ACS Views on Legislative, Regulatory, and Other Issues
HIPAA Privacy Rule
staff contact: Barbara Peck, bpeck@facs.org
April 26, 2002
Ms. Robinsue Frohboese
Acting Director
Office for Civil Rights
Attention: Privacy 2
Department of Health and Human Services
Hubert H. Humphrey Building, Room 425A
200 Independence Avenue, S.W.
Washington, DC 20201
Re: Office of the Secretary; Standards for Privacy of Individually Identifiable Health Information; RIN 0991-AB14
Dear Ms. Frohboese:
On behalf of the 62,000 Fellows of the American College of Surgeons, we are pleased to submit the following comments in response to the proposed rule for Standards for Privacy of Individually Identifiable Health Information published by the Department of Health and Human Services (HHS) in the March 27, 2002 Federal Register. The Fellows of the College represent all surgical specialties and are involved in private practice, medical research and surgical education. The modifications to the proposed final privacy rule are of great interest to our Fellows, who are committed to maintaining our patients' privacy while ensuring continued availability of patient data necessary for use in clinical and scientific research.
We have several key concerns and recommendations regarding HHS' modification to the medical privacy rule. We have limited our comments to the following, as summarized below:
- The College supports revisions to the provisions governing disclosure of information for purposes of treatment, payment and health care operations and agrees that it is appropriate to provide limited expansion of the protected health information that is allowed to flow between one covered entity and another.
- As a concrete step in lessening the administrative and cost burden of the business associate requirement provisions, the College requests that the Department clarify that the use of electronic signature, or "point and click" agreement, is allowed as a means to enter a business associate contract.
- The College supports the Department's proposal to consider expanding the list of data elements that would be allowed in information defined as de-identified and urges that it be adopted into the final rule.
Disclosures for Treatment, Payment or Health Care Operations for Another Entity
The College supports the Department's modifications to the provision relating to disclosures for treatment, payment and health care operations. The limited expansion of the information that is allowed to flow between entities, without obtaining authorization from the patient, as a part of treatment, payment and health care operations is a significant improvement to the final rule. We are particularly pleased that HHS has proposed allowing one covered entity to disclose protected health information to another covered entity for specified health care operations, provided both entities have a relationship with the patient. We agree with the Department's identification of the types of health care operations that should be afforded this privilege including quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs and accreditation, certification, licensing, or credentialing activities.
In order to maintain the mechanisms by which continuous quality improvement activities are enacted, it is often the case that one covered entity must share protected health information with another covered entity for health care operation purposes. For example, the College coordinates and oversees a National Cancer Data Base (NCDB), a non-governmental centralized cancer registry that collects patient data from its approved cancer programs to analyze and track cancer treatment, outcomes and quality of care. It is essential that the physicians managing cancer patients' care be able to transmit follow-up data to the hospital cancer registries that have initiated the collection of that data. Inability to do so would put at risk the quality assessment and improvement activities that are based on utilization of this data. We believe this proposal preserves the protections to individually identifiable information established under the final rule while encouraging participation on the part of health care providers in this data collection effort.
Business Associates
In the modifications to the business associate provisions, the Department proposes to allow covered entities to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003 compliance date. While we appreciate the Administration's recognition of the burdensome requirements of the business associate provisions by granting a one-year extension to modify contracts that already exist, we are disappointed that the Administration did not offer any concrete improvements to this section of the privacy rule.
As we have previously expressed to the Department, we believe the business associate provisions create heavy burdens on covered entities and their business associates by the imposition of contractual requirements. We realize that the construction of these provisions is a result of the inadequate statutory authority granted to the Department under the Health Insurance Portability and Accountability Act (HIPAA). However, this circuitous route to protecting all individually identifiable health care information places unreasonable administrative and cost burdens on providers, other covered entities and their business associates.
