49195CC
1998
PATIENT CONFIDENTIALITY
HEARING
before the
SUBCOMMITTEE ON HEALTH
of the
COMMITTEE ON WAYS AND MEANS
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
FIRST SESSION
MARCH 24, 1998
Serial 105-23
Printed for the use of the Committee on Ways and Means
COMMITTEE ON WAYS AND MEANS
BILL ARCHER, Texas, Chairman
PHILIP M. CRANE, Illinois
BILL THOMAS, California
E. CLAY SHAW, Jr., Florida
NANCY L. JOHNSON, Connecticut
JIM BUNNING, Kentucky
AMO HOUGHTON, New York
WALLY HERGER, California
JIM McCRERY, Louisiana
DAVE CAMP, Michigan
JIM RAMSTAD, Minnesota
JIM NUSSLE, Iowa
SAM JOHNSON, Texas
JENNIFER DUNN, Washington
MAC COLLINS, Georgia
ROB PORTMAN, Ohio
PHILIP S. ENGLISH, Pennsylvania
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
WES WATKINS, Oklahoma
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
CHARLES B. RANGEL, New York
FORTNEY PETE STARK, California
ROBERT T. MATSUI, California
BARBARA B. KENNELLY, Connecticut
WILLIAM J. COYNE, Pennsylvania
SANDER M. LEVIN, Michigan
BENJAMIN L. CARDIN, Maryland
JIM McDERMOTT, Washington
GERALD D. KLECZKA, Wisconsin
JOHN LEWIS, Georgia
RICHARD E. NEAL, Massachusetts
MICHAEL R. McNULTY, New York
WILLIAM J. JEFFERSON, Louisiana
JOHN S. TANNER, Tennessee
XAVIER BECERRA, California
KAREN L. THURMAN, Florida
A.L. Singleton, Chief of Staff
Janice Mays, Minority Chief Counsel
Subcommittee on Health
BILL THOMAS, California, Chairman
NANCY L. JOHNSON, Connecticut
JIM McCRERY, Louisiana
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
PHILIP M. CRANE, Illinois
AMO HOUGHTON, New York
SAM JOHNSON, Texas
FORTNEY PETE STARK, California
BENJAMIN L. CARDIN, Maryland
GERALD D. KLECZKA, Wisconsin
JOHN LEWIS, Georgia
XAVIER BECERRA, California
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. The electronic version of the hearing record does not include materials which were not submitted in an electronic format. These materials are kept on file in the official Committee records.
C O N T E N T S
Advisory of March 17, 1998, announcing the hearing
WITNESSES
American Medical Management, Jim Sloane
Borowitz, Stephen M., M.D., University of Virginia Health Sciences Center
Goldman, Janlori, Georgetown University
MacGregor Medical Association, James Birge, M.D., and Jim Sloane, American Medical Management
Mayo Clinic, Sherine E. Gabriel, M.D.
Merck Research Laboratories, and Merck & Co., Inc., Harry A. Guess, M.D.
U.S. National Committee on Vital and Health Statistics, Don E. Detmer, M.D.
SUBMISSIONS FOR THE RECORD
American Association of Health Plans, statement
American Association of Occupational Health Nurses, statement
American College of Occupational and Environmental Medicine, Arlington Heights, IL, statement
American Hospital Association, statement
Avorn, Jerome L., M.D., and Elizabeth Andrews, International Society for Pharmacoepidemiology, letter and attachments
Frantz, Rita, National Pressure Ulcer Advisory Panel, Alexandria, VA, statement
Healthcare Leadership Council, statement
International Society for Pharmacoepidemiology, Jerome L. Avorn, M.D., and Elizabeth Andrews, letter and attachments
Medical Group Management Association, statement
National Breast Cancer Coalition, statement
National Pressure Ulcer Advisory Panel, Alexandria, VA, Rita Frantz, statement
Shays, Hon. Christopher, a Representative in Congress from the State of Connecticut, statement
PATIENT CONFIDENTIALITY
TUESDAY, MARCH 24, 1998
House of Representatives,
Committee on Ways and Means,
Subcommittee on Health,
Washington, DC.
The Subcommittee met, pursuant to call, at 10 a.m., in room 1100, Longworth House Office Building, Hon. Bill Thomas (Chairman of the Subcommittee) presiding.
[The advisory announcing the hearing follows:]
ADVISORY
FROM THE COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON HEALTH
CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE
March 17, 1998
No. HL-20
Thomas Announces Hearing on
Patient Confidentiality
Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of the Committee on Ways and Means, today announced that the Subcommittee will hold a hearing on patient confidentiality. The hearing will take place on Tuesday, March 24, 1998, in the main Committee hearing room, 1100 Longworth House Office Building, beginning at 10:00 a.m.
In view of the limited time available to hear witnesses, oral testimony at this hearing will be from invited witnesses only. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Committee and for inclusion in the printed record of the hearing.
BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services to submit to the Congress ''detailed recommendations with respect to the privacy of individually identifiable health information.'' In developing her recommendations, the Secretary was required to consult with the National Committee on Vital and Health Statistics and the Attorney General. The Secretary released her report on September 11, 1997, and Congress has until August 1999 to pass legislation to protect individual patient confidentiality. If the Congress does not enact legislation, HIPAA directs the Secretary to issue her own final enforceable regulations by February 2000.
Health care information is used for a variety of purposes including research, disease prevention, quality assurance, and outcomes measurements. In recent years, health care information has moved away from paper records to electronic records. This innovation provides tremendous opportunities for medical advances as well as new challenges for maintaining patient confidentiality. The Administration's recent announcement of a delay in the implementation of the HIPAA administrative simplification provisions underscores the complexity of maintaining confidentiality in an information age.
In announcing the hearing, Chairman Thomas stated: ''Our nation has a great history of leadership in medical advances and health care innovation. I have seen, first hand, examples of health care data being used to help in the discovery of new medical techniques and technologies. In addition, outcomes studies and consumer information based on up-to-date health care data can make our nation's health care system better, services more readily available, and care more affordable. However, it is essential that patient confidentiality concerns are addressed while maintaining access to data to promote better health.''
FOCUS OF THE HEARING:
The hearing will focus on patient confidentiality from the perspective of the health care consumers, physicians, providers, and researchers.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Any person or organization wishing to submit a written statement for the printed record of the hearing should submit at least six (6) single-space legal-size copies of their statement, along with an IBM compatible 3.5-inch diskette in ASCII DOS Text or WordPerfect 5.1 format only, with their name, address, and hearing date noted on a label, by the close of business, Tuesday, April 7, 1998, to A.L. Singleton, Chief of Staff, Committee on Ways and Means, U.S. House of Representatives, 1102 Longworth House Office Building, Washington, D.C. 20515. If those filing written statements wish to have their statements distributed to the press and interested public at the hearing, they may deliver 200 additional copies for this purpose to the Subcommittee on Health office, room 1136 Longworth House Office Building, at least one hour before the hearing begins.
FORMATTING REQUIREMENTS:
Each statement presented for printing to the Committee by a witness, any written statement or exhibit submitted for the printed record or any written comments in response to a request for written comments must conform to the guidelines listed below. Any statement or exhibit not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee.
1. All statements and any accompanying exhibits for printing must be typed in single space on legal-size paper and may not exceed a total of 10 pages including attachments. At the same time written statements are submitted to the Committee, witnesses are now requested to submit their statements on an IBM compatible 3.5-inch diskette in ASCII DOS Text or WordPerfect 5.1 format. Witnesses are advised that the Committee will rely on electronic submissions for printing the official hearing record.
2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee.
3. A witness appearing at a public hearing, or submitting a statement for the record of a public hearing, or submitting written comments in response to a published request for comments by the Committee, must include on his statement or submission a list of all clients, persons, or organizations on whose behalf the witness appears.
4. A supplemental sheet must accompany each statement listing the name, full address, a telephone number where the witness or the designated representative may be reached and a topical outline or summary of the comments and recommendations in the full statement. This supplemental sheet will not be included in the printed record.
The above restrictions and limitations apply only to material being submitted for printing. Statements and exhibits or supplementary material submitted solely for distribution to the Members, the press and the public during the course of a public hearing may be submitted in other forms.
Note: All Committee advisories and news releases are available on the World Wide Web at 'HTTP://WWW.HOUSE.GOV/WAYS_MEANS/'.
The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.
Chairman THOMAS. The Subcommittee will come to order.
Each day, millions of Americans receive medical treatment. Increasingly, patients receive their care from a multifaceted system of health care entities and professionals. As our health care system has evolved from a solo practitioner to complex integrated health systems and everything in between, so has the challenge of ensuring that patients' private information is not improperly disclosed and used for inappropriate purposes.
National attention regarding the confidentiality of patient information was heightened with the passage of the Health Insurance Portability and Accountability Act of 1996. This act required the Secretary of Health and Human Services to consult with the National Committee on Vital and Health Statistics and the Attorney General and to report to the Congress her ''detailed recommendations with respect to the privacy of individually identifiable health information.'' The Secretary released a report on September 11, 1997. Congress now has until August 1999 to pass legislation to protect that individual patient confidentiality. Without legislation, the law says the Secretary will write her own regulations.
