirement should require prior consent before health care information can be used for treatment, payment and health care operations, was completely unworkable in a number of situations, and the most obvious ones are emergency situations in which there's an exemption but pharmacists, specialists, doctors who receive referrals or give referrals a lot, emergency medical technicians, ambulances, and we just heard that because of the nature of their practices and the way they operate it's impossible for them to obtain consent or just becomes completely unworkable. So what we did was thought about what does a patient expect? The most was unimpeded access to quality care, a generally limited use of protected health information to what is necessary to provide that quality of care, fair notice of how this health information is going to be used and more control over where his information goes. So what we're proposing is to eliminate mandatory written consent for use or disclosure of protected health information for treatment, payment and health care operations. This should alleviate the problems that made the consent requirement unworkable. Consent can still be obtained if a covered entity wants to, and the very important thing is that authorizations by the patient are still required for all other disclosures of protected health information.
Coupled with the decision to propose that we eliminate written consent was a desire to strengthen the notice requirements. What the patient really wants to know is how is my information going to be used, what can I do if I don't want it to be used in a certain way? And so what we have done is in addition to requiring notice of what the health care disclosure is, that providers attempt to get written acknowledgment of receipt of the notice by the patient as a good faith requirement so if the patient either refuses to provide a written acknowledgment, they can document that refusal, and that's fine, and the acknowledgment can be as easy as signing another copy of the notice or initialing it, and documentation of good faith effort is just as easy as putting a note in the patient's medical record that they received the notice but didn't provide written consent. Now, why did we do this? When we looked at consent, we realized that consent is really illusory because a patient is required to give consent; otherwise, the provider can refuse to treat, and really a patient expects when he goes to the hospital or goes to a doctor that his doctor is going to get his medical information and use it to treat him, and then he realizes that if his medical plan is going to be paying for this treatment, the provider is going to have to provide that information to the health plan or to the insurer or he's going to have to use that information to bill the patient. So the way it was set up just didn't seem to make sense to us. So this change that we're proposing will inform patients of what their rights are and how to exercise them while eliminating the barriers that could delay or block access to care.
The next area in which we were proposing change is minimum necessary and oral communication. We retain the requirement for oral communications and minimum necessary, but we're addressing those incidental disclosures that occur in a treatment situation, doctor talking to a nurse in a semi-private room, doctor and nurse talking at a nurse's station, the x-ray light boards, things like that. Incidental disclosure is permitted if reasonable safeguards are used and if minimum necessary requirements are met. We believe that this approach removes the chill from common and necessary health care practices so long as reasonable precautions are taken to eliminate disclosure, to limit incidental disclosures. Let me go back a minute.
So we are proposing to modify this requirement, and the one important thing is that the disclosure has to be incidental to treatment, and it has to be related to that treatment. For example, standing in a nurse's station, if I'm treating a patient in a cardiac unit, it's not directly related to the treatment that the patient had a nose job two weeks ago unless he's taking medication or in some way that treatment, that previous procedure affects his current medical situation.
Oral communications. We retain the protections for oral communication and permit uses and disclosures that are incidental to otherwise permitted use or disclosure provided that these are necessary for effective quality health care and minimum necessary and safeguard standards are met. As I said, talking to a patient in a semi-private room, talking to other providers if passersby are present, and as I mentioned earlier, in talking about one of the questions in our quiz, a provider in a cardiac ICU can talk to another provider or nurse about a patient's cardiac condition, but they can't gossip about or comment on a patient's nose job or sex change operation unless it's immediately relevant to his treatment.
Summary: We are retaining the standards for reasonable efforts to limit uses and disclosures to the minimum necessary, and the same incidental uses and disclosures are permitted for written or electronic communications. Waiting room sign-in sheets are okay. Patient charts at the bedside are okay. X-ray light boards are okay. But what do, for example, safeguards entail? Take for example the sign-in sheet. You can identify the name, probably the doctor that the patient is going to see, but you can't ask the patient why are you here, you know, what are you seeking treatment for or purpose of your visit, and I think this really reflects the common sense practice of medicine and how you actually go about your work today. We're just making sure that it's clear and that people understand the limitations.
