Privacy, please

A weekend trip to Maine for a family wedding turned into a business trip (and a tax deduction) when I was reminded that the 16th National HIPAA Summit and related Privacy Symposium were taking place at Harvard University this week. Since I was flying in and out of Boston, I hesitantly forked over the $150 extortion—er, change—fee to American Airlines and sprung for a hotel room, mostly so I could attend a heated debate—er, “roundtable discussion” (even though the table was not round)—about whether patient privacy rules were effective.

I’m pretty sure it was worth the money. Boston usually is. While in the area, I also got a tour of athenahealth’s Watertown headquarters. I learned that “chief athenista” and new daddy Todd Park is on paternity leave for the next several months, is relocating to the west coast and will come back as a board member only while he dedicates much of his time to some new ventures.

But I digress once again.

The roundtable featured a couple of heavy hitters in the privacy world, namely Dr. Deborah Peel and Dr. Bill Braithwaite, as well as Partners HealthCare System Chief Privacy Officer Karen Grant, Linda Sanches, representing the HHS Office of Civil Rights, and, via telephone, Jodi Daniel, from the Office of the National Coordinator. Given the expense I just incurred, I wrote a story Tuesday about the Peel-Braithwaite debate for someone who actually will pay me, Digital HealthCare & Productivity.

In the interest of getting the news out and getting picked up by this week’s Health Wonk Review, I’m going to give you for free some notes from other Tuesday sessions.

On Friday, HHS released some proposed dates for transitioning to the next generation of HIPAA transactional code sets—otherwise known as ANSI X12 version 5050—as well as to ICD-10 standards for E&M coding. The proposal also includes the the National Council for Prescription Drug Programs standard version D.0 for electronic pharmacy transactions.

The full language is at http://www.cms.hhs.gov/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp#TopOfPage and will appear in this Friday’s Federal Register to trigger a 60-day comment period, closing Oct. 21.

“This is not a do-over of HIPAA,” said Workgroup for Electronic Data Interchange Chairman James Whicker, who also phoned in to the HIPAA Summit. Whicker, director of EDI and e-commerce at Intermountain Healthcare in Salt Lake City, said that changes are necessary because the current version 4010A1 is more than six years old already and has significant shortcomings.

Among the changes he highlighted:

• The 835 transaction for remittance advice adds an embedded link to payer URLs for some payment adjustment and denial codes.
• 834 will allow ICD-10 to report pre-existing conditions and address some privacy concerns
• 270 and 271 eligibility transactions bring what Whicker called “a significant number of changes and improvements” from the provider perspective. For example, he said, the new code sets clarify instructions for sending inquiries based on whether the patient is the health plan’s primary enrollee or a dependent. If the eligibility date, plan name or benefit effective date for a particular encounter is different from that of the overall coverage, the health plan must report it as part of the transaction. Version 5010 also requires alternate search options for 270 and 271 transactions so a provider can search by member ID, last name only or date of birth to help eliminate false negatives and phone calls, Whicker said.
• 276 and 277 transactions for healthcare claims status have minor changes addressing privacy concerns over sensitive patient information that is unnecessary for business purposes.
• Implementation guides will no longer be free when 5010 takes effect.

I personally don’t know what to make of the 5010 news, but I know that there is significant opposition to the proposed Oct. 1, 2011, compliance date for ICD-10. As Whicker spoke, I was reading a press release from the Medical Group Management Association denouncing the idea, and would wager a large sum that the American Medical Association thinks three years and two months is not long enough.

And now back to the privacy debate.

In a separate session, Sanches vigorously defended OCR’s record on HIPAA privacy enforcement, despite the fact the office has not assessed a single civil monetary penalty in the five years the rules have been in effect. “Our enforcement has resulted in changes,” Sanches said, a sentiment also expressed by Michael Phillips, a health insurance specialist in the CMS Office of E-Health Standards and Services regarding enforcement of HIPAA security regulations.

Sanches said most privacy complaints have either been dismissed or resolved with corrective action, while some, as with Providence Health and Services last month, have been settled with with “resolution agreements,” usually resulting in a fine. Sanches described the resolution agreements as “forward-looking,” since they require corrective action even though there is no admission of liability. “We will be monitoring their compliance,” Sanches said of Providence, which agreed to pay $100,000 as part of the deal.

Suffice it to say, OCR still has plenty of critics. Deven McGraw, director of the Health Privacy Project at the Washington-based Center for Democracy & Technology, said that enforcement clearly is lacking. “When you haven’t imposed a single civil monetary penalty, you are not sending a message that you are going to hit people in the pocketbook,” McGraw said during a joint session with Peel.

Those who don’t know Peel well might think she would wholeheartedly agree with this sentiment, but she says the August 2002 HIPAA privacy amendments that created the “treatment, payment and healthcare operations” exemption effectively neutered the rule. “We believe there is nothing for OCR to enforce because there isn’t a privacy law anymore,” she said, arguing that lack of privacy is keeping people from seeking treatment for some conditions, including Iraq war veterans who might suffer from depression or post-traumatic stress disorder.

As for HIPAA security enforcement, Phillips said OCR gets many more privacy complaints per year than CMS does for the security rule, largely because so many violations involve paper PHI and the security rule only applies to electronic information. He said that CMS has received 350 security rule complaints, to date, but, surprisingly, given all the attention paid to laptop theft, only 10 percent have involved lost or stolen devices.

Of those 350 complaints, 248 have been resolved and 102 investigation remain open.
Phillips also discussed the CMS contract with PricewaterhouseCoopers to conduct 10 compliance reviews this year, saying that the audit firm has done six reviews, including the well-publicized critique of Piedmont Healthcare in Atlanta. Phillips said CMS will share information about one of the 10 cases when all the reports are done.

Another conference session focused on the Piedmont case, and I think I will do a story for one of my publication clients in the next week or two. Stay tuned.

And finally, since anything involving David Brailer tends to generate a lot of traffic to this site, I shall call your attention to the following from former U.S. Sen. Dave Durenberger (R-Minn.), who founded and chairs the National Institute of Health Policy and sits on the Medicare Payment Advisory Commission:

DAVID BRAILER a few short years ago was the No. 1 name in American healthcare according to the annual Modern Healthcare survey of important people in the field. His job then was to be President Bush’s “Health Information Czar” to get the medical system moving toward automation and electronic information interchange.

Today he runs Health Evolution Partners out of San Francisco. He says HEP was founded to accelerate the best in the inevitable change taking place in the healthcare market. It will focus on redefining quality, efficiency and accountability of healthcare services to consumers and payers. He has developed a “Purchaser Value Initiative” as well, and raised nearly a billion dollars from CALPERS and from an additional four or five state public employees retirement funds (including Minnesota).

Susan and I enjoyed lunch with David recently at the Buckeye Roadhouse just off CA Highway 101 near Sausalito. David’s no. 1 interest these days is in his family, especially his seven-year old son and year old daughter. I listened to much of a fascinating discussion over elementary education in San Francisco and the merits of various institutions before we got to passion no. 2. How health system entrepreneurs will use the cost-quality-access quandary we face in this country, to innovate our way to better health, medical care and health management services.

Listening to Brailer, you get the impression that there may have been a lot not to like in the Bush administration’s approach to “consumer driven healthcare.” On the other hand, it focused us on a critical reality. Everyone in America is a potential consumer of better health, more appropriate medical services and, someday, good judges of value in the healthcare system. Entrepreneur innovators are doing it right now, and Brailer’s EHP team will help make sure they succeed.