Presentation to The Fourth National HIPAA Summit April 26, 2002 Sharon King Donohue General Counsel National Committee for Quality Assurance

NCQA and HIPAA Proposed standards changes for 2003 Impact of the NPRM and quality assessment Certification of Business Associates NCQA’s model Business Associate Contract Points to mention: NCQA has a wide range of programs relevant to different parts and levels of the system. Core part of our mission is providing information. Much of the information we have is available free of charge on our Web site. We give more of it away free to the media so the HMO report cards you see are usually based on our data. As previously indicated, we build consensus. We believe that it is critical for our programs to reflect the input, needs, desires of all the affected parties. That means consumers, employers, providers, policy makers, health plans, etc. Achieving consensus among these groups is a hallmark of our work and the reason for our success.

Proposed Standards Changes for 2003 Consent and Notice: Removed requirements for MCOs to obtain routine consent For uses beyond TPO, authorization still required Must give notice of privacy practices (no signature required) Points to mention: NCQA has a wide range of programs relevant to different parts and levels of the system. Core part of our mission is providing information. Much of the information we have is available free of charge on our Web site. We give more of it away free to the media so the HMO report cards you see are usually based on our data. As previously indicated, we build consensus. We believe that it is critical for our programs to reflect the input, needs, desires of all the affected parties. That means consumers, employers, providers, policy makers, health plans, etc. Achieving consensus among these groups is a hallmark of our work and the reason for our success.

Proposed Standards Changes for 2003 Consent and Notice (continued): Requirement to disclose confidentiality policies via MCO’s Web site

Proposed Standards Changes for 2003 Member Rights: Right to access PHI, request restrictions on use, amend and request accounting of disclosures Include HIPAA protections before PHI can be shared with employers

Proposed Standards Changes for 2003 Confidentiality Process: Confidentiality committee no longer required (may be Chief Privacy Officer) Oversight of confidentiality policies Appeals process for confidentiality issues Process to review requests to use PHI We also look at many, many other things like human subjects research facilities, CVOs, etc.

Proposed Standards Changes for 2003 Contracting Requirements for Delegates: Similar to Business Associate contracting requirements Likely to be applicable July 2003 for new delegates All others likely to be applicable July 2004

Proposed Standards Changes for 2003 Contracting Requirements for Delegates (continued): If delegate arrangement includes use of PHI, contract must: identify permitted uses describe delegates safeguards to protect PHS from inappropriate use or disclosure stipulate that delegate will ensure that subdelegates have similar safeguards

Proposed Standards Changes for 2003 Contracting Requirements for Delegates (continued): require delegate to inform MCO if breaches occur provide for return, destruction or protection of PHI if delegation ends

The NPRM Unintended consequence of consent - restricting the flow of PHI needed for quality assessment and measurement (HEDIS®) Elimination of consent for TPO permits information to flow among Covered Entities in a way that is positive for quality assessment, measurement and improvement This is the IOM set of levels of the health care system that are important in quality It should be noted that in some situations- like solo physician practice-the “organization” and micro environment are one and the same- and in others, like Kaiser- there are several layers in the organization (national (Permanente Medical group, regional (Northern California Permanente), site (Oakland), department (internal medicine) in addition to the micro environment and individual physician-clinician.

The NPRM (continued) Explicit acknowledgement that Covered Entities can disclose PHI to other Covered Entities for quality assessment NCQA is commenting on the need for additional modifications to minimum necessary requirements Some elements of all three exist in most service sectors- in health care professionalism is a much more important force for accountability and quality than in many others- but all three are clearly present. It is critical to try to create a balance among the forces in health care- non of them alone are sufficient for creating accountability and driving quality If the market and professionalism are not sufficient-then regulation is usually imposed in its strongest form. In health care -this is the case in the nursing home sector where both professionalism and the market are relatively weak. In nursing home regulation include federal and state laws and regulations-evaluation (licensing-survey-certification and enforcement) all by government entities. Weakness of this approach is clear both in low level of quality achieved-and in conflict between government roles of purchaser-payer-evaluator and enforcer.

Certification of Business Associates NCQA is considering a program to certify business associates “Satisfactory safeguards” of privacy practices Includes security review and policies and procedures Possible launch early 2003

NCQA’s Business Associate Contracting NCQA is implementing HIPAA readiness initiatives Preparing model business associate contract language Field test — 7/02 - 10/02 Implement from 10/02 - 4/04