Research: When we were looking at the research provisions, we had received a lot of comments that the privacy rule as it currently stands impedes research, that the requirements for separate forms were burdensome, and that in terms of obtaining waivers of authorizations the criteria were vague, internally inconsistent, confusing, redundant, so we looked at what we could do on research. First of all, we decided that we could simplify the research provisions. In terms of the criteria to permit waiver of authorization, we more closely aligned that with the common rule. I will talk more about that in a moment. We proposed to consolidate required forms, so if you are doing an informed consent for a person who is undergoing a clinical trial, that informed consent can be combined with the consent for use of protected health information. We also indicated that the expiration date provisions of the authorization are eased. We require in the privacy rule that an authorization designate an expiration date. We propose in the NPRM that in the case of research the expiration date can say end of study, and if you're compiling a database for research purposes, that expiration date can say none or no expiration date.
We're also proposing to provide transition provisions that provide greater flexibility for continuing research that was begun before the compliance date. So that this in effect would grandfather in existing research that's going on. If you have a current research that's going on without authorization, you don't have to stop your research, go back and get authorization from all the participants or from people whose medical records you're using. As long as you've obtained an IRB waiver or express written permission, you don't have to go back and get new waivers or new authorizations for use of protected health information. Our desire was to address the concerns about the rule impeding medical research while making sure that these privacy protections were strong.
Let me talk about the research waiver criteria. As you know, there are two ways that research is permitted. You can either get a specific authorization from the patient to use his medical records and health information for research purposes, or you can go through an IRB or privacy board and get a waiver of that authorization. The original final rule created eight waiver criteria which we have listed on the far left, and we received comments during the period when we reopened the rule that these were confusing, burdensome, inconsistent and inconsistent with the practice that was going on under the common rule, and the common rule, as you probably know, is what applies to research that is being funded by the federal government. You have your IRB and they apply certain criteria for waiver of informed consent, and their very simple criteria are: the research involves no risk to the subject, the waiver would not affect the subjects, the research could not be practically done without the waiver, and whenever appropriate subjects are to be provided with pertinent information after participation. We heard from a lot of people that if you're under the common rule you shouldn't have to comply with the privacy rule, that there is some consideration of privacy given when you go through an IRB process and that should be sufficient. We found when we looked at the issue that there are a couple of problems or concerns. First of all, exempting people who are subject to the common rule would create a dual system: one system, or more favorable system, for people who are receiving federal funds, and a second system for private research, and we didn't think that was appropriate.
A second problem occurred because some researchers voluntarily subject themselves to the common rule. In some instances if you're doing research at a university that receives some federal funding, the university researchers voluntarily agree to comply with the federal common rule for all research that's done at the university, and we had to address, well, if we decided to go with the common rules for people who are subject to the common rule, how do we deal with those people who are voluntarily complying with the common rule? And the final concern that we had was that the common rule, although it does consider privacy, doesn't explicitly consider it. It's not mentioned in the factors for waiver. So we thought about it a great deal. And research was probably the one issue that we debated the most.
We ended up meeting at 7:30 in the morning mostly two times a week for like two months, and I think that the majority of our meetings were talking about research just because it was very difficult to resolve. We ended up deciding that the best thing to do from our perspective was to modify the waiver criteria under the privacy rule more closely, align it with the criteria that were considered under the common rule and make that applicable to everyone. So what we have done is created waiver criteria that are simple and provide definition of what we're considering.