Today this Subcommittee begins its exploration of this important topic. We will hear from experts representing various parts of the health care system who will share with us their views regarding the confidentiality of patient information. In reading their testimony, it was clear to me we are dealing with a very important but very delicate issue. If the Congress errs on the side of overprotection, we could stifle medical innovation and research which would adversely impact public health. Likewise, if we fail to provide the American public with adequate reassurance that their individually identifiable information is protected, some may avoid, delay, or carry out protective behavioral patterns dealing with necessary treatments.
Time is critical, not just because the Secretary will issue her own regulations in August 1999 if Congress does not act, but as we will hear on one of our panels today, if Congress does not act, States are already acting. And we run the chance, if we do not provide at least guidance if not some uniformity, of a crazy quilt pattern confronting us in which no one's wishes are granted, and that is a very real possibility.
[The opening statement follows:]
Opening Statement of Chairman Bill Thomas
Each day, millions of Americans receive medical treatment. Increasingly, patients receive their care from a multi-faceted system of health care entities and professionals. As our health care system has evolved--from the solo practitioner to complex integrated health systems--so has the challenge of ensuring that patients' private information is not improperly disclosed and used for inappropriate purposes.
National attention regarding the confidentiality of patient information was heightened with the passage of the Health Insurance Portability and Accountability Act of 1996. This Act required the Secretary of Health and Human Services to consult with the National Committee on Vital and Health Statistics and the Attorney General and to report to the Congress her ''detailed recommendations with respect to the privacy of individually identifiable health information.'' The Secretary released her report on September 11, 1997. The Congress now has until August 1999 to pass legislation to protect individual patient confidentiality. Without legislation, the Secretary will write her own regulations.
Today, this Subcommittee begins its exploration of this important topic. We will hear from several experts, representing various parts of the health care system, who will share with us their views regarding the confidentiality of patient information. In reading their testimony, it was clear to me that we are dealing with a very delicate issue. If the Congress errs on the side of over-protection, we could stifle medical innovation and research which would adversely impact public health. Likewise, if we fail to provide the American public with adequate reassurance that their individually identifiable information is protected, some may avoid or delay necessary treatments.
I look forward to hearing from our first witness, Dr. Don Detmer, Chair of the National Committee on Vital and Health Statistics.
Chairman THOMAS. I look forward to hearing from all of our witnesses, but our first witness, Dr. Don Detmer, is the chair of the National Committee on Vital and Health Statistics. And Dr. Detmer, before I recognize you, I would ask my colleague from Wisconsin if he has any opening statement. Or if he has a written statement from the Ranking Member, I would make that a part of the record. But I would recognize the gentleman from Wisconsin.
Mr. KLECZKA. Mr. Chairman, I do not know if Mr. Stark has an opening statement, but if he does, I would ask that that be included. I would also like to introduce into the record a statement from myself on this timely issue.
I want to acknowledge the Chairman's interest in the subject matter, although when he talks about overprotection, I don't think we are anywhere near that problem when it comes to a patient's records. In fact, just a short time ago in the local papers, I think two or three local drugstores were involved in selling their patient lists to drug companies. In response to that, consumers received mailings from drug companies.
I think privacy concerns are something we should be taking more seriously in this Congress, not only as it deals with the Internet and Social Security numbers, but now we have seen in the most recent past a series of drugstores selling their patient lists. I think Congress should not sit idly by while all this continues to happen. I think we should be proactive and err on the side of the consumer.
Thank you, Mr. Chairman.
[The opening statement follows:]
Opening Statement of Congressman Jerry Kleczka
I am pleased Chairwoman Thomas has called this hearing on medical privacy today. This public debate will draw attention to one of the most important issues facing the subcommittee and American public: guaranteeing the privacy of all Americans' personal and medical information. This guarantee is particularly important given the rapid technological advances and awe-inspiring medical discoveries being made every day.
I was appalled, as I am sure many of my colleagues were, to read in recent Washington Post articles about drugstores selling confidential patient prescription information to outside companies for marketing purposes. While the companies in question quickly changed their practices when consumers expressed outrage at these revelations, the practice of selling prescription information to third parties continues to go on throughout the nation.
Imagine simply going to the local drug store to fill a prescription, and, without your permission, the pharmacist behind the counter transmits your medical and prescription information to a direct marketing firm. Certainly, innocent consumers filling prescriptions should have at the very least an expectation of privacy. Sending confidential prescription information to a marketing company that has absolutely no medical expertise or purpose for receiving that information other than to profit from it raises serious ethical questions. I believe legitimate checks can and should be placed on this type of practice.
Too many Americans operate under the assumption that their private medical records are just that, private. However, in today's computer age where personal information can be transmitted across the country quite literally at a push of a button, threats to the privacy of individuals' medical records have never been greater. While this technological innovation has provided opportunities for and led to important medical advances, it has come with price--the price of sacrificing one's personal privacy and security.
There are, of course, appropriate uses for electronically transmitting medical information. For example, managed care networks, insurers, medical researchers, or benefits managers arguably have legitimate needs for quick and easy access to medical records. However, the idea that potentially thousands of individuals could gain access to this electronic data--something so sacred and private as a diagnosis of mental illness or terminal illness, for example--gives me pause. I find it even more troubling that this private information can and is electronically transmitted for absolutely no legitimate medical purpose. Transmitting this information to a third-party solely to improve the profit margins of a pharmaceutical company is simply unconscionable.
The Health Insurance Portability and Accountability Act of 1996 required the Secretary of Health and Human Services to submit detailed recommendations with respect to the privacy of individual's health information. The Secretary released her report this past September and we in Congress have until August 1999 to pass legislation protecting patient confidentiality. My hope is that as we prepare this legislation Congress will not only reflect back on the testimony heard today, but also on the missteps and breaches of confidentiality that have occurred in the past and place strong protections for the future.
Chairman THOMAS. I thank the gentleman. Our goal is not to err on either side but to pass informed legislation. Our goal is not to legislate by anecdote but be informed legislators. That is the purpose of this hearing.
And with that, I recognize Dr. Detmer and tell him that the written statement he has will be made a part of the written record, without objection, and you can address us in any way you see fit in the time you have available.
Dr. DETMER. Thank you very much, Mr. Chairman. Good morning.
Chairman THOMAS. I will tell you in advance these microphones are unidirectional and you have to speak directly into them and relatively close.
STATEMENT OF DON E. DETMER, M.D., CHAIRMAN, U.S. NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Dr. DETMER. I appreciate the opportunity to appear before the Subcommittee on this extraordinarily important legislative issue. Privacy, confidentiality, and security of individual health information touches the lives of all Americans in a very personal way, and your actions will influence the future course of health care and the future of medicine itself.
I am a university professor and senior vice president at the University of Virginia and a practicing surgeon. I am here today in my role as chair of the National Committee on Vital and Health Statistics. As you are aware, the committee is a nearly 50-year-old statutory public advisory body to the Secretary of Health and Human Services on health data privacy and health information policy. Its 18 members include four practicing physicians.
Through the mandates of the 1996 Health Insurance Portability and Accountability Act, the committee's responsibilities were broadened to encompass health statistics, privacy, and computer-based clinical records for both the public and private sector. Last June the committee provided its initial recommendations to the Secretary and she, in turn, submitted her detailed recommendations to Congress last September.
All in all, the committee held over 20 days, full days, of public hearings and heard from more than 200 witnesses who discussed data standards, privacy, and security issues. The hearings included representatives from across the entire spectrum of the health community. This extensive public consultation was immensely helpful to us as we formulated our recommendations to Secretary Shalala, and we continue to hold hearings to further refine our advice.
Our hearings showed strong and widespread support for Federal health privacy legislation. At the same time, it is clear our society has not yet reached a consensus about the definition and boundaries of privacy in an information age. The committee has concluded that our Nation faces a privacy crisis today, and legislation is urgently needed to address two policy deficiencies.
First, we lack solid Federal legislation on fair information practices for personal health information. Second, we lack sufficient antidiscrimination statutes to keep personal health information from being used against citizens in areas such as employment and insurability. With the fast pace of progress in medicine and technology, this further complicates an already complex situation.
With the exception of one abstention, all the recommendations from the Committee were unanimous. What does the committee wish to see in this legislation?
We want a law that requires creators and users of identifiable health information to ensure a full range of fair information practices, including the patient's right of access to his or her records, the right to seek amendment of records, and the right to be informed about users and uses of health information.
We seek reasonable restrictions and conditions on access to and use of personally identifiable health information that maintains protections for the information as it passes into the hands of secondary and tertiary users, so that there are no loopholes that allow information to escape appropriate controls.
We seek adequate security for health data, no matter what media are used to create, transmit, or store data. That is, we wish the protections to apply to the data itself and not to whatever medium or technology is used.
We want those who create and use personally specific health information to accept accountability for actions that affect privacy interests of patients. We support sanctions when restrictions are violated.
We wish to promote the use of nonidentifiable, coded, or encrypted information when a function can be fully and substantially accomplished without more specific identifiers.
The committee strongly supports the use of health records for all forms of legitimate health research without a case-by-case patient consent for access to such data, subject to independent review of research protocols and other procedural protections for patients.
The committee also strongly supports the use of health records for public health purposes, subject to substantive and procedural barriers commensurate with the importance of public health function.
The committee believes patients need strong substantive and procedural protections if their records are to be disclosed to law enforcement officials.
The committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The committee also strongly believes when identifiable health information is made available for nonhealth uses, patients deserve a strong assurance that the data will not be used to harm them.
We urge the Congress to pass such legislation during this session, since we do not believe the HIPAA privacy regulatory authority is an adequate alternative to legislation.
