National Committee on Vital and Health Statistics'
Recommendations on Issues Raised by Privacy NPRM
April 25, 2002
The Honorable Tommy G. Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
As part of its responsibilities under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), the National Committee on
Vital and Health Statistics (NCVHS) monitors the implementation
of the Final Rules that adopt the health data standards required
by the Administrative Simplification provisions of HIPAA and provides
consultation regarding privacy standards.
Over the past several months the NCVHS has sent you three letters
containing recommendations regarding the "Standards for Privacy
of Individually Identifiable Health Information." These recommendations,
which were informed by public hearings held by the NCVHS Subcommittee
on Privacy and Confidentiality, addressed issues involving consent,
minimum necessary, research, marketing, and fundraising.
This letter responds to the Notice of Proposed Rulemaking (NPRM)
published in the Federal Register on March 27, 2002, containing
proposed modifications to the Final Rule. We present our additional
recommendations related to the areas we have previously addressed
in our letters as well as other issues raised by the NPRM.
At the outset, the NCVHS would like to acknowledge and thank the
Department for the careful consideration it gave to our previous
recommendations. The preamble to the NPRM indicates that the Department
paid close attention to the views of the NCVHS and that in several
instances our recommendations were adopted.
Consent
The NPRM proposes to eliminate the requirement that covered entities
obtain patient consent for treatment, payment, and health care operations
(TPO). Instead, use of consent forms would be optional. Direct treatment
providers need to make a good faith effort to obtain an individual's
written acknowledgment of the provider's notice of privacy practices.
Other covered entities, such as health plans, would not be required
to obtain this acknowledgment from individuals, but could do so
if they chose. The NCVHS supports this revision. We believe it strikes
the proper balance between the benefits of informing and empowering
patients and the burdens of requiring covered entities to have patients
complete additional paperwork.
Although consent for disclosure of PHI for TPO would seemingly
further patient interests in privacy and autonomy, the consent form
would likely become simply another piece of paper for a patient
to sign without much thought or discussion with a health care provider.
The notification procedure can succeed in informing individuals
how their records may be used for TPO, but only if the notifications
are explicit and covered entities are diligent in explaining the
contents of the notice to patients. In our view, effective privacy
protections for PHI are much more likely to result from HIPAA-imposed
limits on uses and disclosures than from patient-negotiated limits
flowing from the signing of a consent form.
Minimum Necessary
NCVHS supports the NPRM with regard to the minimum necessary provisions.
Research
NCVHS supports many of the proposals in the NPRM with regard to
research, including the following: (1 ) the decision to continue
requiring an authorization or institutional review board (IRB) or
privacy board approval for use or disclosure of PHI for research;
(2) the interpretation permitting IRBs and privacy boards to issue
partial waivers of authorization for the purpose of allowing a researcher
to obtain PHI necessary to recruit potential research participants;
(3) the proposal to permit an individual's authorization to use
or disclose PHI for the creation or maintenance of a research database
or repository without an expiration date or event; (4) the modification
of waiver criteria to be better aligned with the Common Rule; and
(5) the commitment to provide additional guidance and clarification
on the relationship of HIPAA Privacy Rule provisions dealing with
research and the Common Rule.
NCVHS is opposed to the proposal that would require a covered entity
to disclose any remuneration that will result from obtaining an
authorization only in the case of an authorization for marketing.
Although we agree with the intent to simplify authorizations, our
reading of the NPRM would permit a covered entity to accept remuneration
from the sponsor of research for enrolling patients without disclosing
this fact at the time the authorization is sought. We believe that
the issue of remuneration is a material fact of which potential
research participants have a right to know.
NCVHS has previously recommended "that HHS reconsider whether
the provisions of the privacy rule dealing with the de-identification
of information unduly interfere with research and, if so, search
for options to reduce the undue interference." Consequently,
NCVHS supports the NPRM's request for comments on the issue and
its reconsideration of the de-identification provision. In particular,
NCVHS strongly supports the concept of permitting restricted uses
of a limited data set which does not include facially identifiable
information, but in which certain identifiers would remain.
Marketing
NCVHS supports the NPRM's new requirement that specific authorization
is required before PHI may be used for marketing. We believe, however,
that the general authorization requirement in the NPRM is insufficiently
protective of PHI in marketing in the context of the various exceptions
and possible applications of the rule. We believe these unintended
consequences may be eliminated through several modifications, while
retaining the general principle of requiring authorization for marketing.
