<html>
<title> - H.R. 52, THE FAIR HEALTH INFORMATION PRACTICES ACT OF 1997</title>
<body><pre>[House Hearing, 105 Congress]
[From the U.S. Government Printing Office]


       H.R. 52, THE FAIR HEALTH INFORMATION PRACTICES ACT OF 1997
=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                        COMMITTEE ON GOVERNMENT
                          REFORM AND OVERSIGHT
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED FIFTH CONGRESS

                             FIRST SESSION

                                   ON

                                H.R. 52

     TO ESTABLISH A CODE OF FAIR INFORMATION PRACTICES FOR HEALTH
INFORMATION, TO AMEND SECTION 552A OF TITLE 5, UNITED STATES CODE, AND
                           FOR OTHER PURPOSES

                               __________

                              JUNE 5, 1997

                               __________

                           Serial No. 105-58

                               __________

Printed for the use of the Committee on Government Reform and Oversight


                          U.S. GOVERNMENT PRINTING OFFICE
45-252                             WASHINGTON : 2002
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


              COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
J. DENNIS HASTERT, Illinois          TOM LANTOS, California
CONSTANCE A. MORELLA, Maryland       ROBERT E. WISE, Jr., West Virginia
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
STEVEN SCHIFF, New Mexico            EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          PAUL E. KANJORSKI, Pennsylvania
ILEANA ROS-LEHTINEN, Florida         GARY A. CONDIT, California
JOHN M. McHUGH, New York             CAROLYN B. MALONEY, New York
STEPHEN HORN, California             THOMAS M. BARRETT, Wisconsin
JOHN L. MICA, Florida                ELEANOR HOLMES NORTON, Washington,
THOMAS M. DAVIS, Virginia                DC
DAVID M. McINTOSH, Indiana           CHAKA FATTAH, Pennsylvania
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
JOE SCARBOROUGH, Florida             DENNIS J. KUCINICH, Ohio
JOHN B. SHADEGG, Arizona             ROD R. BLAGOJEVICH, Illinois
STEVEN C. LaTOURETTE, Ohio           DANNY K. DAVIS, Illinois
MARSHALL ``MARK'' SANFORD, South     JOHN F. TIERNEY, Massachusetts
    Carolina                         JIM TURNER, Texas
JOHN E. SUNUNU, New Hampshire        THOMAS H. ALLEN, Maine
PETE SESSIONS, Texas                 HAROLD E. FORD, Jr., Tennessee
MICHAEL PAPPAS, New Jersey                       ------
VINCE SNOWBARGER, Kansas             BERNARD SANDERS, Vermont
BOB BARR, Georgia                        (Independent)
ROB PORTMAN, Ohio
                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                       Judith McCoy, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
PETE SESSIONS, Texas                 CAROLYN B. MALONEY, New York
THOMAS DAVIS, Virginia               PAUL E. KANJORSKI, Pennsylvania
JOE SCARBOROUGH, Florida             MAJOR R. OWENS, New York
MARSHALL ``MARK'' SANFORD, South     ROD R. BLAGOJEVICH, Illinois
    Carolina                         DANNY K. DAVIS, Illinois
JOHN E. SUNUNU, New Hampshire
------ ------

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                         Mark Uncapher, Counsel
                 John Hynes, Professional Staff Member
                          Andrea Miller, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------
Hearing held on June 5, 1997
    Text of H.R. 52
Statement of:
    Condit, Hon. Gary A., a Representative in Congress from the
      State of California
    Gabriel, Dr. Sherine, Department of Health Services Research,
      Mayo Clinic, representing the Healthcare Leadership
      Council; Dr. Elizabeth Andrews, Glaxo Wellcome Inc.,
      representing the Pharmaceutical Research and Manufacturers
      Association; and Dr. Steven Kenny Hoge, chair, Council on
      Psychiatry and Law of the American Psychiatric Association
    Goldman, Janlori, visiting scholar, Georgetown University Law
      Center, and affiliated with the Center for Democracy and
      Technology; Dr. Donald J. Palmisano, member, Board of
      Trustees, American Medical Association; and Merida L.
      Johns, Ph.D., president, American Health Information
      Management Association
    Stearns, Hon. Cliff, a Representative in Congress from the
      State of Florida
Letters, statements, etc., submitted for the record by:
    Andrews, Dr. Elizabeth, Glaxo Wellcome Inc., representing the
      Pharmaceutical Research and Manufacturers Association:
        Information concerning informed consent
        Prepared statement of
    Condit, Hon. Gary A., a Representative in Congress from the
      State of California, prepared statement of
    Gabriel, Dr. Sherine, Department of Health Services Research,
      Mayo Clinic, representing the Healthcare Leadership
      Council, prepared statement of
    Hoge, Dr. Steven Kenny, chair, Council on Psychiatry and Law
      of the American Psychiatric Association, prepared statement
      of
    Johns, Merida L., Ph.D., president, American Health
      Information Management Association, prepared statement of
    Maloney, Hon. Carolyn B., a Representative in Congress from
      the State of New York, prepared statement of
    Palmisano, Dr. Donald J., member, Board of Trustees, American
      Medical Association, prepared statement of
    Shays, Hon. Christopher, a Representative in Congress from
      the State of Connecticut, prepared statement of
    Slaughter, Hon. Louise M., a Representative in Congress from
      the State of New York, prepared statement of
    Stearns, Hon. Cliff, a Representative in Congress from the
      State of Florida, prepared statement of


