Initiatives
What’s New
Membership
Industry Events
Resources
Foundation
About Us
Site Map
Contact Us
Home
 Strategic National Implementation  Process (SNIP)
 National Provider Identifier Outreach Initiative (NPIOI)
 WEDI Regional Affiliates (WRA)
 WEDI Collaborations
 Policy and Advisory Groups(PAGS)
 NCHICA/WEDI Timeline Initiative
 Health ID Card Implementation Guide
 Clinical and EHR
 Health Savings Accounts / High Deductible Health Plans
 WEDI News and Events
 Overview
 Join & Membership Forms
 WEDI Member Newsletters
 Committees
 Policy Advisory Groups  (PAGs)
 List Serves and Forums
 Industry Events Calendar
 WEDI Listservs
 WEDI Listserv Archives
 WEDI Comments
 WEDI Bulletins
 WEDI Member Newsletters
 WEDI Policy Advisory Groups
 Presentations
 White Papers
 Clinical IT Resources
 HIPAA Resources
 Mission and Purpose
 WEDI Vision, Mission and  Guiding Principles
 Membership Information
 Join WEDI
 Board of Directors
 Committees
 WEDI Policy Advisory Groups  (PAG)
 Staff
 WEDI Member Directory
 WEDI Bylaws
 Board of Directors Members- Only Section
» Join WEDI
» WEDI Membership Renewal
» Member Directory
» WEDI Member Login
» Manage Profile
» WEDI Member Logout
 
 
 

Search WEDI for:

  
 


Workgroup for Electronic Data Interchange

Dedicated to improving healthcare through Electronic Commerce.

Find some of the latest programs, products and free resources from WEDI.

 		  
 

(8/25/99) WEDI Board Submits Preliminary Recommendations on Pending Privacy Regulations

August 25, 1999

The Honorable Donna E. Shalala
Secretary of Health and Human Services
440D Hubert Humphry Building
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Shalala,

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) designated the Workgroup for Electronic Data Interchange (WEDI) as an advisor to the Department of Health and Human Services in the selection of electronic health care standards.  Following are several recommendations regarding Privacy Regulations for your review and consideration.

Overview:
WEDI has been requested by DHHS to provide policy comments and input to assist in the writing of privacy rules as provided for in the 1996 HIPAA legislation.  WEDI appreciates the opportunity to provide these comments.  However, DHHS needs to understand that the time constraints imposed on preparing this response severely limited the number of issues that WEDI was able to address.  There are many more appropriate issues that WEDI would like to address and take under consideration.  However, we recognize that it is not practical to address them in the short period of time provided and will address them as a response to any Privacy NPRM that DHHS issues.
 General Statements:

1) Preemption of State Law:
 WEDI recognizes that DHHS is not empowered under HIPAA legislation to write regulations that pre-empt state law.  However, WEDI determined that it was important to formally state and present WEDI s strong position that to be practically effective and not cost prohibitive, any privacy legislation and/or rules must preempt all existing and future state laws and regulations.  It is WEDI s position that non-preemptive privacy regulations will result in the stifling of the use of electronic technology thereby increasing the administrative costs and reducing the quality of patient care.  All of which is contrary to the intent and purpose of the Administrative Simplification portion of HIPAA.
 
There are two primary and compelling reasons for this position:
A)  Jurisdiction Confusion:
The confusion generated by multiple state regulations would serve to limit the use of electronic interstate communication of protected health care information.  Since there is no defined methodology to resolve the jurisdictional issues that individual state laws represent, health care entities would not know which laws may impact them and in order to reduce risk would reduce or eliminate their use of electronic interstate communication of protected health care data.

There has been a natural evolution of the interstate transmission of protected health care information that has resulted in a natural and beneficial integration and communication between health care entities. This communication is a necessary component of both improved patient care and administrative cost reduction.  For the common good of the U.S. health care system, the growth of interstate communication of protected health care data should be fostered and preserved.
 Health care data is currently communicated interstate for patient care/treatment (e.g. laboratory samples, reports and consultations), payment (e.g. insurance claims, remittance and eligibility requests) and health care operations (e.g. utilization review aggregating and analyzing data for the purpose of improving patient care).  All sizes and manner of health care entities are currently involved in these transactions including small and large clearinghouses, laboratories, single practitioners, multi-state clinics, employers, regional and national insurance carriers, etc.

One fairly common example of such a transaction would be a Florida resident, insured through their employer in Alabama by a carrier in Connecticut presenting to a California clinic for treatment.  Prior to treating the patient, the clinic could electronically request eligibility information through a local California clearinghouse, which may route the request to another clearinghouse in New York who would route it again to yet another clearinghouse in Georgia who finally routes it to the carrier s eligibility contractor in Tennessee.  The eligibility contractor s system then generates a response that reverses the path and is delivered back to the clinic, all within 30 seconds of the clinic generating the initial request.   After treating the patient, the clinic would generate an electronic claim that is transmitted to a clearinghouse in Illinois that sends it to another clearinghouse in Ohio that routes it to the insurance carrier in Connecticut.  After processing the claim, the insurance carrier could then deliver the EFT and electronic remittance advice to a clearinghouse in Indiana that routes it to the clinic s bank in Nebraska who, after balancing with the ERA deposits the EFT and forwards the ERA on to the clinic for posting.

