The Honorable Michael Leavitt

Secretary

U.S. Department of Health and Human Services

Hubert H. Humphrey Building

200 Independence Avenue, SW

Washington, DC 20201

Dear Secretary Leavitt:

The undersigned members of the more than 100 health care organizations that make up the Confidentiality Coalition urge you to use the authority provided in the Health Insurance Portability and Accountability Act (HIPAA) to modify the HIPAA privacy rule’s accounting of disclosures requirement.

The Confidentiality Coalition is a group of hospitals, health plans, pharmaceutical companies, medical device manufacturers, biotech firms, health product distributors, pharmacies, employers, medical teaching colleges and others. The Coalition was founded to advance effective patient confidentiality protections, and is led by the Healthcare Leadership Council, a health care association which brings together the chief executive officers of the nation’s leading health care companies and institutions.

Under the HIPAA privacy regulation, all covered entities must track and account for the disclosure of patient health information (PHI), with certain exceptions, and maintain records on all patients – records that can then be used to furnish accounting of disclosures on demand, even when such disclosures are required by law, regulation or request of a regulatory agency.

Individuals can request an accounting of all such disclosures made over a six-year period.

This regulation has been extremely burdensome and costly. In fact, one hospital estimated that compliance with this requirement meant the hiring of two full-time employees whose sole job consists of HIPAA-related paperwork. While only a small percentage of patients will ask for a list of disclosure accountings after their care, the hospital must maintain a specific record of each disclosure in case a former patient should happen to request an accounting of disclosures.

As another example, state Departments of Insurance (DOI) require health plans to turn over thousands of records every year for various DOI claim verifications and auditing functions. In addition, health plans and providers are sometimes required to report immunization, birth, death and other records to state authorities. Tracking millions of records every year, requests, is extremely costly. In addition to the cost of tracking, there is an enormous storage cost as health plans and providers must secure gigabytes and terabytes of computer storage for this very significant level of records.

The Coalition noted with great interest the recent recommendation of the Government Accountability Office (GAO) to reduce the administrative burden created by the accounting of disclosures requirement in the HIPAA privacy rule. In its September 2004 report, “Health Information: First-Year Experiences under the Federal Privacy Rule” (GAO-04-965), the GAO recommends that HHS modify the rule to exempt mandatory disclosures to public health authorities from the disclosures that must be reported under the accounting of disclosures requirements.

Importantly, GAO concludes the report by expressing serious concern that the rule’s requirements regarding accounting of mandatory disclosures to public health authorities do not support the rule’s goal of ensuring effective patient privacy protections without imposing unnecessary costs or barriers, and thus urges modification of the rule’s requirements.

While the Confidentiality Coalition supports the GAO recommendation regarding disclosures to public health authorities, we believe it is important to clarify that this exemption also includes disclosures to other government entities, such as state insurance departments. In our view, this should not be limited to mandatory disclosures, but should be expanded to cover routine disclosures to government entities.

Further, the burdens associated with the accounting of disclosures provision grow more complex when considered in the context of a national health information infrastructure and interoperable electronic health records, an important goal of President Bush. It will be extremely costly and administratively complex to maintain these records, thereby discouraging entities from participating in a regional information exchange.

As you know, HIPAA provides the Secretary with the ability to modify the HIPAA requirements as deemed appropriate, but not more often than every 12 months. The last modifications of the HIPAA privacy rule were incorporated into the final rule, published on August 14, 2002, making modifications allowable at any point.

Therefore, we urge HHS to take immediate steps to modify these requirements for all mandatory and routine disclosures to government entities. This action is consistent with the law’s goal and would provide important cost savings.

If you have any questions about the Confidentiality Coalition’s recommendations, please contact Theresa Doyle, Senior Vice President for Policy at the Healthcare Leadership Council (202)452-8700. Representatives from the Coalition would also be happy to meet with you or your staff in person should you wish to discuss our recommendations or concerns.

Sincerely,

America’s Health Insurance Plans

American Clinical Laboratory Association

American Hospital Association

American Medical Group Association

Association of American Medical Colleges

Blue Cross and Blue Shield Association

Federation of American Hospitals

Healthcare Leadership Council

Premier, Inc.

VHA, Inc.