Clearly, with the continued development of computer-based patient health records, it would be best to integrate the appropriate security and policy procedures into the emerging architecture of such systems, and this will require action now rather than later since these systems are being built as I speak to you. Action now should allow us to avoid a variant of the ''year 2000'' problem in this age of computers.
The committee recognizes drafting and passage of the health privacy law will not be easy. Health privacy legislation presents hard choices and difficult tradeoffs. Health records are primarily used for the treatment of patients, to improve the quality of care, reduce the cost of health care, expand the availability of health care, protect the public health, and assure public accountability of the health care system. Privacy competes with all of these objectives, and it will not be easy to strike a widely accepted balance between privacy and these other worthy goals. The new legislation must reflect the current structure and legislative framework for health care and allow for continued progress in health care.
In summary, two sets of legislation are needed. The first involves the relationship between privacy as defined by principles of fair information practices; and the second relates to concerns about discrimination based on health status or conditions. The antidiscrimination provisions of HIPAA need to be expanded to cover all aspects.
Whether or not general privacy concerns and discrimination concerns should be addressed together in the same piece of legislation, you can best decide. An already complex health privacy accountability bill may not be the best place to sort out responses to the important discrimination problems.
The National Committee on Vital and Health Statistics calls on everyone to work together in good faith. Everyone should benefit from a well-crafted set of fair information practices for health information. Patients will have new rights and greater protections for sensitive information. Critically important, trust in the provider-patient relationship will be preserved. Providers and insurers will have clearer rules and responsibilities. Secondary users will know when they can and cannot have information and what their obligations and penalties are if these obligations are ignored.
The committee is pleased to provide a public forum for continued advice on these issues, and we look forward to working with you and others to achieve a comprehensive and balanced public privacy health information law.
Thank you, Mr. Chairman. I would be happy to answer questions.
[The prepared statement follows:]
Statement of Don E. Detmer, M.D., Chairman, U.S. National Committee on Vital and Health Statistics
Introduction
Thank you, Mr. Chairman. It is a pleasure to appear before the Committee today to discuss health information privacy, confidentiality, and security issues. I am currently University Professor and Senior Vice President at the University of Virginia and a practicing surgeon. I appear before you today in my role as chair of the National Committee on Vital and Health Statistics (NCVHS). The NCVHS is the statutory public advisory body to the Secretary of Health and Human Services on health data, privacy and national health information policy.
The NCVHS has a distinguished, nearly fifty year history of providing the government with broad based advice on health data issues, including data needed to assure the quality of care, meet public health needs as well as data needs for other purposes. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) assigned the committee new responsibilities for health information policy development on data standards, privacy, and computer-based clinical records for both the public and private sectors.
The Committee is made up of 18 members, sixteen appointed by the HHS Secretary, one appointed by the Speaker of the House and one appointed by the President pro tempore of the Senate. Members are appointed from among individuals who have distinguished themselves in a variety of fields ranging from privacy and security of health information to the provision of health services and population-based public health. Four of the current members are practicing physicians.
As a result of the passage of HIPAA, the nation has the potential to achieve major improvements in the quality and effectiveness of health care and the efficiency of the health sector through improved information technology. And the law provides this opportunity in a national framework that protects the privacy and security of health information. The primary focus of the law is on private health insurance reform. However, the provisions on Administrative Simplification outline a new national framework for health data standards, security and health information privacy in the U.S.
Today, I will focus on the health information privacy provisions of HIPAA, and especially on the NCVHS's recommendations to HHS relating to health information privacy. HIPAA required that the Secretary of Health and Human Services submit ''detailed recommendations'' to the Congress ''with respect to the privacy of individually identifiable health information.'' In preparing her recommendations, the Secretary was directed to consult with the National Committee on Vital and Health Statistics. Last June, the NCVHS provided our initial recommendations on privacy, confidentiality, and security to Secretary Shalala. She, in turn, submitted her detailed recommendations to Congress last September.
Our full report is available on the NCVHS website: http://aspe.os.dhhs.gov/ncvhs, and the Secretary's privacy recommendations are available on the HHS administrative simplification website: http://aspe.os.dhhs.gov.admnsimp.
NCVHS Health Information Privacy Recommendations
As a basis for our privacy recommendations, the NCVHS held six full days of public hearings last year during which we heard from over 40 witnesses. All in all, we held over 20 full days of public hearings and heard from more than 200 witnesses who discussed data standards, privacy and security issues. The hearings included representatives from across the entire spectrum of the health community, including the privacy community, research, public health, quality assurance, insurance, managed care, law enforcement and oversight, providers, claims processors, the drug industry, federal agencies and consumer interest groups. This public consultation was immensely helpful to us as we formulated our recommendations to Secretary Shalala.
First of all, our hearings showed strong and widespread support for federal health privacy legislation. And with the exception of one abstention, all recommendations of the committee were unanimous. The committee had difficulty with the definition of privacy as it relates to the confidentiality and security of person-specific health information. It chose to use the word ''privacy'' in its report mainly since the word has been the major term used in public discussion of this topic. The culture has yet to reach a consensus on what privacy should mean in contemporary society.
Be that as it may, the committee concluded that the United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate in the future.
We also concluded that the importance of trust in the provider-patient relationship must be preserved. Patients must feel comfortable in communicating sensitive personal information. Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to develop. Failure to address health data privacy concerns can undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner.
The greater the delay in imposing meaningful controls on inappropriate use and disclosure of identifiable health information, the more difficult it may be to generate enthusiasm for instituting necessary restrictions on use and disclosure, or change the way that information is acquired, maintained, and used. Clearly, with the continued development of computer-based patient record systems, it would be best to integrate the appropriate security and policy procedures into the emerging architecture of such systems.
The NCVHS recommended that the Secretary and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients. Any realistic proposal must properly balance the important and well-established interests of patients in the protection of their health information and the legitimate needs of the health care system to provide and pay for health care in an efficient, effective and fair manner while supporting the responsible use of health records for public health and health research, and other legitimate social purposes.
The Health Insurance Portability and Accountability Act provides that if the Congress does not pass privacy legislation by August 1999, then the Secretary of HHS is authorized to issue regulations containing standards for the privacy of electronic administrative and financial transactions. However, the Committee found a clear and strong preference for a comprehensive legislative solution, rather than addressing health privacy through the regulatory process alone.
It is difficult to address health privacy requirements in a piecemeal fashion. Rules that only cover electronic health care transactions but not paper-based transactions or other types of health records could prove very difficult to develop or administer. Further, the committee firmly believes that policy on data confidentiality and security should not be contingent upon the form, medium, or technology used to record or work with health data, e.g., paper, fax, or an electronic medium.
Consequently, the NCVHS strongly recommends that the Congress enact a health privacy law before it adjourns this fall. Leaders in both House and Senate should publicly endorse the need for strong and effective privacy legislation that provides meaningful protections to patients. Congressional leaders should ask relevant legislative committees to agree to a timetable for action. The Congress should not treat the existence of the regulatory authority as an adequate alternative to legislation.
The Committee calls for a law that requires creators and users of identifiable health information to
ensure a full range of fair information practices, including a patient's right of access to records, right to seek amendment of records, and right to be informed about uses of health information;
accept reasonable restrictions and conditions on access to and use of identifiable health information;
maintain protections for health information as it passes into the hands of secondary and tertiary users so that there are no loopholes that allow health information to escape from privacy controls;
provide adequate security for health data no matter what media are used to create, transmit, or store data;
accept accountability for actions that affect the privacy interests of patients;
promote the use of non-identifiable, coded, or encrypted information when a function can be fully or substantially accomplished without more specific identifiers.
The law must also impose restrictions on disclosure and use of the information and impose sanctions for violations.
The Committee strongly supports the use of health records for health research without a case by case patient consent for access to such data, subject to independent review of research protocols and other procedural protections for patients.
The Committee also strongly supports the use of health records for public health purposes, subject to substantive and procedural barriers commensurate with the importance of the public health functions.
The Committee believes that patients need strong substantive and procedural protections if their health records are to be disclosed to law enforcement officials.
The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also strongly believes that when identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.
The Committee recognizes that the drafting and passage of a health privacy law will not be easy. Health privacy legislation presents hard choices and difficult tradeoffs. Health records are primarily used for the treatment of patients and to improve the quality of health care, reduce the costs of health care, expand the availability of health care, protect the public health, and assure public accountability of the health care system. Privacy competes with all of these objectives, and it will not be easy to strike a widely accepted balance between privacy and these other worthy goals. As mentioned earlier, the task is not made any easier by the lack of agreement about what privacy even means in contemporary American society.
In our hearings, users of health information uniformly expressed strong support for privacy legislation. However, most users also asked that no, or at most few, new restrictions be placed on their ability to collect, use, and disclose health information. The Committee believes that it is unfair and unreasonable for any health data user to expect that health privacy legislation will not require some change in policy and practice. Everyone, patients and record keepers alike, will benefit from health privacy legislation, and everyone is likely to pay some price for the legislation.
At the same time, the Committee recognizes that privacy legislation must take into account the complexity and the needs of the current health care delivery and payment system. New legislation must reflect the current structure and legislative framework for health care. Changes can and must be made, but no one can expect that the health care system will be restructured solely in the interests of privacy and without regard to cost. Indeed, achieving cost savings from administrative simplification was a key driver behind the Health Insurance Portability and Accountability Act of 1996. The Committee has no doubt that a privacy bill can be passed that balances the interests of patients with the needs of the health care system.
