2001 Town Hall Breakfast: Safeguarding Privacy and Confidentiality in the Digital Age
In the wake of fast-developing new information technologies, individual privacy, or lack thereof, has been receiving intense scrutiny. Numerous media accounts of Internet-related threats to privacy have focused a bright light on potential problems and damage to be done on the Internet, in contrast to the enormous opportunity the Internet otherwise creates. [slide 2] A recent book authored by Michael Hyatt, Invasion of Privacy, identifies a variety of risks of this technology. These include manipulation by marketers armed with personal information secured, often unknowingly, online; credit card fraud; identity theft; digital stalking; government surveillance; and employer surveillance of employees and even prospective employees. In fact, a Gallup poll conducted at the end of June found that almost eighty percent of e-mail users are concerned about their personal privacy online, and the biggest worry is misuse of their credit card information. [slide 3] A July Time magazine cover story highlights the Internet threat, and opens with: "It's 10 o'clock. You're on the Web. Do you know where your identity is? In fact, at any time of the day, the elements that make up who you are online may be manipulated in an increasing flood of fraud." Fortunately, most of these accounts also provide some information about, and some hope for, better protecting privacy online in the future. [slide 4] That's a welcome alternative to Sun Microsystems CEO Scott McNealy's widely publicized response to technology-related privacy breaches: "You already have zero privacy," McNealy asserts, "Get over it." While privacy on the Internet, in general, is of interest and concern to psychologists, privacy of health information is, of course, of particular significance to us. The following news clip provides an ominous glimpse into the potential magnitude of the problem in the healthcare arena. Let's watch (video clip plays).
The focus on this problem is not to imply that we have only now, as a result of Internet technology, "discovered" assaults on the privacy and security of health information. Rather, it is the potential magnitude of the problem that is to be underscored. Consider for the moment what it takes -- without technology -- to put a 500 page medical record into the hands of the wrong person. It could happen, although not easily. Consider what it would take to fax a 500 page medical record to an unauthorized person. What would it take to fax a 500 page medical record to 100 unauthorized persons? What would it take to e-mail a 500 page medical record to an unauthorized person? Finally, consider, what would it take to e-mail a 500 page medical record to a thousand unauthorized persons? Perhaps nothing more than a single click of a mouse. As important as privacy may be to the delivery of physical health services, there is something quite unique about the relationship between privacy and mental health services. [slide 5] In fact, no less august a body than the United States Supreme Court, articulated this uniqueness quite clearly. According to the Court in Jaffee v Redmond: "Treatment by a physician for physical ailments can often proceed successfully on the basis of a physical examination, objective information supplied by the patient, and the results of diagnostic tests. Effective psychotherapy, by contrast, depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment." 
If it is true that even the "mere possibility of disclosure" is detrimental to effective psychotherapy, what might we expect to be the impact on our services of the privacy risks in the developing digital age? Are we to understand that just when society is beginning to recognize the value of good mental healthcare and the importance of psychological health for good physical health, developments in technology will undercut psychology's potential contribution? Will Internet-related loss of privacy thwart successful psychological interventions in the future, or is this a manageable problem? Before any consideration of these questions occurs, however, it is important to understand that developing information technology has hardly been the only threat to privacy and confidentiality in healthcare. The very nature of the changing healthcare system and the growing emphasis on cost-containment over at least the last decade has continued to erode confidentiality. [slide 6] In particular, the growing consolidation and integration of the healthcare market has driven the demand for comprehensive and integrated record-keeping so that patient information is readily available throughout any integrated delivery system. This has an upside: If a patient receiving treatment in Washington DC, for example, subsequently seeks treatment in San Francisco, an integrated record-keeping system can help ensure that the patient's treatment is uninterrupted and follows appropriately from previous care. But the downside of such integration on privacy cannot be ignored. No longer can a patient's mental health records simply be locked securely away in the psychologist's office file cabinet for which only the psychologist has the key. Although breaches of confidentiality were not absent from the traditionally fragmented healthcare system, breaches were usually anomalous exceptions. When breaches did occur, it was also relatively easy to identify when and how. 
