January 3, 2000

 

Department of Health and Human Services Assistant Secretary for Planning and Evaluation

Attention:  Privacy-P, Room G-322A

Hubert H. Humphrey Building

200 Independence Avenue, SW

Washington, DC  20201

 

Re:  Proposed Privacy Standards -- 64 Fed. Reg. 59918 (Nov. 3, 1999)

Dear Assistant Secretary:

The National Council for Prescription Drug Programs (NCPDP) is pleased to submit the following comments regarding the proposed privacy standards for individually identifiable health information.  

 

[Insert NCPDP boiler plate description.]

 

 

 

Applicability – sections 164.104 and 164.502 (F.R. page 60052).

 

The proposed regulations are much broader than their very narrow and restrictive enabling legislation… section 264(c)(1) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

 

“If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. ” 

 

The Congressional mandate is clear… the proposed privacy regulations must only apply to the privacy of individually identifiable health information as it is transmitted in connection with the transactions described in section 1173(a).  Only individually identifiable health information contained in the electronically transmitted transaction standards may be the subject of these proposed regulations.

 

 

Definitions – section 164.504 (F.R. page 60052).

 

“Disclosure”…  The definition of “disclosure” must be amended by adding at the end of that definition “other than to the individual who is the subject of the information”.  This change would make it clear that a health care provider may release an individual’s protected information to that individual without that release being considered a disclosure.

 

 

Uses and Disclosures of Protected Health Information… section 164.506 (F.R. page 60053-60055).

The Authorization for Release of Information on page 60065 must be clarified for the benefit of both covered entities and individuals.  The last sentence on that Authorization must be rewritten to better reflect section 164.508(a)(2)(iv):  “No authorization is necessary to use or disclose protected health information to carry out treatment, payment, or health care operations, except when the information to be released is psychotherapy notes or research information that is unrelated to treatment.”

 

Third Party Beneficiary to Business Partner Contract…Section 164.506(e)(2)(ii)(A)   (F.R. page 60055).

 

This provision would provide a new federal right of action for individuals in those states that recognize a cause of action if a party is named in a contract as a third party beneficiary.  Congress did not authorize nor intend that the Secretary provide a new cause of action for a breach of a business partner contract required by these proposed privacy regulations.

 

 

Sale of Prescription Records… section 164.508 (F.R. page 60055).

 

Prescriptions, patient profile information, and other patient identifiable health information that is routinely sold alone or with a pharmacy must not first require obtaining signed individual authorizations as stated in this section:

 

“An authorization executed in accordance with this section is required in order for the covered entity to use or disclose protected health information in the following subsections…(2)…(ii)…(B) Disclosure by sale, rental, or barter…”.

           

Buying and selling prescription records should be considered a “health care operations” issue and this definition should be expanded to include this common business practice.  Not to continue to allow this common business practice would disrupt health care to patients.

 

Disclosures for Banking and Payment Processes… Section 164.510(i)  (F.R. page 60058).

 

This subsection must be clarified to assure that pharmacy benefit cards are not considered “or other payment card, or other payment means…”.  Otherwise, the National Council for Prescription Drug Programs (NCPDP) payment claim, which is expected to be adopted by HHS as the national pharmacy payment claim, may have to be modified to only provide the “minimum amount of protected health information necessary to complete a banking or payment activity…”.

 

 

Notice to Individuals of Information Practices… section 164.512 (F.R. page 60059).

 

To provide the necessary uniformity that will help individuals better understand their new federal rights and the procedures for exercising their rights, the Secretary should develop and distribute a Model Notice.  The Secretary’s Model Notice must be in plain language and of reasonable length so that it can be posted in a clear and prominent location where individuals seeking service from providers and health plans are able to read the Model Notice. 

 

Section 164.512(b) requires health plans and health care providers to provide such  notice to individuals, which will surely result in many different notices that convey the required information using different language that will result in confusing individuals as they seek care from different providers and health plans.  Individuals will benefit from the consistency of a Secretary developed Model Notice, which the Secretary should broadly distributed to health plans and providers.

 

 

Non-Preemption of State Law… subpart B (F.R. pages 60050 and 60051).

 

Lack of Federal preemption will make it difficult if not impossible for covered entities to know what law they must follow.  This is more than a mere inconvenience and expense to the covered entities… individual patients will likely suffer when their health care is interrupted while they wait while the covered entities struggle to try to understand what law to follow. 

 

Conflicts between these proposed regulations and state laws would occur because of the lack of federal preemption.  The practical significance is that the covered entities would not only have to know… for every conceivable factual situation that could present itself… the applicable state law, federal law, whether or not a conflict exists, and finally to resolve that conflict correctly under the penalty of law.  Covered entities do not and probably could not hire sufficient number of lawyers to determine what law to follow in the real time of electronic transactions.  The only solution would appear to have Congress enact privacy legislation that does preempt state law. 

 

Compliance and Enforcement… section 164.522 (F.R. pages 60063 and 60064).

 

Section 164.522(b) should be modified to allow 90 days for the covered entities to resolve the complaint before the individual may submit a complaint to the Secretary.  The Secretary already has this authority to make this suggested change… section 164.522(b)(1)(iii): “The Secretary may prescribe additional requirements for the filing of complaints…”.  This suggested change would reduce the administrative burden on the Secretary.

 

 

Costs of Implementing the Privacy Regulations as Proposed is Likely to be Much Higher than the Secretary has Estimated.

 

HHS estimates the “cost of compliance with the proposed rule would be at least $3.8 billion over five years” (F.R. page 60006).  However, the October 19, 1999 Report by BlueCross BlueShield Association (by Robert E. Nolan Company) of similar proposals, many of which are included in this proposed rule, estimates cost at over 10 times that amount… $43 billion over five years.    

 

However, cost should not be viewed in a vacuum.  What will all this money buy?  According to F.R. page 59923… “the HIPAA legislative authority is more limited in scope than the federal statute we recommend, and does not always permit us to propose the policies we believe are optimal”.  Buying less than optimal protection does not sound like a good bargain for the American public.

 

We agree with the Secretary that “there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them” (F.R. page 59923).  

 

These proposed regulations should not be implemented because they are not as comprehensive as they must be to provide optimal protection of patient identifiable health care information.  Federal legislation that preempts state law is the only cost-effective solution for this issue and we urge Congress to make it their number one domestic priority when they return to work later this month.

 

 

Sincerely,

Lee Ann C. Stember

President