The Committee also recognizes that passing legislation will not end either the debate or the struggle to accomplish desired improvements. Once a law passes, record keepers will have to change to accommodate the new rules, federal and state agencies will have to oversee implementation of the new law, and the Congress may be called upon to refine the law in the future. International data protection standards are being developed, and the United States needs to be a full partner in this effort.
Special Issues
Let me now turn to several additional issues that we heard about in our hearings.
Need for Anti-Discrimination Law
One issue that arose from time to time during the hearings was the relationship between privacy (as defined by principles of fair information practices) and discrimination. Clearly some motivation for protecting health information is to prevent the discriminatory use of the information both inside and outside the health care setting. Patients receiving care for some health conditions or who have been the subject of genetic testing have been and continue to be the subject of discrimination in employment, insurance, and elsewhere. Several current bills address the possible discriminatory use of genetic information.
Discrimination based on health status and condition remains a major and important concern, and it deserves a legislative solution. Whether or not general privacy concerns and discrimination concerns should be addressed together in the same piece of legislation, you can best decide. However, an already complex health privacy and confidentiality bill may not be the best place to sort out responses to equally complex discrimination problems. The Committee suggests that privacy and discrimination issues both deserve explicit legislative treatment. The Committee urges the Congress to consider legislation expanding the anti-discrimination provisions of HIPAA to cover all aspects of discrimination based on health status and condition.
Preemption
Perhaps the most difficult conflict identified during our hearings is over preemption of state laws. Among large segments of the health industry, a major benefit to federal legislation is a high degree of regulatory uniformity throughout the country. The interstate nature of health care treatment and payment activities is readily apparent. By one estimate, approximately half of the U.S. population lives near the border of another state. To have a patient work in the District of Columbia, reside in Maryland, and receive care in Virginia creates a nightmare for the health care system to track unless substantial uniformity of policies and procedures exists. It will be difficult for many involved in electronic transfers of health data to accept any proposal that does not offer significant relief from the prospect of 50 different state laws establishing separate rules.
On the other hand, it would be difficult for many patient groups, privacy advocates and perhaps some provider groups to accept any proposal that does not allow states to adopt stronger privacy protections as specified in the HIPAA. People disagree whether existing state laws offer greater protection than most of the current federal proposals. There is strong support in some communities for a solid federal confidentiality standard that allows states to erect stronger privacy barriers. This was the approach that Secretary Shalala recommended last September.
The Committee suggests, however, that this issue need not be treated as a single problem with a single solution. The conflicts need to be broken down into components, and each component analyzed separately. In some areas, the case for federal preemption may be strong. For example, it may be unnecessarily complex to support 50 different patient access procedures. On the other hand, the need to recognize the diversity of state public health laws is already clearly reflected in most proposals. No one has suggested or is likely to support a uniform federal public health law. A narrower and careful analysis of preemption may help to minimize the admittedly strong conflicts here and may point to more effective resolutions. However, if sufficient national conformity is not achieved, both national and international objectives cannot be met.
The Committee stands willing to respond to such remaining issues in new legislation if and as the Congress desires.
Unique Health Identifier for Individuals
Because of privacy concerns, the NCVHS has recommended that HHS not adopt a standard for unique identifier for individuals as called for in HIPAA until privacy legislation is enacted. The NCVHS stated that ''...it would be unwise and premature to proceed to select and implement such an identifier in the absence of legislation to assure the confidentiality of individually identifiable health information and to preserve an individual's right to privacy.''
The NCVHS outlined three sets of concerns. First, we noted that the selection of a unique health identifier for individuals will become the focus of tremendous public attention and interest, far beyond that afforded to other health privacy decisions. No choice, the Committee concluded, should be made without more public notice, hearings and comment.
Second, we concluded that, until a new federal law adequately protects the confidentiality of the health record, it is not possible to make a sufficiently informed choice about an identification number or procedure. The degree of formal legal protection in such a law will have a major influence on both the decision itself and the public acceptance of that decision. Indeed, we would hope that passage of a comprehensive health privacy law would make the choice of an identifier easier, e.g., less threatening.
Finally, the NCVHS stated that a unique health identifier could not be protected from misuses under current law, notwithstanding the criminal penalties for wrongful disclosure enacted in HIPAA.
At the same time, the Committee feels an obligation to address the law and provide advice on this controversial matter. Accordingly, we are planning to hold several public hearings around the country to gather information and explore the issue further. This will be done in conjunction with the planned publication by HHS of a Notice of Intent to gather descriptive and evaluative information on unique identifiers for use in the health system on a systematic basis, including current practices, before developing any further recommendations. Lack of unanimity from the committee on this topic may occur, reflecting the difficult nature of the problem.
Computer Technology
Testimony received by the Committee showed that computers are perceived differently by different individuals and groups. Some view them as major threats to patient privacy and others as tools for offering far greater protection of personal health data than is achievable with paper records. In terms of limiting release to selected information, computer-based data offers the greatest potential to avoid revealing patient identifiers. Others see computerized repositories of health data as magnets for hackers and other abusers and presume huge health data repositories are forthcoming. Testimony suggested that the real threats to computerized information, as with paper records, come from insiders and not from hackers. Unfortunately, this debate is hampered by a lack of sufficient, good health services research on the frequency and seriousness of problems in this area. Anecdotal information abounds with legitimate questions remaining as to its validity and representativeness.
Some have suggested that the patient authorization process should be expanded and that patients should be asked or permitted to make decisions about whether their information may or may not be computerized. The Committee is not sympathetic to the notion that patients should have a choice in the technology used to create, store and transmit health information. This is not a choice that record subjects have for records maintained by other third party record keepers such as banks and employers. Requiring health record keepers, who are spending vast sums on computerization, to retain parallel paper systems is impractical and costly. It would deny the benefits and savings that the Congress has already determined will result from increased use of modern information technology.
Computers are an inevitable part of modern health care and indeed are intrinsic to the actual delivery of hospital care today. In addition, computer technology can provide strengthened confidentiality protections for personal health information. We should move on to debate the proper protections for records in a computerized environment. One response would be increased criminal and civil penalties for misuse of computerized health records. These penalties should apply to both inside and outside abusers of health data.
Law Enforcement
Testimony revealed sharp differences over the standards and procedures that should govern law enforcement access to health records. The law enforcement community contends that its track record accessing health records is a good one and that its access authority is not abused. Some health care providers and privacy advocates, however, seek to establish higher standards that would require law enforcement requests for records to obtain court orders, to provide patient notice, and to expressly justify each access to records.
Several privacy proposals would prevent use of health records against the record subject if an investigation of a provider brought to light criminal activity by the patient other than health care fraud.
This is the one major area where the NCVHS respectfully differs from Secretary Shalala's recommendations. She recommended no changes to existing laws relating to law enforcement access to personal health information. Striking a balance between the needs of law enforcement and the privacy interests of patients is difficult but a crucial piece of this entire puzzle.
The Committee believes that patients need strong substantive and procedural protections if their health records are to be disclosed to law enforcement officials. Investigators should be required to justify the need for patient identifiers and to remove identifiers at the earliest possible opportunity. Other HIPAA provisions restrict the use of health information against the subject of the record unless the investigation arises out of and is directly related to health care fraud. If law enforcement wants to use the record in another way, it must first obtain a court order. That is one procedural barrier that is also included in several current privacy legislative proposals. Other proposals go further by requiring notice to the patient in some cases.
Conclusion
The NCVHS calls on everyone to work together in good faith. It is crucial that the Congress pass a balanced law as quickly as possible. Each year, health information becomes available for new uses, often without any legal, administrative, or policy barriers. Unless legislation passes soon, the risks to both patients and record keepers grow.
Everyone should benefit from a well-crafted set of fair information practices for health information. Patients will have new rights and greater protections for sensitive information. Providers and insurers will have clearer responsibilities and rules. Secondary users will know when they can have health information, when they cannot, what their obligations are, and what penalties will result if these obligations are ignored. None of these benefits will be achieved unless everyone approaches the legislative process with a spirit of compromise.
The NCVHS is pleased to provide a public forum for deliberation and advice on these issues, and we look forward to working with HHS, the Executive Branch and the Congress on a comprehensive and balanced health information privacy law.
Thank you, Mr. Chairman. I would be happy to answer any questions.
Chairman THOMAS. Thank you very much, Doctor. I guess the easiest way to start would be to indicate that in your testimony you said that Congress should not treat the existence of the regulatory authority as an adequate alternative to legislation.
Would you expand on that? Do you have any particular concerns about the Department of Health and Human Services' ability to promulgate such regulations? Or is it just too important to leave up to an agency, and Congress' responsibility ought to be to grapple with this question? What is it that worries you about letting the process go the way the legislation is structured?
Dr. DETMER. The key limitation of the process is that the law, as written, covers electronic and computer-based information and not paper and other forms, and that is the principal concern. So, essentially, the legislation really has a more limited scope.
The committee also feels the legislation dealing with this more broadly can generally craft a better response.
Chairman THOMAS. I have been impressed with the learning curve of a number of individuals who have been almost outspoken, I guess, advocates for privacy, and their understanding of that. Electronic data can, if done properly, be even better protected than paper records.
Do you believe there is any role currently or in the near future for a rather directed movement toward electronic rather than the keeping of paper records; either carrots or sticks of some sort to move more rapidly into electronic recordkeeping?