By contrast, in the current integrated-systems approach to healthcare, neither patient nor psychologist might even be aware that a breach has occurred. Specific breaches aside, treatment information that routinely passes through a health system's dozens of hands, and past dozens of eyes, including case managers, utilization reviewers and gatekeepers, is something less than private information. Another culprit which has been eroding confidentiality in recent years is the healthcare system's over-emphasis on the financial and cost side of care. Patient records and healthcare information now take on an unprecedented financial purpose. As a result, healthcare information is handled and disseminated differently when it is used for financial purposes than when it is used for clinical purposes. Not surprisingly, when patient information is used to justify continued payment or cost-effectiveness, the handling often lacks the sensitivity, care and consideration traditionally afforded the communication between patient and therapist when used exclusively for treatment purposes. To add insult to injury, not only has a market-driven managed care approach to healthcare eroded privacy and confidentiality, the approach has failed to solve the very cost problem it was intended to address. [slide 7] In fact, efforts over the last 10 years to decrease the cost of healthcare by decreasing utilization have, not surprisingly, resulted in a considerable increase in administrative costs. We are still spending more than 14% of our total economy on health, roughly the same as we were spending in the early 1990s when managed care started to get a foothold. And administrative costs are now two and a half times larger than those of any other national healthcare system. According to Standard & Poor's, "woes in the healthcare sector are everywhere as an unprecedented number of problems have come crashing down on the industry".
While there is growing certainty that managed care's days are numbered, much uncertainty remains about what will replace managed care. Enter technology. Shifting the focus of healthcare reform away from attempts to decrease utilization and cost of services and redirecting that focus towards attempts to reduce administrative activity and transaction costs seems a logical strategy. And it is here that the Internet's ability to facilitate transactional activities could prove useful. [slide 8] Jim Clark certainly believed this when he founded Healtheon with the expectation that he could take $400 billion of waste out of healthcare with the use of Internet technology to streamline the transactional aspects of the healthcare system. But what Clark did not realize, and perhaps Newt Gingrich said best, was that "…each of those (400 billion) dollars (of waste) was loved by somebody who did not want to give it up." The result has been that the promise of increased efficiency through technology has been slow to materialize. Yet, the rise of the Internet has created powerful new tools for automating administrative and financial processes in healthcare and health insurance. Some go so far as to say that a health system using new information technologies, such as an Internet-based "virtual healthcare exchange" or auction site which brings providers and patients together, will be the final nail in the managed care industry's coffin since there will be no need for "middleman" managers of healthcare services. [slide 9] One such Internet health enterprise, Vivius, is banking on this. Vivius (www.vivius.com) proposes to work with employers who choose a defined-contributions approach to health benefits, a new role for employer third party payers that some say will be part of the next major trend in health care.
A defined contributions approach is analogous to an employer-sponsored 401(k) retirement plan whereby employees are given a lump sum of money to purchase their own health benefits. Rather than relying on a health plan to package the care system or negotiate rates with providers, Vivius provides an employee with a customized Web page that enables the employee to create his or her own health network by choosing a physician, a psychologist or a hospital from a complete menu of providers. There is no claims management, and providers set their own capitated rate for individual subscribers. Consumers can compare the aggregated cost of the network they select with the employer-provided contribution to determine how much they will need to pay out-of-pocket each month. And care above a set maximum out-of-pocket amount is expected to be insured by a "wraparound," catastrophic type, indemnity insurance product. Yet, practical barriers to the easy adoption of new information technologies also exist. Skeptics insist that, contrary to the claims of its well-financed promoters, the Internet will not solve the administrative redundancies, economic inefficiencies or quality problems in our healthcare system. These problems are seen as the result of longstanding ingrained characteristics. [slide 10] These characteristics include first, economic, organizational, legal, regulatory and cultural conflicts rooted in a healthcare system grown from public and private financing. Second, these problems are the result of cultural expectations of unlimited access to unlimited healthcare resources; and third, the use of third-party payers who are rewarded for constraining those expectations of unlimited resources has created problems of its own. Some believe that the revolution of healthcare information access for consumers via the Internet will actually exacerbate the cost and utilization problems in the system, not solve them.
There is also skepticism that efficiency enhancing technology can succeed in the face of the insurance industry's resistance to increasing efficiency. [slide 11] According to one commentator: "In the language of the insurance business, the 'float' rules…… If the process of claims adjudication is haunted by a computing, contract and analytic nightmare, the nightmare is good business for health plans that make money sitting on money". Proponents of the use of information technologies to remedy the ills of the healthcare system acknowledge that benefits have been slow in coming. The full benefit of these developments, they believe, hinges partly on supportive public policy not yet completely developed. The absence of shared standards for data communication has long limited the ability to realize savings in transaction costs through the increased use of information technologies. It is hoped that once the regulatory standards promulgated to implement the Health Insurance Portability and Accountability Act of 1996 are in place, electronic data storage and dissemination will be more readily facilitated. [slide 12] You will recall this law, known as HIPAA and sponsored by Senators Kennedy and Kassebaum, as one that extended the portability of employer-paid health insurance, eliminated most pre-existing condition prohibitions in insurance plans, and created a demonstration project to test the effectiveness of Medical Savings Accounts. In addition, the Administrative Simplification provisions of HIPAA directed the Secretary of HHS to begin the process of adopting standards for electronically transmitting health information, adopting standards for securing the storage of that information and, in the absence of specific congressional action, adopting standards for protecting the privacy of the individuals to whom that information refers. 