       H.R. 52: THE FAIR HEALTH INFORMATION PRACTICES ACT OF 1997

                              ----------


                         THURSDAY, JUNE 5, 1997

                  House of Representatives,
Subcommittee on Government Management, Information,
                                    and Technology,
              Committee on Government Reform and Oversight,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:32 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Sessions, and Maloney.
    Staff present: J. Russell George, staff director and chief
counsel; Mark Uncapher, counsel; John Hynes, professional staff
member; Andrea Miller, clerk; and David McMillen and Ron
Stroman, minority professional staff members.
    Mr. Horn. The Subcommittee on Government Management,
Information, and Technology will come to order.
    We are here today to consider the issue of medical records
privacy and H.R. 52, the Fair Health Information Practices Act
of 1997, introduced by Representative Condit of California.
    [The text of H.R. 52 follows:]

105th CONGRESS
1st Session
                                H.R. 52

     To establish a code of fair information practices for health
information, to amend section 552a of title 5, United States Code, and
                          for other purposes.

                                 ______


                    IN THE HOUSE OF REPRESENTATIVES

                            January 7, 1997

  Mr. Condit introduced the following bill; which was referred to the
Committee on Commerce, and in addition to the Committees on Government
      Reform and Oversight, and the Judiciary, for a period to be
subsequently determined by the Speaker, in each case for consideration
  of such provisions as fall within the jurisdiction of the committee
                               concerned

                                 ______


                                 A BILL

     To establish a code of fair information practices for health
information, to amend section 552a of title 5, United States Code, and
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Fair Health
Information Practices Act of 1997''.
    (b) Table of Contents.--The table of contents for this Act is as
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
Sec. 3. Definitions.

               TITLE I--FAIR HEALTH INFORMATION PRACTICES

           Subtitle A--Duties of Health Information Trustees

Sec. 101. Inspection of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of information practices.
Sec. 104. Disclosure history.
Sec. 105. Security.

     Subtitle B--Use and Disclosure of Protected Health Information

Sec. 111. General limitations on use and disclosure.
Sec. 112. Authorizations for disclosure of protected health
    information.
Sec. 113. Treatment, payment, and oversight.
Sec. 114. Next of kin and directory information.
Sec. 115. Public health.
Sec. 116. Health research.
Sec. 117. Emergency circumstances.
Sec. 118. Judicial and administrative purposes.
Sec. 119. Law enforcement.
Sec. 120. Subpoenas, warrants, and search warrants.

           Subtitle C--Access Procedures and Challenge Rights

Sec. 131. Access procedures for law enforcement subpoenas, warrants,
    and search warrants.
Sec. 132. Challenge procedures for law enforcement subpoenas.
Sec. 133. Access and challenge procedures for other subpoenas.
Sec. 134. Construction of subtitle; suspension of statute of
    limitations.
Sec. 135. Responsibilities of Secretary.

                  Subtitle D--Miscellaneous Provisions

Sec. 141. Payment card and electronic payment transactions.
Sec. 142. Access to protected health information outside of the United
    States.
Sec. 143. Standards for electronic documents and communications.
Sec. 144. Duties and authorities of affiliated persons.
Sec. 145. Agents and attorneys.
Sec. 146. Minors.
Sec. 147. Maintenance of certain protected health information.

                        Subtitle E--Enforcement

Sec. 151. Civil actions.
Sec. 152. Civil money penalties.
Sec. 153. Alternative dispute resolution.
Sec. 154. Amendments to criminal law.

          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE

Sec. 201. Amendments to title 5, United States Code.

