March 30, 2001 Tommy Thompson Secretary Department of Health and Human Services 200 Independence Ave, SW Room 801 Washington, D.C. 20201 Attention: Privacy I, Room 801, Hubert Humphrey Building Federal Register Vol. 66, No. 40, Standards for Privacy of Individually Identifiable Health Information Dear Secretary Thompson: On behalf of the American Health Quality Association (AHQA), the membership organization of state-based quality improvement/peer review organizations (QIOs), thank you for the opportunity to provide comments on the Final Rule on Standards for Privacy of Individually Identifiable Health Information. The QIOs perform a wide variety of services to both public and private purchasers that require providers and practitioners to disclose health information to them that identifies both practitioners and patients. The QIOs protect this information with strict confidentiality and disclosure policies and understand the value of the trust that is the result of solid privacy practices. This type of trust is also critical to the relationship between patients and their caregivers. It is equally important that patient information move smoothly throughout the system of care for treatment of the patient and to improve the quality of care for those patients. This regulation represents a thoughtful attempt to balance both needs. Our recommendations in this letter are limited to the regulationÕs affect on the ability of QIOs which do not provide direct patient care but labor to improve care giving processes, to continue to work to improve the quality and efficiency of care. The Role of QIOs/PROs Quality Improvement Organizations (QIOs) perform medical review, assist providers (including practitioners, hospitals, skilled nursing facilities, home health agencies, and nursing homes) and plans in analyzing and improving the quality of care they deliver and assess the appropriateness of billing and payment. The primary customer for most QIOs is Medicare. However, they also have contracts with Medicaid, public and private employers, and other federal agencies. For purposes of the Medicare contract, Federal law refers to QIOs as Peer Review Organizations (PROs). The QIOs perform their work in a variety of ways. Sometimes they analyze specific medical records for the purposes of medical necessity determination, and other times they are asked to analyze aggregate samples of claims to identify payment and service delivery patterns. The statute creating the PROs gave them the authority to review individual patient records and placed strict confidentiality and disclosure protections on this information. The QIOs also need access to protected health information for other purchaser contracts. In this regulation, the primary question for external organizations like QIOs that rely on provider data for data analysis is, under what circumstances are covered entities allowed to give them protected information without individual authorizations? AHQA believes there are three primary ways that QIOs would be able to obtain protected health information - acting in an oversight, business associate, or research capacity. This letter includes recommendations that would clarify the circumstances under which QIO/PRO work with government agencies should be considered oversight, and the appropriate parameters for QIOs/PROs when they are considered business associates with covered entities. Specific Recommendations: 1. The circumstances under which government program administrators are considered oversight. The regulation states that government programs are considered both oversight and covered entities. However, there is no discussion about the circumstances under which they would be considered one or the other. Because the PROs act on behalf of government programs, it is critical that providers and practitioners understand the circumstances under which they are sharing information with PROs. Without such clarification, practitioners and institutional providers may be concerned about sharing information with the PRO program and analysis of the appropriateness and quality of care and payment error could suffer. AHQA Recommendation: In the definition of oversight add the following language: For government benefits programs any function required by law shall be considered oversight. This language ensures that Congressional intent for the programs they created is the driving force for making the distinction between a government administrator acting in their oversight or covered entity role. For purposes that may be more discretionary in nature, government administrators of federal programs could be considered covered entities. They would need to create business associate relationships with those with whom they contract. 2. Definition of oversight. The definition of oversight should include the functions Congress directed the PROs to perform for Medicare beneficiaries. The preamble includes in its discussion of the definition of oversight activities the functions that Congress mandated PROs perform. However, the regulation did not specifically include these statutory functions and should be amended to ensure that Congressional intent is not hindered. AHQA Recommendation: Delete the semi-colon, add a comma and insert the following phrase at the end of Section 164.510 (d) Standard: Uses and disclosures for health oversight activities.(1) (ii) : the appropriateness, and medical necessity of care and whether the quality of services meets professionally recognized standards of care. 3. The definition of generalizable knowledge for purposes of health care operations. In Section 164.501, Definitions, the regulation states that in circumstances where an external entity is acting as a business associate for a covered entity, their use of the data for improvement of the population of that covered entity - regardless of the size of the population - should not be for developing generalizable knowledge. Some have questioned whether the Medicare and Medicaid populations within a state are so big that if the QIOs/PROs analyze protected information on behalf of a state population in either program that it might have to be considered research because the knowledge is "generalizable" to a large population. This needs to be clarified to ensure that this regulation does not create a barrier for public programs to analyze care delivery and billing patterns and use that information to improve the performance of the program. AHQA Recommendation: Insert the following sentence at the end of the definition of Health care operations in Section 164.501. Definitions (1) For a government program acting in their capacity as a covered entity, the enrollee population of that program shall be considered the population of the covered entity. Information gathered from them in the course of health care operations and used for purposes of improving the quality or appropriateness of care or the health of those enrollees shall not be considered generalizable knowledge This regulation will impact the delivery of health care in very significant ways. AHQA is please that the Secretary chose to gather more information on its impact and to accept recommendations for ensuring successful implementation. For questions regarding our comments feel free to contact Karen Milgate at the address or phone number on our stationary. Sincerely, David Schulke Executive Vice President