When the rules are all in place, it is believed that the health industry will have a uniform set of standards for electronic data transmission that will increase efficiency in the healthcare system. The Preamble to the initial rule promulgated by HHS – "Standards for Electronic Transactions" – reflects the intent of HIPAA. [slide 13] It reads: "Electronic data interchange, or EDI, is the electronic transfer of information, such as electronic media health claims, in a standard format between trading partners. EDI allows entities within the healthcare system to exchange medical, billing, and other information and to process transactions in a manner which is fast and cost effective. With EDI there is a substantial reduction in handling and processing time compared to paper, and the risk of loss of paper documents is eliminated. EDI can eliminate the inefficiencies of handling paper documents, which will significantly reduce administrative burden, lower operating costs, and improve overall data quality." The rule's Preamble continues: "The health industry recognizes the benefits of EDI, and many entities in that industry have developed proprietary EDI formats. Currently, there are about 400 formats for electronic health claims being used in the United States. The lack of standardization makes it difficult and expensive to develop and maintain software. Moreover, the lack of standardization minimizes the ability of healthcare providers and health plans to achieve efficiency and savings." While standardized electronic transfer of information was key to the Administrative Simplification portion of HIPAA, Congress was also quite aware that for adoption of electronic transfer of health information to occur, increased privacy and confidentiality for that information is critical. [slide 14] According to HHS, "The electronic information revolution is transforming the recording of health information so that disclosure of information may require only a push of a button. 
In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time". In the HIPAA statute, Congress created a self-imposed deadline of August 21, 1999 to enact comprehensive health information privacy legislation. If Congress failed to act by this deadline, the statute required the Secretary of HHS to promulgate privacy regulations. As we now know, Congress did, indeed, fail to act and HHS promulgated a final privacy rule that became effective on April 14, 2001, with an expectation for compliance two years from that date. This two year delayed implementation period was intended to provide substantial time for professional associations, like the APA, to work with their members to assess the effects of the standards and to develop necessary policies, protocols and procedures to comply with the standards. Additionally, HHS expects to work with trade and professional associations to develop guidance and provide technical assistance to better enable members to understand and comply with the new standards. According to the Preamble to the privacy rule, "This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for healthcare providers, health plans, and healthcare clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve." 
[slide 15] The rule's Preamble specifically references mental health information as follows: "Moving beyond the facts of physical treatment, there is also significant intrusion when records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the 'right to be let alone' means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions…. The (Supreme) Court (in Jaffee v. Redmond) noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it 'serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. [slide 16] The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance!'" So, what privacy protections do our patients now have as a result of the HIPAA privacy rule? Before providing a glimpse into the rule, I am compelled to first offer you something easily, frequently and freely given by attorneys -- a disclaimer. The following comments about the privacy rule are not intended to be a legal opinion or an authoritative statement of all the requirements necessary for ensuring HIPAA compliance. Rather, my comments are intended to raise awareness, identify important issues and help begin a process leading toward HIPAA compliance. It is important to understand that the "learning curve" leading to HIPAA compliance will be a process extending over the next two years and beyond. [slide 17] This is so not only because of the rule's complexity but because there may actually be some changes to the rule by the Administration along the way, and there will certainly need to be a dialogue with officials at HHS as we work to apply the rule to the actual practices of psychologists.
Additionally, it will be important to understand how the requirements of this rule synch with the requirements of an earlier rule -- the transactions and the code set standards -- as well as with the security and electronic signature standards for which a final rule has not yet been promulgated. What does the privacy rule require? The rule, which covers all forms of health information, not just electronic, requires that healthcare providers obtain the patient or client's written consent prior to disclosure of health information for the routine uses of treatment, payment or healthcare operations. [slide 18] While this general form of consent is not much different from how consent has typically been secured prior to initiating treatment, its inclusion in the final rule was controversial, and, in fact, the proposed privacy rule did not include it. Opponents argued this consent requirement would not provide meaningful safeguards for patients, would increase healthcare costs and would interfere with pharmacy practices. Some consider the consent not "informed" consent since most patients will not know the contents of their record at this early stage of their treatment and will not really understand the extent of uses of their record, particularly those included in the definition of "healthcare operations"; this is a very broad category of activities ranging from quality assessment to utilization review to "business management and general administrative activities of the entity." During the rulemaking process, the American Psychological Association consistently took the position that while the activities included in healthcare operations should, indeed, be narrowed, we favored retention of this initial consent requirement in addition to further protection for mental health information, something I will speak to in a minute.