Dr. DETMER. Yes. First, I would echo your initial comment, but very strong differences of opinion exist about this issue. Those of us who have actually worked in both the paper era as well as, or have a professional interest in the electronic approach, feel that actually there are a number of advantages to computer-based records. You can encrypt it, you can extract solely the information you are interested in and move it along, otherwise keeping the rest of the record behind. You also have audit trails that can be helpful.
The point is that with the complexity of health care moving the way it is in terms of the technology, the care itself, the medical information and such, I think the only way we will have high quality, cost-effective care is with computer-based record systems. And, as a country, we have not done what we could do to move this technology forward.
A key requirement for progress in this technology relates to what we are here today for: privacy legislation is an absolutely essential foundation brick needed if we are to see the real benefits of this technology develop.
[The following was subsequently received:]
In its administrative simplification requirements, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191, Aug. 21, 1996) calls for uniform standards for electronic transactions in health administration precisely because separate standards developed at other than the national level are not workable.
The Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996 (September 11, 1997), noted that
[t]here is continuing movement toward a computer-based patient medical record, with national standards for content and format, and the possibility of ready interstate transmission as needed for patient care. A major impetus toward adopting this type of record was a report of the Institute of Medicine in 1991 that recommended adoption of the computer-based patient record as the standard for all patient care records. Likewise, increasing use of telemedicine means that patient information will often cross State lines, sometimes in real-time delivery of care. This promising development is an important facet of the National Information Infrastructure because of its potential to provide greater access to quality health care for all Americans, especially those living in rural and remote areas.
The National Committee on Vital and Health Statistics (NCVHS) last year held six days of hearings involving witnesses from the full spectrum of public and private constituencies concerned with privacy, consumer interests, and operation of the health care system. Testimony received at these hearings showed that ''computers are perceived both as threats to patient privacy and as tools for protecting personal health data. Some see computerized information as the best way to support greater use of data without revealing patient identifiers. With traditional paper records, for example, the difficulties of creating non-identifiable data are typically significant. It may be impractical and very time-consuming to make a complete copy of a paper record with all identifying data removed. With a computer record, the administrative burden of creating anonymized records may be insignificant. Others see computerized repositories of health data as magnets for hackers and other abusers.'' Further testimony suggested that
[T]he real threats to computerized information, as with paper records, come from insiders and not from hackers.
Nevertheless, because of the important and increasing role of computers in health care, it is important to be sensitive to both public perceptions and to the possibility that abuses of computerized health records will increase in the future. One response would be increased criminal and civil penalties for misuse of computerized health records. These penalties should apply to both inside and outside abusers of health data.
The Committee noted that it is often overlooked that computers contribute directly to improved patient care in many ways, and that debates on the proper role of computers and electronic records often focus only on the threats to privacy and not the benefits for patients. The committee concluded that a more balanced discussion about the value and the risks of computers is essential, and
that we need to do more to develop and implement technological protections for health records. Technology offers the possibility that we can use records for socially beneficial purposes while fully protecting privacy at the same time. Greater use of nonidentifiable, coded, or encrypted records can make everyone better off at little or no cost. Technology will not cure all problems related to the use of identifiable information, but it can diminish the intensity and scope of the problems. This may be the most promising area for additional development.
The NCVHS has not addressed incentives or disincentives for the keeping of electronic records. A new NCVHS workgroup on Computer-based Patient Records may address this issue in the future.
Chairman THOMAS. Let me ask the question a slightly different way. Are our efforts enhanced, do we make the job easier or more difficult based upon the way we approach how we are going to legislate; that is, try to deal with the very sensitive question of privacy for both individually identifiable records and encrypted records, whether they be electronic or paper; or if we put a serious emphasis on trying to create a timeline in which we move to the electronic era and then deal with the same concerns about individually identified records? I am wondering which, in your opinion, would get us there in the most efficacious way.
Dr. DETMER. I think if we acted on this issue, if you acted on this issue in this session
Chairman THOMAS. I assure you it is going to be ''we.''
Dr. DETMER. Well, I would hope so. In any event, if this is acted upon in this session, I honestly think the field is moving forward, but there are also things that would be in the public's interest that the Congress could also do to facilitate the development of computer-based health records.
We have in this country fairly well-developed hospital information systems compared to those for primary care and smaller care units. If you look at the United Kingdom or the Netherlands, for example, they have put in some tax benefits as well as equipment writeoffs that really have moved that technology forward.
And, incidentally, they have privacy legislation in place, and the populations in both of those countries feel quite good actually in that sense about this issue. I am not saying to every last person, but as a development I think it is seen as a positive thing.
Chairman THOMAS. The difficulty, of course, is that Great Britain is a unitary country and we are a Federal system, and States have proper roles to play in a number of areas. Dealing directly with individuals, for example, with regard to health and welfare, is one of the roles the States have to play which makes our job more difficult to bridge those differences.
In looking at the information, one of the concerns I think is warranted by the individuals who do not want to err, who are concerned on the side of the right to privacy, is the access to those identifiable patient records. Does it seem reasonable that if we, for example, move toward a system which would allow for a determination of who accessed the records, to make that accessing of the records available to individuals?
I know you can place extreme punishment on people misusing that information. But I think the most chilling effect often on people misusing that information is to make it easily known as to who it is that is accessing those records. That is the first part of the question.
The second part, since that involves enforcement in a very direct way, it is too simplistic to view the role of the Federal Government and the State legislators as perhaps dividing it along that line; that where there are identifiable personal records, that could be a very proper and appropriate role for the States to deal with how you deal with that information; and the encrypted records, primarily for research, far more often travel across State lines, are collected for purposes that should have a set of protocols properly approved by an appropriate agency? Is that too simplistic a view?
Dr. DETMER. The difficulty, unfortunately, is we have been getting testimony in some of our recent hearings in particular that the ability to assure the data are securely encrypted, clearly identifiable, or are clearly not identifiable is not likely to be that airtight.
The fact of the matter is, almost all of these things can be open to manipulation, if you will. The most likely assurance you will be getting encrypted or nonidentifiable data, which involves a lot of the information, will simply be from the fact that you have strong sanctions in place. People will clearly want to just use nonidentifiable data as much as possible to avoid, obviously, the exposure to sanctions for misuse.
It would be tough to get back directly to your question, to craft language in that kind of a dichotomous approach.
Chairman THOMAS. But would you respond directly to the point of having the ability to have a clear trail from the identifiable electronic data and providing it to, for example, the individual, as to who it is that has been looking at the records?
Dr. DETMER. Yes, I think certainly the trail, the idea of audit trails is a protection. It is also true, of course, depending on how much information you keep relating to all the trails and who is involved, that that also then becomes, if it is overdone, yet another set of information that could then be abused and hence invade privacy. So all of these things have a balance that has to be struck.
[The following was subsequently received:]
The NCVHS provided its recommendations on adoption of security standards in a letter to the Secretary, HHS, dated September 9, 1997. In providing a series of principles and recommendations for the Secretary's consideration, the Committee stated that in order for health information systems to be secure, there must be monitoring of access. Specifically, ''[o]rganizations should develop audit trails and mechanisms to review access to information systems to identify authorized users who misuse their privileges and perform unauthorized actions and detect attempts by intruders to access systems.''
Chairman THOMAS. And then finally, I know it was in your testimony but I want to underscore it, the administration in making its initial proposals placed a privileged category for law enforcement agencies, and you voiced some concern about that.
My assumption is we all understand the importance of that, but that in your opinion they probably carved out too big an island, too exclusive an approach for law enforcement?
Dr. DETMER. Yes. With all respect, this was the only area of significant difference between the committee's recommendations and the Secretary's recommendations. We urged substantive procedural protections. We felt law enforcement should justify their need for personal identifiers, remove those identifiers at the earliest possible moment, unless needed for fraud investigation, and a court order seemed appropriate for access.
There was a huge array of issues we had to look at. We did not spend a detailed amount of time on this, and probably will deserve to spend more, but clearly we did differ from the Secretary in that and we urged more protections.
Chairman THOMAS. Thank you very much, Doctor. Obviously, we will rely on you in your ongoing examination. My belief is this is an area that could change relatively quickly in terms of techniques that are being developed, especially when we are looking at an August 1999 deadline. At least, I certainly hope so.
Thank you very much for your input.
Does the gentleman from Wisconsin wish to inquire?
Mr. KLECZKA. With respect to research currently being done by managed care companies, is that being done with the informed consent of the individuals?
Dr. DETMER. Right now we have very much a patchwork of incomplete and inadequate protections generally. I think most managed care companies do in fact, and health care organizations, do in fact try to protect the data of patients. Obviously, we do not have full information. In fact, one of the problems of this whole field is a relative lack of the kind of research base that would be very useful to us as a committee, as well as to you in your roles.
In general, if you have health professionals involved in the work, whether it is the quality work or cost effectiveness or whatever, utilization work, health professionals have a genuine concern for confidentiality. And I am not sure it is always done ideally by health professionals, but it has been part of their upbringing from the time they got into the health professions. There is a bit perhaps less dedication and concern for privacy as you get beyond the health professionals themselves.
[The following was subsequently received:]
We do not know. The Committee does not have information on this area.
Mr. KLECZKA. Later this year the European Union is scheduled to come down with a directive relative to transferring of data to a third country, and that directive indicates that they want to ensure the level of protection. Currently, does this country meet the criteria that is set forth in that directive?
