HHS, while developing national privacy policies for healthcare information technology, is barring the public from a series of key regional meetings that are part of a federal effort to survey state privacy laws, identify any state laws that are deemed to be "barriers" to a proposed national healthcare IT network and recommend any needed changes.
RTI International -- formerly the Research Triangle Institute -- a not-for-profit research organization based in Research Triangle Park, N.C., with participation by the Center for Best Practices, an arm of the National Governors Association, was awarded an $11.5 million contract in October 2005 by the Agency for Healthcare Research and Quality at HHS to evaluate variations in state privacy laws and practices. The Office of the National Coordinator for Health Information Technology at HHS also is participating in oversight of the RTI contract.
In May, HHS added $5.73 million in funding to broaden
the reach of the project, called the Health
Information Privacy and Security Collaboration, or HISPC, and to
bring the total value of the 19-month contract to $17.23 million.
According to RTI, the purpose of the contract is to: assess variations in organization-level business practices, policies and state laws that affect health
information exchange; identify and propose
practical solutions, while preserving the privacy and
security requirements in applicable federal and state
laws; and develop detailed plans to implement
Groups formed by the governors of 33 participating
states and Puerto Rico subcontracted with RTI and have been holding
state or territory meetings on privacy issues. According to RTI,
another phase of the process calls for participating states and Puerto Rico to send delegates to regional and
national meetings to identify common themes and note
areas both of consensus and disagreement. The 17
states not participating in the HISPC have been
invited to the regional meetings.
A series of 10 regional meetings began Oct. 23 in
Kansas City, according to an RTI schedule. A meeting
set for Friday in Indianapolis is for
HISPC-participating states of Indiana, Illinois,
Michigan, Kentucky and Ohio. Roland Gamache is
director of the state health data center at the
Indiana State Department of Health in Indianapolis and
the HISPC project lead and contact person in Indiana,
according to RTI's Web site. Linda Dimitropoulos, is project director, privacy and
security solutions, for RTI and the head of the HISPC
effort for the institute. In response to an e-mailed request for the time and
precise location of the Indianapolis meeting, Gamache
replied by e-mail that he was referring the request to
RTI, which he said was "hosting" the meeting.
Dimitropoulos acknowledged she'd received the request
for meeting information from Gamache and confirmed that
RTI was "hosting" the regional meetings for HISPC,
adding, "These are working meetings that are being
held by RTI and as such are not open to the
Calls and e-mails to AHRQ and ONCHIT, including ones to Robert
Kolodner, the new interim head of ONCHIT, asking why
the meetings would be closed prompted an e-mail
response from spokesman Raymond Sass with the Office
of the Assistant Secretary for Public Affairs, which
Sass asked to be attributed to another HHS
spokeswoman, Christina Pearson.
"This is a deliberative, working meeting of the
contractor and its subcontractors about work plans and
other logistical issues associated with the contract,"
the e-mail said. "Federal Advisory Committee Act (FACA)
rules do not require this meeting to be open to the
public, and the department believes this meeting is
being conducted in an appropriate fashion."
Language in H.R. 4157, a federal IT bill that passed
this summer but is locked in a conference committee
with the Senate, called for a similar study of state
privacy law differences as is currently being
conducted under HHS contract by RTI. Throughout most
of its legislative life, H.R. 4157 also called for
giving authority to Congress or the HHS secretary to
pre-empt any state privacy laws reported as barriers by
the study. The study provision remains in H.R. 4157
before the conference committee, but the pre-emption
language was stripped from the bill at the eleventh
hour before it passed the House on July 27.
The Health Insurance Portability and Accountability
Act created a uniform floor of privacy regulation
across all states, but added that states could enact
more stringent privacy provisions. Many states have
tighter privacy controls than HIPAA in the use of
healthcare information involving HIV/AIDS, mental
health and drug and alcohol treatment.
In an April interview, then outgoing ONCHIT head David
Brailer said there were two problems with the HIPAA
scheme that allowed state variability. State privacy
laws, he said, "didn't anticipate the digital era, and
they didn't anticipate portability."
Brailer said federal legislation pre-empting state
laws was not the only answer.
"The main thing that matters is, if states get
together and get consensus, Congress will follow; and
if they don't, the states will know what to do,"
Paul Feldman is deputy director of the Health Privacy
Project, a not-for-profit corporation
whose aim is to raise public awareness of health
privacy. Feldman also serves as co-chairman of the
confidentiality, privacy and security work group of the
American Health Information Community, a federal
advisory panel created last year by HHS Secretary
Feldman was not ready to criticize RTI's announced
intention to keep the public from the regional
meetings, but added generally that the more eyes focused on a problem the better.
"I'd have to see what the basis is for doing it,"
Feldman said, but, "it strikes me at first glance as
What do you think? Write us with your comments at
href="mailto:[email protected]">[email protected] om
href="mailto:[email protected]">[email protected]
om. Please include your name, title and