To demonstrate, we estimate that complying with just the contract requirements under the business associate provisions will cost participants of the National Cancer Data Base $600,000 in the first year alone. This takes into account the preparation and negotiation of 1500 contracts, each requiring two hours of legal consultation at $200 an hour. We believe this estimate to be conservative and anticipate that additional expenditures will be required to ensure compliance with this provision. While we would like to thank the Department for its attempt to relieve some of this burden from covered entities and their business partners by providing form language for the business associate agreement, we point out that regulatory language is not sufficient as a legal document. The development of the specifics in each contract will still require legal assistance.
As a concrete step in lessening the burden of the business associate requirement provisions, the College requests that the Department clarify that the use of electronic signature is allowed as a means to enter a business associate contract. Like the earlier proposed and final rules, the revisions to the proposed final privacy rule are absent any instruction as to the use of web-based technology to fulfill the business associate contract requirements. It is unclear in both the Privacy Rule and the Security and Electronic Signature Standard what exactly would qualify as a signature and whether a "point and click" acceptance of the business associate privacy practices would qualify as a contract that is legally binding under the rule. In complying with the privacy rule, the College, as the administrator of the National Cancer Data Base, will be faced with entering written contracts with all 1,500 of our cancer registry programs. This will entail significant time and could create reluctance on the part of our stakeholders to enter such agreements because of the anticipated costs incurred through pursuit of these contracts.
As we have stated, the cost of complying with the business associate requirement is onerous. Allowing the use of point and click technology to execute a business associate contract could alleviate, to a significant degree, the cost and administrative burden to health care providers, other covered entities and their business associates. With the increase in health-related data transmitted online, there has been a move to the acceptance of point and click agreements as legally binding "signed" documents. We strongly urge the Department to clarify that such methods of contracting are in compliance with the Privacy Rule.
De-Identified Information
The Department states in the revisions to the final rule that it is considering permitting disclosure of a limited data set which would not include facially identifiable information, but in which certain identifiers would remain. The limited data set would qualify under the safe harbor method as de-identified health information and would replace the more stringent requirements of de-identification set forth in the final rule. The disclosure of this data set would only be for purposes of research, public health and health care operations.
We appreciate HHS' responsiveness to comments from the College and other concerned entities regarding the need to use and disclose non-facially identifiable patient information for research and quality improvement purposes. The College is encouraged that your agency recognizes that the data requirements for research and health care operations are unique from those for treatment and payment and is considering altering the rule to account for these differences.
As the College has noted previously to the Department, the methods by which covered entities would be expected to de-identify information under the final rule are not in keeping with common sense approaches to ensuring that the information is usable. The requirement to remove all 18 identifiers specified in the final rule would render data almost useless for many research purposes or quality improvement activities that are essential to improving public health. This creates a perverse disincentive to de-identify information, completely contrary to the Department's intent. The College believes that accountability is more than just protecting private health information. It also bears the responsibility of beneficence towards treating the patient and obligates health care institutions and providers to promote quality improvement and cost-effective health care.
For these reasons, we strongly support HHS' decision to seriously consider recommendations to revise the final rule to allow greater latitude in what will be considered de-identified information. The College agrees that the limited data set should allow inclusion of the following information: admission, discharge and service dates; date of death; age; and five-digit zip code. We maintain that these data elements do not directly identify an individual, but are key for conducting research and outcomes improvement activities. We agree that data which is defined as de-identified should not include patients' names, street addresses, telephone and fax numbers, E-mail addresses, social security numbers, certificate/license numbers, vehicle identifiers and serial numbers, URLs and IP addresses, and full face photos or any other comparable images, as these could easily be linked to individuals.
Regarding the limited data set, we note that the proposed revisions to the final rule do not include a definition of "service dates," but would hope that it is broadly defined to include dates of all evaluations, medical diagnoses and treatments. Timing issues relative to provision of services can be critical for evaluation of treatment patterns that affect the outcome of care. The College would appreciate clarification from the Department as to what is defined as "service dates."