Dr. DETMER. It is not precisely clear to me that it does. If you really look at it pretty literally, I would say it does not. This is not a formal committee view, that is my own assessment of this. The committee has not formally assessed the matter.
But I do think it is important for us, and it does speak to the issue of States' preemption. If we do not have a Federal law that is sufficiently recognizable as a national standard, we certainly could be open to the clear interpretation that we would not be meeting the EU guidelines, and it would prevent us from being able to share information for purposes of research and other social benefit.
[The following was subsequently received:]
The EU directive is a very comprehensive privacy law covering all personal data and designates an official with power to regulate private sector use of personal data. The U.S. does not have a comprehensive legal scheme of data protection, nor an official who has privacy protection as a sole responsibility on a nationwide, or government-wide basis. Rather, it has a number of separate State and Federal laws, but no privacy law generally applicable to all data.
Mr. KLECZKA. What would be the impact on this country in terms of trade and research should we not meet the criteria and so forth in the directive?
Dr. DETMER. I have not seen specific estimates, but in terms of looking certainly at drug development and other activities that are in the public's interest, I think it would have an adverse impact on what would otherwise be a desirable thing.
[The following was subsequently received:]
The impact is not yet clear. It is our understanding that the Commerce Department and the State Department have been involved in discussions with EU staff. Within the Department of Health and Human Services, the HHS Data Council is surveying its staff and operational divisions to determine the extent to which individually identifiable personal data moves from the EU to the U.S.
Mr. KLECZKA. It is your view, at this point at least, we do not currently meet the specifics of that directive?
Dr. DETMER. That is my own personal interpretation, yes.
[The following was subsequently received:]
We believe that the U.S. may not currently meet all of the criteria of the EU directive.
Mr. KLECZKA. What is the timing of that? It is supposed to come down later this year?
Dr. DETMER. I do not know the specific time. I could get back to you on that, but it is coming along, though, that is for sure. But exactly specifically
Mr. KLECZKA. I have information the effective date is October of this year.
Dr. DETMER. You sound like you have the information.
Mr. KLECZKA. Thank you very much.
Chairman THOMAS. Does the gentleman from Louisiana wish to inquire?
Mr. MCCRERY. Just a couple of questions, Mr. Chairman.
Dr. Detmer, I want you to expound a little bit on the question of preemption of State laws. I am a little concerned about what I perceive to be the Secretary's recommendation that we have a national law, a national standard, but that we allow the States to enact stricter standards.
How is that going to solve the problem of uniformity? It seems to me to be contradictory. Can you expound upon that?
Dr. DETMER. Well, this is a very complex issue. The committee, to the extent it has spoken to this, feels like it is worth splitting out this issue and not looking at it in a totally either all Federal, no State, or wide open and a weak Federal floor, if you will.
There may be areas where it might be very wise to in fact allow State standards. For example, the area of public health law. The States have very well-developed public health laws that have been developed in very good collaboration with the Federal Government. So I think our general attitude would be you should look at preemption piece by piece.
Speaking personally, you are going to be hearing from a witness from Minnesota. If you do see, as the Chairman said, States doing too much experimentation, 50 points of light in my view is not necessarily going to give us enough clarity on this. If you have a sufficiently high standard, the States will not seek to do more. In some areas, like public health law, it is probably the best approach to acknowledge that body of law.
[The following was subsequently received:]
Preemption of state laws was the most difficult conflict identified at the hearings we held, and did not yield a clear answer. The NCVHS addressed preemption specifically in its recommendations to the Secretary (June 27, 1997), as follows:
Among large segments of the health industry, a major benefit to federal legislation is a high degree of regulatory uniformity throughout the country. The interstate nature of health care treatment and payment activities is readily apparent. It will be difficult for many involved in electronic transfers of health data to accept any proposal that does not offer significant relief from the prospect of 50 different state laws establishing separate rules.
On the other hand, it would be difficult for many patient groups, privacy advocates and perhaps some provider groups to accept any proposal that does not allow states to adopt stronger privacy protections as specified in the HIPAA. People disagree whether existing state laws offer greater protection than most of the current federal proposals, but a proposal is not a law so judgments in this area are premature. There is strong support in some communities for a minimum federal confidentiality standard that allows states to erect stronger privacy barriers. HIPAA already reflects a policy that stronger state laws should be allowed to prevail.
Existing proposals differ on preemption. Most preserve existing state mental health and public health laws, but the scope of this language is unclear. H.R. 52 adds a new idea to the mix by allowing states to pass additional restrictions on access to health records by state officials.
The Committee suggests, however, that this issue need not be treated as a single problem with a single solution. The conflicts need to be broken down into components, and each component analyzed separately. In some areas, the case for federal preemption may be stronger. For example, it may be unnecessarily complex to support 50 different patient access procedures. On the other hand, the need to recognize the diversity of state public health laws is already clearly reflected in most proposals. No one has suggested or is likely to support a uniform federal public health law. A narrower and careful analysis of preemption may help to minimize the admittedly strong conflicts here and may point to more effective resolutions. However, if sufficient national conformity is not achieved, both national and international objectives cannot be met.
Mr. MCCRERY. Can you briefly, if you feel comfortable doing this, either on the part of the commission or on your own part, outline for us the reasons for having a national standard?
Dr. DETMER. Well, I think clearly the most critical one in my view, speaking as a practicing physician and looking at the fact that much of the population in this country lives near State borders, if we have stiff penalties in place, let us say a patient works in the District, lives in Virginia, and gets their care in Maryland. You will have different States which will have different standards, with still very stiff Federal penalties. Trying to keep that straight, both as a patient and as the provider, it strikes me as really making it very difficult, and we do want to have an effective law.
If I were just to speak to one thing, that is, in my mind, one of the most compelling arguments to be made for strict Federal preemption. But, again, I would be happy to try to get back to you with more specific direction on this very important issue. Without question, it is one of the more controversial areas of this legislation.
[The following was subsequently received:]
The existing legal structure does not effectively control information about individuals' health. Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. The Committee's position on this is reflected in its recommendations to the Secretary (June 27, 1997) wherein it made a number of principal findings:
The United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate in the future.
The importance of trust in the provider-patient relationship must be preserved. Patients must feel comfortable in communicating sensitive personal information.
Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or changing the way that information is acquired and used. On the other hand, the confidentiality of the provider-patient relationship and the confidentiality of health records had been the foundation by which the health care system helps ensure the best possible health care. It is not easy to strike a fair balance between these sometimes competing concerns.
Mr. MCCRERY. Thank you. That would be helpful, because looking over your testimony, it is not real clear to me, anyway, what your recommendation is.
Dr. DETMER. OK.
Mr. MCCRERY. If you could be more specific, that would be very helpful.
Second question. You talk about needing to guard against discrimination in a number of areas, including insurance. Most people, when they apply for insurance, are they not asked to reveal any health conditions that would have an impact? So what is the problem on discrimination in insurance?
If you see that as a problem, perhaps we should move to some sort of community rating. That would resolve that. Do you want to comment on that?
Dr. DETMER. We have not talked about the issue of community rating as an issue per se. I do think that the very concept of health insurance, though, is it is to be something that is there for people when they are sick. And if indeed you reveal you have illnesses and then you cannot get any coverage, or it is so extravagant or expensive you cannot afford it, then the very concept of insurance is not there.
At some level this is a very important question and is obviously a question that goes beyond the privacy legislation, certainly, but I think it is a very critical question: Do people get coverage for effective services or not? That is a community rating kind of issue.
[The following was subsequently received:]
To the extent that the NCVHS has addressed this matter, its discussions have included the following points. The relationship between privacy (as defined by principles of fair information practices) and discrimination is an issue that was raised a number of times during the NCVHS hearings last year. Some motivation for protecting health information is to prevent the discriminatory use of the information both inside and outside the health care setting. Patients receiving care for some health conditions or who have been the subject of genetic testing have been and continue to be the subject of discrimination in employment, insurance, and elsewhere. Several current Congressional bills address the possible discriminatory use of genetic information.
Discrimination based on health status and condition remains a major and important concern. While the Committee has not focused its full attention on discrimination, legislative responses are appropriate. It is not clear, however, that general privacy concerns and discrimination concerns must be or should be addressed together in the same piece of legislation. An already complex health privacy bill is not the best place to sort out responses to equally complex discrimination problems. The Committee suggested in its recommendations to the Secretary (June 27, 1997) that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but not enough work has been done to explore the content of anti-discrimination legislation. The Committee urged the Secretary to propose legislation expanding the anti-discrimination provisions of HIPAA to cover all aspects of discrimination based on health status and condition.
Mr. MCCRERY. Thank you.
Chairman THOMAS. Does the gentleman from California wish to inquire?
Mr. BECERRA. Let me ask a question, and this may be somewhat premature, since we are trying to figure out what we believe confidentiality or privacy to be and how we address it, but certainly some of what we want to protect will have to be done through statute.
The preemption issue, for example, makes it clearly Federal versus State. We will have that dispute. But some areas are probably best protected by regulation because they may need to change periodically and statutes would be too difficult to have constantly amended. Do you have any sense right now, Dr. Detmer, what areas are clearly best left to regulation versus statute? What should we not do?
Dr. DETMER. That is a very tough question and it is one, obviously, I think all the Members of the Subcommittee grappled with. I do not question at all the validity of your basic comment. It is true that if you put too much in a statute, you do not have the flexibility that can come with regulation.