Accordingly, NCVHS recommends the following revisions to the provisions
dealing with marketing:
1. The definition of marketing needs to be simplified to cover
any communications about a product or service, unless it is subject
to one of the specific exceptions. As currently written, the communication
must be to encourage the recipient of the communication to purchase
or use a product or service. Thus, communications encouraging the
recipient to tell others about a product or service are not covered,
nor are marketing communications couched as merely informational
messages. The change NCVHS recommends is necessary because only
activities within the definition of marketing require an authorization,
and under the wording in the NPRM, a wide range of commercial activities
need not comply with the authorization requirements.
2. The NPRM excepts from marketing (1) descriptions of the entities
participating in a health network and their products and services;
(2) communications for treatment of the individual; and (3) communications
for "case management or care coordination for that individual,
or to direct or recommend alternative treatments, therapies, health
care providers, or settings of care to that individual." Although
the NPRM states that the third exception is not intended to increase
the scope of the marketing exceptions, NCVHS is concerned that the
third exception could be interpreted much too broadly. We reiterate
our position that case management and care coordination should not
be considered marketing, but we recommend the inclusion of additional
language clearly limiting the applicability of this exception.
3. The provision excluding face-to-face communications from marketing
needs to be limited to contacts by health care providers. Otherwise,
business associates (that may have the same rights as covered entities)
could engage in face-to-face marketing activities without being
subject to the authorization requirement.
4. In the December 2000 Privacy Rule, exceptions to the definition
of marketing are limited to oral communications or written communication
where no compensation is received from a third party. If compensation
is received by a third party, the Privacy Rule will not permit the
communication to be excepted from the definition of marketing. The
NPRM proposes to broaden the exceptions to the definition of marketing
by including written communications where the covered entity receives
direct or indirect remuneration from a third party for making the
communication. NCVHS believes that remuneration for communication
transforms the communication into a marketing event, and therefore
recommends that the original limitations to the exceptions to marketing
be restored.
5. Under the NPRM, marketers are not required to disclose how they
obtained the identity or PHI of individuals they contact, the rationale
being that the execution of an authorization provides the individual
with all of the necessary information about the identity of possible
marketers. NCVHS believes that disclosures at the time of marketing
contact are important because authorizations are likely to be signed
by vulnerable people at a vulnerable time. Accordingly, NCVHS recommends
that conditions on marketing based on an authorization need to be
established by the Privacy Rule. As we recommended in our letter
of March 1, 2002:
Authorizations to permit health care marketing should be limited
to products or services that are directly related to the health
of the patient, and should clearly indicate that they are comprehensive
and can include sensitive protected health information. The disclosure
of protected health information by covered entities to marketers
should be conditioned on the marketers' agreement (1) not to redisclose
the information, and (2) to disclose, in the course of marketing,
the financial arrangements of the parties.
NCVHS further notes that the focus should be on "marketing"
rather than "marketers" because there is potential for
privacy abuse caused by the practice of marketing, even where the
entity would not describe itself as a marketer.
6. NCVHS would like to reiterate another recommendation contained
in our March 1, 2002 letter, that "[s]tandardized, simplified
procedures should be adopted to ease the burden on individuals who
want to opt-out of future marketing contacts." Applying this
principle to authorizations, the Privacy Rule should contain simple
procedures for the revocation of marketing authorizations.
7. NCVHS continues to believe that the Privacy Rule must place
restrictions on the methods of marketing pursuant to an authorization,
so that confidential PHI is not disclosed on the outside of mailings
or through voice mail, an unattended FAX, or other modes of communication
that are not secure.
Fundraising
The NPRM does not specifically address the issue of fundraising
and therefore NCVHS would simply restate our recommendations on
fundraising set forth in our letter of March 1, 2002.
Accounting for Disclosures
NCVHS recommends that HHS clarify the rules for accounting for
disclosures for public health and research purposes. Further, NCVHS
believes that the burden for accounting for disclosures for public
health and research purposes should be minimized whenever possible.
We appreciate the opportunity to offer these comments and recommendations.
Sincerely,
/s/
John R. Lumpkin, M.D., M.P.H.
Chair, National Committee on Vital and Health Statistics
cc: HHS Data Council Co-Chairs
|