In the above hypothetical example, which is not extreme, these transactions pass through eleven states and none of the trading partners involved in the transactions would be aware of all of the states through which these transactions passed.  This does not take into account the complexities and variables of dial-up, frame relay and other wide area routing through public telephony and data carriers.  Routing these transactions through the fabric of multiple telephony and data carriers that represent the wide area and PSTN (public switched telephone network) could easily add 10 more states to the path that the transaction could follow.  There is no way for the health care entities to know which State laws are applicable to their transactions.

B) Cost of Compliance:
The cost of monitoring various state laws and establishing different administrative and technical procedures for each state that a health care entity sends or receives protected health care information would impose an extreme burden to all of the health care entities.  Even small provider offices that use clearinghouses would be sending protected health information through multiple states and would have the same issues and costs of compliance as large clinics.

Assuming that there was a methodology to establish jurisdiction, without preemption there is nothing in place to prevent states from enacting conflicting laws.  As a result, a health care entity implementing processes and technologies to comply with State A s law could create non-compliance with State B s law.  Therefore, the architecture of health care entities systems and processes would have to be extremely complex and cumbersome to allow the kind of diversity that would enable a health care entity the ability to deploy multiple concurrent processes and systems on a state by state basis.  The cost of re-engineering to enable this level of diversity would be prohibitive and if forced on the health care system would raise the cost of every entity in the chain of care and payment.  This would obviously be contrary to the intent of the Administrative Simplification portion of the HIPAA legislation.

2) Authorizations For the Release of Information:
WEDI recommends that specific authorization for release of protected health care information be required in all instances, except for the purpose of treatment, payment and health care operations.  For the purpose of treatment, payment and health care operations, the authorization for release of health care information should be implicit.

This recommendation is intended to ensure prompt and timely access to treatment, payment, and facilitates on-going operations that impact quality of care.  This recommendation is consistent with the intent of the Secretary of DHHS Privacy Recommendations of August, 1997, which essentially recommends that patient authorization for release of information only be required for circumstances not related to treatment or payment.

WEDI recommends that DHHS clarify the definition of treatment to include diagnosis to ensure that any activity surrounding diagnosis of a case would be treated on the same basis as treatment.

WEDI has recommended that release of information also be implicit for health care operations so that specific authorization would not be required. Further, WEDI recommends that the definition of healthcare operations should be broad enough to ensure that health data can be aggregated and used for utilization review and improving patient outcome.  WEDI recommends that DHHS use the definition of health care operations currently contained in the Greenwood privacy bill H2470.

3) Tracking of Access and Disclosure:
WEDI recommends that DHHS require the tracking of all access and disclosures of protected health information for those accesses and disclosures that are not for the purpose of treatment, payment or healthcare operations.  This is consistent with the recommendations contained in (2) above.

Requiring the tracking of accesses and disclosures of protected health information for the purpose of treatment, payment and healthcare operations would create significant cost burden and could negatively impact patient care.
 

4) Copying, Inspection and Amending of Records:
WEDI generally agrees and supports DHHS s recommendation that patients should have access to their medical records and have an opportunity to challenge or amend the information.

WEDI recommends that patient s rights of copying; inspection and amending of healthcare records are limited only to the patient s medical record and specifically exclude non-medical and/or administrative records.

5) Limitation of Exceptions:
WEDI has reviewed the DHHS Privacy Recommendations of 1997 and finds there are many areas where exclusions are recommended that may not be appropriate.  Within the time constraints allowed with this response, WEDI cannot specifically address each area of exclusion.   However, WEDI does recommend that DHHS closely examine each of the areas that were advocated for exclusion in their 1997 Recommendations for Privacy Legislation for the purpose of severely limiting any exclusions in the DHHS Privacy Rules.

WEDI notes that the DHHS Privacy Recommendations of 1997 also advocate government payers should be covered under any privacy legislation.  With that in mind, WEDI recommends that with the exception of clear national security interests, that DHHS Privacy Rules include all government payers and do not exclude federal and/or state public agencies and programs such as CHAMPUS, Indian Health, Medicare, Medicaid, Workman s Compensation, etc.  Federal and state healthcare agencies and programs should be accountable under the same rules as private healthcare entities.
 
WEDI will reserve any further recommendations or comment on exclusions until after the DHHS Privacy NPRM is released.

6)  Effective Date of DHHS Privacy Rules:
WEDI recommends that the effective date for any DHHS Privacy Rules should be the greater of two years from the publishing of the final rules or concurrent with the effective date of the DHHS Security Rules.
 

Sincerely,

Lee Barrett
Chairman, WEDI
 
Some links are to pdf format files and require Adobe® Acrobat® Reader to view.
 
  Email This PagePrint This PageGo Top
Workgroup for Electronic Data Interchange  |  Webmaster  |  Disclaimer   |   Site Help
Copyright © 2000-2004 Workgroup for Electronic Data Interchange (WEDI) All rights reserved. 
 Site best viewed with Internet Explorer 5.0+ or Netscape 6.0+ in 800x600 resolution