Clearly, I think we do need a set of basic health information practice protections, and those, I think, can be a matter of statute. Exactly how those play out over time are appropriately left to regulation. And certainly as the chair of the national committee that has a nearly 50-year history of advising government, I think that the NCVHS committee review process is a wonderful mechanism by which regulation can become more attuned to the times and the needs.
Here is a group of private citizens serving and giving expertise to the Government, having an opportunity to hold hearings for wide varieties of folks and then making recommendations. The HIPAA legislation in that regard is a very nice model, because it did lay out a general picture, but then it also mandated that regulations would follow based on explicit hearings and the advice of this Subcommittee.
Mr. BECERRA. Is there any particular area you could identify for us?
Dr. DETMER. Well, I say certainly basic health information practices. I will be happy to get back to you. I think it is a very relevant and critical question actually to the legislation.
Mr. BECERRA. I think to the degree you can help us set the parameters of what we are going to do, if there is something we should clearly leave off the table with regard to statutes and limitations, it would help us quite a bit.
Dr. DETMER. Certainly.
[The following was subsequently received:]
Both the NCVHS in its recommendations to the Secretary (June 27, 1997), and the Secretary in her recommendations to Congress (September 11, 1997), recognized the difficulty in drafting health privacy legislation and recommended a ''safety valve provision.'' Specifically, the Secretary's recommendations noted:
We recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.
The design of precise controls on the use and disclosure of information is a complex task, and it is possible that the legislation would forbid a disclosure, or otherwise constrain behavior, in a way that causes unanticipated hardship.
Authority to suspend a provision would ensure that situations like this could be addressed, on a temporary basis, pending Congressional consideration of amendments.
Federal agencies are accustomed to the flexibility provided by the Privacy Act of 1974, whose routine use provision (5 U.S.C. 552a(a)(7) and (b)(3)) permits agencies to make administrative choices to disclose information beyond the disclosures explicitly allowed in the statute. We do not recommend administrative authority as flexible as the routine use provision, which appears in a law covering all activities of all Federal agencies, and where a statutory catalog of all possible uses of information was not feasible. We recommend a provision to deal with extraordinary situations that may have not been foreseen, and then only for a limited time.
Mr. BECERRA. With regard to the whole issue of the data we collect and how we keep all that information, electronic, paper, and so forth, what do you do with the nonprofit, the community-based clinic that already survives on a shoestring budget, if we determine that the best way to keep information safe is to go toward some electronic mechanism?
How do we help those that are barely surviving to provide health care, to now get to the point where they will abide by statute or regulation requiring them to provide protection to private information?
Dr. DETMER. Very good point. It came up in our hearings. In particular, we had a hearing out in San Francisco where Los Angeles County Hospital came and said, Look, our budgets are so low, the idea we can have a very wonderful, which we would like, information system with what many of you might consider really important and basic information is simply beyond our means.
There is clearly cost involved in this issue, and certainly one of the main drivers of HIPAA was to in fact save money from administration simplification. We again lack the facts and data that would allow us, I think, to really know exactly how big a problem this will be. We know in some areas trying to do much of anything would probably stretch their budget. So there is a tension in here and there is a cost in this.
On the other hand, there is also a general public concern about privacy. We need to have a law but we do need to, I think, look carefully at the costs that that will impose on people.
[The following was subsequently received:]
Section 1173 of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, Aug. 21, 1996) requires the Secretary to adopt standards for electronic data transactions, but does not mandate that providers exchange information electronically. While issues regarding costs of maintaining and providing information electronically have been raised at its hearings, the Committee has not addressed this issue.
Mr. BECERRA. Thank you, Mr. Chairman.
Chairman THOMAS. In regard to that, though, the next panel will have some comments, and I find the argument on cost a bit analogous to the preventive care arguments we had, that wound up with us finally spending money according to the budget rules. Everyone involved believed that in the long run, a decade, a generation, that we would save money on preventive care. With adequate records, the investment and the ability to keep really accurate records, that a number of areas such as duplicate procedures or missed procedures, that would save customers in the long run, may very well be at least offsetting.
That is not a comfort to someone who has to meet a budget on a quarterly or a yearly basis, but we need to look at all aspects of the decision rather than just very narrowly someone's quarterly accounting on the cost of changing the way in which we provide records both to the patient and to the system.
The other point I wanted to make before I ask you a final question, the gentleman from Louisiana's line of questioning is very, very pertinent, and I have had an ongoing, mostly positive relationship with the insurance business trying to convince them that their real job is to manage risk, not eliminate risk.
Dr. DETMER. Thank you.
Chairman THOMAS. Under the current rules, at the same time, we ought not to shoot the messenger if what they do is provide us, under the current rules, the cost of coverage for particular concerns. That then becomes an immediate problem for the individual, but it becomes a problem for society in examining the way in which the current rules operate.
And that goes to the gentleman from Louisiana's discussion about community rating or getting better risk assessment tools available to us for making these kinds of decisions, because I do not want the industry to pull punches in terms of what the costs of these various conditions would be to insure in the current world. That allows us to make a realistic decision and not an unrealistic one.
Then, finally, as we get into this area which all of us now I think are fairly sensitized to, as to its importance in dealing with privacy, we do not have a comprehensive privacy statute on the books. The string theory of physics for privacy, I think for a very good reason. We do have, though, a number of statutes on the books, and the staff has listed for me the Privacy Act of 1974, Americans With Disabilities Act, the Controlled Substances Act, and most recently, the Balanced Budget Act.
Did the committee review those? And can you give us any lessons learned from the implementation of these earlier Federal statutes, in terms of their either applicability or the difficulty of converting? One of the things we do around here is take something that has worked in the past and apply it to something else. Do you have any cautionary words about the way in which we might approach this particular area of privacy vis-a-vis what we have done in the past and what might be seen as somewhat similar or related areas?
Dr. DETMER. Yes, and the committee has not explicitly dealt with that question, particularly the Balanced Budget Act, which is very current. I think the question is a good one and one that I will put to the committee. I think it could be useful to you to get back on that.
In general, as an offhand comment, I do not think that the process, being the way it operates, it has been that bad. In fact, it has been quite good.
I do want to respond to an earlier comment, if I might. I think my first time to ever testify before you was soon after I had chaired the Institute of Medicine study on computer-based patient records some years ago, and I want to underscore how much I agree personally with what you are saying here. On the basis of that study and other work, we will not get to truly value-based, cost-effective care, even looking at these issues of cost on insurability and such, until we have much finer grain reliable information. That is only going to come actually out of computer-based analysis, properly done, with the appropriate confidentiality protections in place.
[The following was subsequently received:]
The Committee has not examined the Privacy Act or the other laws in any depth in developing its recommendations.
Chairman THOMAS. Well, without it I do not see how we can create some outcomes research that providers will need, that we will need as smart buyers with the taxpayers' money, but, more importantly, providing a body of information to patients so that they can be smart consumers as well, which is one of the fundamental ways we will keep a control on health care costs.
Dr. DETMER. Many of us are grateful for your leadership on that.
Chairman THOMAS. The final comment would be to tie in once again with the gentleman from California. While you look at these various particulars, the other thing I am most concerned about is the balance between statute and regulations. Because, obviously, given the changing technology, we are not going to be able to write a piece of legislation that is probably as flexible as we would like for the near term.
If you could, create some bright lines for us that would be most appropriate in legislation versus areas that probably are going to be changing and we can review, lock up if necessary in legislation in the future, but perhaps might lead to legislation.
My real worry about that is that as this argument for privacy continues, I do want to make sure the Federal statute encompasses the basic structure so that there will not be, for want of a better term, an end run around what we are trying to do by, particularly by States being overly zealous in regulating beyond what is necessary to create those clear and necessary personal privacy and confidentiality protections, but still allowing for the collection of data which will allow us to move forward, both for individuals and for medical science.
[The following was subsequently received from Mr. Detmer:]
As noted above in response to Q9., both the NCVHS recommendations to the Secretary (June 27, 1997) and the Secretary's recommendations to Congress (September 11, 1997) recognized the difficulty in drafting health privacy legislation and recommended a ''safety valve provision.'' The Secretary's recommendations specified that ''[w]e recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.''
Any Members have any additional questions?
The gentleman from California.
Mr. BECERRA. Really quickly, and again this may be premature, was there a great deal of discussion of what you do after privacy information has been disclosed? What about the person who has a mental history and those records are disclosed, or has the AIDS, HIV virus? What happens in that case, when the cat is out of the bag? Did you propose or discuss what should be the remedy in those cases?
Dr. DETMER. Well, I think we do see, as I say, sanctions that should come into play if there are obvious cases of that type. You mentioned both mental health as well as HIV, for example. Clearly, there are some sets of health information that will expose people more than other general data, like a simple blood pressure, pulse reading, say.
The general feeling is that if you really start taking it case by case and trying to look at genetic information, or HIV status, or mental health data, all in separate kinds of all special sorts of cases, that becomes something almost impossible to try to manage sensitively and appropriately. The committee's general feeling is, Let us put in a very good standard and let us have that standard be such that it protects those people, so that in fact your protection does not depend on what disease you unfortunately happen to get or what problem you happen to have.
Mr. BECERRA. If I could ask this, as you all continue, if you could give some close attention to giving us some strong and specific recommendations on sanctions, because there will be all sorts of special interests in this trying to fight to either make them very strong or very weak, and it would help if we had some good guidance from those who are examining the whole issue. Give us a sense of how strong or how weak we should be with regard to sanctions, if in fact we find that information is disclosed.