We say one of the waiver criteria is that the use or disclosure of public health, of protected health information involve no more than minimal risk to an individual's privacy. What does that mean? We take some of the other criteria that we had previously had as independent criteria and say that that's what defines no more than minimal risk, so no more than minimal risk means that you have to have an adequate plan to protect identifiers from use or disclosure, you have to have an adequate plan to destroy identifiers as soon as possible but consistent with the needs of the research, and finally, you have to have adequate assurances that there will be no reuse or disclosure of the protected health information except for other research, oversight or as required by law.
So what we tried to do is make it simple or more understandable. Then we determined that another criterion should be that the research could not be practically done without the waiver. This is similar to one of the criteria under the common rule, and finally, that the research could not be practically done without access to the protected health information; again, similar to the criteria of the common rule.
So I think that this solves many of the problems that people had identified with the criteria that we were previously proposing to use for the privacy rule.
There is still one more issue. A lot of people suggested that we have some type of set of data that was facially not identifiable that could be used more broadly, specifically in the area of research, but in other areas also. For example, for public health purposes I know a lot of state hospital associations gather in data from all of their members, aggregate it and then provide that information back to all of their members. They can't do it under a business associate contract because they're providing one entity's information in aggregate form to another entity, which is not permitted by the business associate provisions. So we're looking at and asking for comment on an idea of a limited data set that could be used for specific but limited purposes for research, for public health purposes or for health care operations, and we're looking at how we would put this together and asking for comment on, you know, what data is necessary to do these functions, what data is not. So we'd be excluding directly identifiable data but retaining certain identifiers.
In order to protect this information because it could be reidentified, it's not facially identified but it could be reidentified, we would propose to require a data use agreement. Now, I think that this would protect privacy while providing access to limited data for specific purposes, but we're asking for comment on this idea. What purposes other than the three that we've identified should have access to this limited data set? What data elements should be in this limited data set? What elements should not? We're really open to creating some type of information between identifiable information, which you need authorization to obtain and use, and completely de-identified information, which we have been told is not useful for some of these purposes. So we really want to be able to meet the needs of researchers, of public health interests and of other health care operations, but we need to do it in a way that protects the privacy of the information, and this is how we came -- this is the best way we came up with doing it. As I said, we need your comments in order to do it.
Another area in which we're proposing change is in the parents and minors area. Family law, as you may know, is a matter of state law, and in promulgating the final rule the Department had intended to defer completely to state law in terms of disclosure of minors' information and access to minors' information. One thing I need to make quite clear is that the privacy rule provisions on parents and minors are only about rights to medical records. It's not about a minor's right to obtain certain treatment without parents' notification and consent or a minor's right to consent without parents' knowledge to certain services. What we found in looking at the rule is that as it's currently drafted we didn't quite do that. If a state law permitted but did not require a provider to provide certain information to a parent, we inadvertently preempted that.
So what we're trying to do is preserve the intent of the current law, which is to completely stay out of the area of parents and minors and leave that to states and to parents' discretion, to providers' discretion. There is no change of parental control over a minor's health information in most cases, and as I said, we're trying to make sure that we defer to state law.
So the changes that we're proposing are that disclosure to a parent is permitted when permitted or required by state law. Disclosure to a parent is not allowed when state law prohibits that disclosure, and we're quite firmly trying to make sure that we preserve the discretion of providers. When state law is silent or unclear, we want to make sure that we're preserving the provider's discretion to give or deny a parent access in accordance with his professional judgment.
Marketing was another area in which we had a great deal of difficulty in figuring out what to do with it. All the comments we received agreed that the system that had been proposed in the final rule was not workable, that it was just very confusing. We had three different categories of information, and it was difficult for a provider to know what he had to do because it could so easily be one or the other, and on the other side consumers said, you know, this is also very unclear. We got contradictory suggestions as to how to change it.
We had three categories of information, and providers said, you know, move this second category up into not marketing. Consumers said, you know, it is marketing and you should require consent for it, or I'm sorry, authorization for it. What we ended up doing is simplifying it a great deal and creating just two categories.
We proposed prohibit sending marketing materials to an individual without that individual's a