HHS has asked for specific comments on whether another one or more geographic units smaller than a state, such as city or county, precinct, neighborhood or other unit would be needed in addition to or preferable to a zip code. We believe that the inclusion of a zip code does not directly identify a person and is an adequate geographic identifier. The use of zip codes, which provide an approximation of patients' location relevant to site of health care services, is essential in evaluating related access to care factors that ultimately impact health outcomes. For example, using zip codes as a geographic identifier can reveal how a patient's distance from health care services can influence stage of diagnosis and treatment decisions.
The Department also requests comments on whether date of birth is needed and, if so, whether the entire date is needed, or just the month and year. The College considers date of birth as one of the key factors which can be used to identify cases for subsequent study. When data is encrypted or trapped, the inclusion of date of birth, rather than patient age, provides greater specificity for analytic purposes. Patient age is relative to the day in which it was reported and is ultimately not as useful. Date of birth is particularly critical for case identification in instances when there are multiple case submissions from the same institution. Defining date of service to include the date of diagnosis and treatment and allowing the birth date in the limited data set would allow for stratification of patients into demographic age groups and would offer valuable timing benchmarks around which analyses can revolve.
In addition, HHS is soliciting comments on its proposal to condition the disclosure of the limited data set on covered entities obtaining a data use agreement in which the recipient would agree to limit the use of the data set to the specified purposes permitted in the privacy rule, limit who can use or receive the data, and agree not to re-identify the data or contact the patients. The College believes that it is appropriate for HHS to limit the use and disclosure of this limited data for research, public health and health care operations purposes. Although we believe that the compromise to allow a limited data set is a laudable improvement to the final rule, we do not believe a data use agreement is necessary to ensure the proper use of de-identified information.
Notice of Privacy
The College supports the added flexibility to the Notice of Privacy Practices provision for health care providers that have a direct treatment relationship with patients. Our member surgeons face many situations in which they have to perform procedures on an emergent basis. The final rule requires that a health care provider make a good faith effort to obtain a written acknowledgement of the notice at the time of first service delivery. The Department's modification to the Notice of Privacy Practices recognizes that it is not always possible during an emergency situation to immediately provide notice to patients and obtain acknowledgement. HHS' proposal to delay the requirement for provision of notice until reasonably practicable after the emergency treatment situation better reflects how medicine is practiced, yet still provides for fair notice to individuals about how their information will be used, disclosed and protected.
Research
The Department has proposed changes to the research provisions that the College believes will be less cumbersome for researchers and make it easier to conduct legitimate research that is vital to improving health outcomes. The modifications to the criteria for waiving the requirement of written authorization from patients for use and disclosure of their health care information for research purposes would provide a more seamless approach to those covered entities having to comply with both the Common Rule, which is the standard used by seventeen federal agencies, and the Privacy Standard.
Authorizations
The College agrees with the Department's proposed decision to eliminate the requirement for separate authorizations for different purposes. We believe that having one set of criteria that apply to all authorizations will be less onerous on health care providers and easier for patients to understand.
Incidental Disclosures
The College urges the Department to include in its final rule the proposal to exempt "incidental disclosures" of patient information that occur in the hospital. It is critical that communications between patients, physicians and other caregivers not be so limited as to prevent essential discussions from taking place in areas where other non-involved parties may incidentally overhear, such as a hospital emergency room.
Conclusion
The College appreciates HHS' diligence in producing revisions to the final rule that address a large number of concerns raised by interested parties. We believe some of these changes improve the workability of the rule and applaud the Department for working through these difficult issues in an attempt to prevent unintended consequences upon implementation. We understand that some of the major flaws that we believe remain in the rule are a result of the inherent weakness of HIPAA and we continue to hope for a legislative redress to the problems outlined in our comments.
The College hopes that HHS finds our comments useful in developing a final revised privacy rule. If you have any questions, please call me at 202-337-2701.
Sincerely,
Cynthia Brown
Director, Division of Advocacy and Health Policy
Revised April 11, 2006
This page and all contents are Copyright © 1996-2006
by the American College of Surgeons, Chicago, IL 60611-3211