Dr. DETMER. It is clearly a judgment call. At least I would advocate that you make them sanctions that really look and feel like sanctions, if it looks like a horse and feels like a horse. I really think that needs to happen.
I think they really need to be there, but it is still a question of levels. And you are right, there will clearly be some pressures to make it higher or lower. Again, I will see if I can try to give you some advice on that, if I can.
[The following was subsequently received:]
There is clear consensus that there be strong civil and criminal sanctions. A federal privacy law should, as recommended by the Committee (June 27, 1997) and the Secretary (September 11, 1997), ''provide for punishment for those who misuse personal health information and redress for people who are harmed by its misuse. There should be criminal penalties for obtaining health information under false pretenses, and for knowingly disclosing or using medical information in violation of the Federal privacy law. Individuals whose rights under the law have been violated should be permitted to bring an action for damages and equitable relief.''
Mr. BECERRA. Thank you, very much.
Thank you, Mr. Chairman.
Chairman THOMAS. Looked like a horse and kicked like a mule.
The key to that is where it is personally identifiable and it is electronic, you will know who has done it with the audit trail, and that you allow for relatively tough sanctions but the court system to resolve a number of those on the intensity.
We obviously have access to taxpayer funds for medical purposes to sanction a number of people who are involved in the medical end of it through research or other ways, and a combination of those are what we are going to have to look at.
Dr. DETMER. It is not as though we have no protections or things in place at this point. In fact, I think there is quite a bit of interest and commitment to this. It is just that we do not have a privacy law.
Chairman THOMAS. And to determine which ones appropriately match up.
Dr. DETMER. Exactly.
Mr. BECERRA. The bottom line is, for the patient who has had this information exposed, there is little remedy he can do in terms of money or some type of civil or criminal sanction against that disclosure to make that person now feel whole.
I would think we would want to construct something that provides swift sanctions and, as you said, it really has teeth. Because what you want to do, as you said before, is protect the information from ever being disclosed, especially information that is that sensitive of a nature.
Chairman THOMAS. The gentleman is pursuing a line of deterrence. I understand what you are saying.
Mr. BECERRA. Prevention.
Chairman THOMAS. You probably would not want to go down that road in other areas of discussion, but I clearly think a good example would be a deterrence. If you have a clear indication of someone violating it, a relatively swift and stiff punishment would occur, and we will explore those avenues.
Dr. DETMER. And, in fact, unfortunately many lapses are essentially a person who has no business doing what they are doing. And that is far more the more common area than a problem with the technology itself or something else. It is somebody not respectful of these kinds of data and the personal harm they do to people.
Chairman THOMAS. Well, thank you very much. This is obviously the beginning of a process of producing legislation that will both protect individuals' right to privacy and confidentiality of records and also allow us to continue to access them for legitimate medical and research purposes.
Thank you very much, Doctor.
Dr. DETMER. Thank you.
Chairman THOMAS. We can ask our next panel to come forward.
This will be Dr. Stephen Borowitz, who is associate professor of pediatrics and health evaluation sciences at the University of Virginia, Charlottesville; Janlori Goldman, director of the Health Privacy Project at Georgetown University; Dr. James R. Birge, I believe it is, medical director and chief executive officer of the MacGregor Medical Association in Houston, Texas.
Dr. Borowitz, a copy of your full statement will be placed in the record. You may proceed in the time available in any way you see fit.
STATEMENT OF STEPHEN M. BOROWITZ, M.D., ASSOCIATE PROFESSOR, PEDIATRICS AND HEALTH EVALUATION SCIENCES, UNIVERSITY OF VIRGINIA HEALTH SCIENCES CENTER, CHARLOTTESVILLE, VIRGINIA
Dr. BOROWITZ. Mr. Chairman and Subcommittee Members, my name is Stephen Borowitz and I am associate professor of pediatrics at the University of Virginia. In the next several minutes I hope to show you how information technology can improve health care.
The practice of medicine is information intensive. Forty percent of hospital operating costs result from patient and professional communications, and physicians and nurses spend as much as half of their time documenting. Yet 70 percent of the time, physicians do not have all the information they need. The greatest reason for this is that we continue to keep most medical information in a paper medical record.
The paper record today is little different than 50 years ago, despite an explosion of medical knowledge and technology. Information is not sorted for relevance but rather by source and chronology, so that critical information may be deeply buried. Increasingly, the paper record is serving purposes it was not designed for. It is the source of medical billing documentation and the principal repository for medical-legal information. There is more and more information in the record, much of which has little or no direct clinical relevance.
When compared to paper records, computerized records provide easier and faster access to clinical information. The data are of higher quality, always legible, and can be displayed in a number of different formats. Many organizations are already developing computer-based records.
This is my younger daughter's record at the University of Virginia. This and other systems are searchable. We can search for all of the patient's blood counts, and the results are displayed quickly on a single screen and can be graphed or analyzed. The system also contains text.
This is a hospital discharge summary of a little girl with ulcerative colitis whom I care for. Two days after her hospital discharge she returned late at night with intestinal bleeding. Because of this computerized record, the emergency room physician immediately knew her problem, who should be contacted, and what interventions were appropriate.
Computerized records can contain images such as x rays or electrocardiograms. By being able to view this old electrocardiogram, an emergency room physician can determine that this man complaining of chest pain is experiencing heartburn not a new heart attack.
Perhaps the greatest limitation of the paper-based medical record is that it actually does not exist. Every health care provider who has ever seen a patient has a separate paper record, and these records are viewed as personal notes or reminders rather than part of a larger whole. They are often perceived as owned by health care providers rather than by the patient.
An excellent example of the limitations of the paper record is childhood immunizations. These are the safest and most cost-effective health interventions. Ninety-five percent of children begin the recommended series, and 97 percent are fully immunized upon entry into kindergarten. However, only half of 2-year-olds are fully immunized, yet they are the group at greatest risk for the diseases we are trying to prevent. The number of completely immunized 2-year-olds would go from 50 to 85 percent if we eliminated all missed immunization opportunities.
The biggest barrier to this is the lack of data. Many children change providers or are seen by multiple providers. Half of all children receive immunizations at two or more facilities. This makes responsibility for immunizations ambiguous. Who keeps track of them and who should be responsible?
We have attempted to provide this type of information with Project Vaccine, a shared computerized immunization data base. Here is my younger daughter's immunization record. She is up to date. While this system can recommend immunizations, providers were resistant to this, so we provide current immunization schedules. Over the past 3 years, the rate of completely immunized 2-year-olds in central Virginia has risen from 58 to 78 percent.
In addition to recordkeeping, information technology is influencing the way health care is delivered. For the past 2 years, we have been providing electronic mail consultations across the World Wide Web. Here is the e-mail form directed to me. There is a disclaimer that the information is being conveyed across the Internet and may not be secure or confidential.
Over the past 24 months, I have received more than 1,000 consultations. Here is an example from a parent in rural North Carolina whose 1-year-old son had chronic abdominal difficulties. Nearly 80 percent of my consultations have been initiated by parents. I have received requests from 38 of the 50 States. Clearly, many people out there are seeking information.
I believe information technology is helping to disseminate and redistribute medical information. Information that was previously only available to medical professionals is now available to anybody with access to a computer. This can only help patients and their families to be more active participants in their own health care and to make better and more informed health care decisions.
Thank you.
[The prepared statement follows:]
Statement of Stephen M. Borowitz, M.D., Associate Professor, Pediatrics and Health Evaluation Sciences, University of Virginia Health Sciences Center, Charlottesville, Virginia
Mr. Chairman, Members of the Subcommittee on Health, thank you for your examination of two crucial and intertwined issues confronting our health system: the confidentiality of medical information, and the use of computer and communications technology to improve patient care. My name is Stephen Borowitz. I am a pediatrician who specializes in gastroenterology and nutrition and an Associate Professor of Pediatrics and Health Evaluation Sciences at the University of Virginia. I have long had interests in how information technology can be used to improve the delivery of health care as well as the delivery of medical education. My task today is to give you some idea as to the potential of information technology to improve the coordination of and access to health care, and help physicians and other health care providers become lifelong learners.
While I speak today as an individual physician, I must note that the explosion of information technologies is reaching deeply into every corner of our nation. Today health data can be transferred from facility to facility in seconds, read and interpreted hundreds or thousands of miles away from the patient, stored on a variety of disks, drives, tapes, etc. In health care the global village is rapidly arriving, and patients in that global village could live in the smallest town in rural Virginia or across the world, and be treated by specialists at our Health Sciences Center through the use of telemedicine and other technologies.
I am also a member of the American Medical Informatics Association (AMIA), a national organization dedicated to the development and application of medical informatics in support of patient care, teaching, research, and health care administration. AMIA's more than 3800 physicians, researchers, librarians, information systems managers, and other professionals with expertise in information technologies recognize that the enormous potential for computer and communications technology to improve health care cannot be realized unless individuals and the society-at-large are reasonably certain that safeguards are in place to protect the confidentiality of personal health data in medical records. My comments today reflect not only my own views as a physician who actively uses technology to improve patient care, but also those of many members of AMIA.
The practice of medicine is information intensive. Nearly 40% of hospital operating costs result from patient and professional communication activities. Despite the fact that physicians spend more than a third of their time ''documenting,'' and nurses spend nearly half of their time ''documenting,'' physicians report that 70% of the time they do not have all the inform