More to the point, while we acknowledge that a blanket consent as it has historically been practiced leaves something to be desired, we believe the remedy is to improve this initial consent process rather than eliminate it altogether. The rule also prohibits the disclosure of health information for purposes unrelated to healthcare, such as employment or non-health insurance matters, without explicit patient authorization. [slide 19] This authorization requirement, in contrast to the consent requirement, must contain a description of the information to be used or disclosed that identifies the information in a "specific and meaningful fashion." But from our vantage point, the real utility of the authorization requirement above and beyond initial consent is its mandated use for the disclosure of psychotherapy notes. That is, general consent alone is insufficient to enable disclosure of the notes related to the content of communications taking place during psychotherapy sessions. Rather, specific authorization is necessary for the release of what we in the profession have historically referred to as "process notes." Importantly, a covered entity, such as a managed care or insurance company, is prohibited from conditioning treatment, eligibility for benefits, or payment of claims on the patient's authorization to disclose the psychotherapy notes. In addition, patients are given the right to have adequate notice about how their records are to be used, the right to see their records (although not the psychotherapy notes per se) and a right to know to whom their records have been disclosed. State laws, such as stronger laws that address the privacy of mental health records, are specifically not preempted by the rule. States are, therefore, free to enact stronger privacy laws. While the new rule is good for psychologists and patients, it is not ideal. 
[slide 20] During the rule making process the Practice Directorate, through the work of Marilyn Richmond, Doug Walter and the rest of the Government Relations staff, persistently communicated to HHS our recommendations that state mental health privacy laws not be preempted, that the specific authorization process for psychotherapy notes be included and that patient consent be required for release of records for health plan administrative purposes. These recommendations were acknowledged and included in the final rule. Unfortunately, our recommendation for an expanded definition of "psychotherapy notes" was not included, thereby limiting the amount of information actually protected by the specific authorization requirement. [slide 21] As issued, the rule's definition of "psychotherapy notes" expressly excludes information pertaining to medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date. Any of this information can be disclosed based solely on the initial general consent, without the necessity of the more specific patient authorization. In our opinion, at least some of this information is as sensitive in the mental health treatment process as is the information currently included in the definition of "psychotherapy notes." In particular, the results of psychological testing, including the raw data, should be considered sensitive mental health information worthy of the increased privacy protection afforded psychotherapy notes. The Practice Directorate intends to continue whatever conversation necessary with HHS in hopes of improving the existing privacy rule this way. [slide 22] On balance, the privacy rule is a necessary and good step forward in helping to stop the erosion of privacy that has been occurring for some time now. 
And for our part as health professionals working to protect patient privacy and implement the rule, we will need to meet certain requirements established by the rule. While the Practice Directorate will be providing much more in-depth information about these requirements in the coming months, here is the "nut-shell" version of what the rule requires of psychologists and other health professionals:
The rule also requires:
As I also mentioned a few minutes ago, the Practice Directorate will be making available in the future much more information on the details of these various HIPAA requirements. Today, however, my purpose is to simply introduce you to the basics of HIPAA and create the context for discussion among our distinguished panelists and for discussion between our panelists and you. So to set the stage, let me return from ground level back to a 40,000 foot perspective. While the increased privacy protection of HIPAA is long overdue, the real question that remains is: Can we now comfortably conclude that the "mere possibility of disclosure", to use the words of the Supreme Court, will be eliminated in the digital age? Or will efforts to creatively use new information technologies to remedy the ills of a fragmented and inefficient healthcare system inadvertently undermine the delivery of services by causing people to refuse to participate in their own healthcare for fear that private information will become public? Or, closer to home, will the atmosphere of confidence and trust necessary for successful psychotherapy become a thing of the past? Those of you who participated in last year's Town Hall meeting may recall the paradoxes I spoke about being created by the developing Internet culture:
To these paradoxes I would now add: The potential for a technology-aided, efficient healthcare system, without managed care, at the risk of insufficient privacy to ensure successful psychotherapy. But I would remind us also that neither side of these paradoxes is a certainty. Our work is cut out for us to maximize the opportunities information technology provides while simultaneously mitigating its threats. We must be creative and flexible while maintaining our integrity in the face of continuing change and transition in both healthcare and technology. And as psychologists, whose very work depends on privacy, we have a special responsibility to not only work together but to take a leadership role in safeguarding privacy and confidentiality in the digital age.

References
Hyatt, M. (2001). Invasion of privacy: How to protect yourself in the digital age. Regnery Press: Washington, DC.