   TITLE III--REGULATIONS, RESEARCH, AND EDUCATION; EFFECTIVE DATES;
             APPLICABILITY; AND RELATIONSHIP TO OTHER LAWS

Sec. 301. Regulations; research and education.
Sec. 302. Effective dates.
Sec. 303. Applicability.
Sec. 304. Relationship to other laws.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) The right to privacy is a personal and fundamental
        right protected by the Constitution of the United States.
            (2) The improper use or disclosure of personally
        identifiable health information about an individual may cause
        significant harm to the interests of the individual in privacy
        and health care, and may unfairly affect the ability of the
        individual to obtain employment, education, insurance, credit,
        and other necessities.
            (3) Current legal protections for health information vary
        from State to State and are inadequate to meet the need for
        fair information practices standards.
            (4) The movement of individuals and health information
        across State lines, access to and exchange of health
        information from automated data banks and networks, and the
        emergence of multistate health care providers and payors create
        a compelling need for uniform Federal law, rules, and
        procedures governing the use, maintenance, and disclosure of
        health information.
            (5) Uniform rules governing the use, maintenance, and
        disclosure of health information are an essential part of
        health care reform, are necessary to support the
        computerization of health information, and can reduce the cost
        of providing health services by making the necessary transfer
        of health information more efficient.
            (6) An individual needs access to health information about
        the individual as a matter of fairness, to enable the
        individual to make informed decisions about health care, and to
        correct inaccurate or incomplete information.
    (b) Purposes.--The purposes of this Act are as follows:
            (1) To define the rights of an individual with respect to
        health information about the individual that is created or
        maintained as part of the health treatment and payment process.
            (2) To define the rights and responsibilities of a person
        who creates or maintains individually identifiable health
        information that originates or is used in the health treatment
        or payment process.
            (3) To establish effective mechanisms to enforce the rights
        and responsibilities defined in this Act.

SEC. 3. DEFINITIONS.

    (a) Definitions Relating to Protected Health Information.--For
purposes of this Act:
            (1) Disclose.--The term ``disclose'', when used with
        respect to protected health information that is held by a
        health information trustee, means to provide access to the
        information, but only if such access is provided by the trustee
        to a person other than--
                    (A) the trustee or an officer or employee of the
                trustee;
                    (B) an affiliated person of the trustee; or
                    (C) a protected individual who is a subject of the
                information.
            (2) Disclosure.--The term ``disclosure'' means the act or
        an instance of disclosing.
            (3) Protected health information.--The term ``protected
        health information'' means any information, whether oral or
        recorded in any form or medium--
                    (A) that is created or received in a State by--
                            (i) a health care provider;
                            (ii) a health benefit plan sponsor;
                            (iii) a health oversight agency; or
                            (iv) a public health authority;
                    (B) that relates in any way to the past, present,
                or future physical or mental health or condition or
                functional status of a protected individual, the
                provision of health care to a protected individual, or
                payment for the provision of health care to a protected
                individual; and
                    (C) that--
                            (i) identifies the individual; or
                            (ii) with respect to which there is a
                        reasonable basis to believe that the
                        information can be used to identify the
                        individual.
            (4) Protected individual.--The term ``protected
        individual'' means an individual who, with respect to a date--
                    (A) is living on the date; or
                    (B) has died within the 2-year period ending on the
                date.
            (5) Use.--The term ``use'', when used with respect to
        protected health information that is held by a health
        information trustee, means--
                    (A) to use, or provide access to, the information
                in any manner that does not constitute a disclosure; or
                    (B) any act or instance of using, or providing
                access, described in subparagraph (A).
    (b) Definitions Relating to Health Information Trustees.--For
purposes of this Act:
            (1) Carrier.--The term ``carrier'' means a licensed
        insurance company, a hospital or medical service corporation
        (including an existing Blue Cross or Blue Shield organization,
        within the meaning of section 833(c)(2) of the Internal Revenue
        Code of 1986), a health maintenance organization, or other
        entity licensed or certified by a State to provide health
        insurance or health benefits.
            (2) Health benefit plan.--The term ``health benefit plan''
        means--
                    (A) any contract of health insurance, including any
                hospital or medical service policy or certificate,
                hospital or medical service plan contract, or health
                maintenance organization group contract, that is
                provided by a carrier; and
                    (B) an employee welfare benefit plan or other
                arrangement insofar as the plan or arrangement provides
                health benefits and is funded in a manner other than
                through the purchase of one or more policies or
                contracts described in subparagraph (A).
            (3) Health benefit plan sponsor.--The term ``health benefit
        plan sponsor'' means a person who, with respect to a specific
        item of protected health information, receives, creates, uses,
        maintains, or discloses the information while acting in whole
        or in part in the capacity of--
                    (A) a carrier or other person providing a health
                benefit plan, including any public entity that provides
                payments for health care items and services under a
                health benefit plan that are equivalent to payments
                provided by a private person under such a plan; or
                    (B) an officer or employee of a person described in
                subparagraph (A).
            (4) Health care provider.--The term ``health care
        provider'' means a person who, with respect to a specific item
        of protected health information, receives, creates, uses,
        maintains, or discloses the information while acting in whole
        or in part in the capacity of--
                    (A) a person who is licensed, certified,
                registered, or otherwise authorized by law to provide
                an item or service that constitutes health care in the
                ordinary course of business or practice of a
                profession;
                    (B) a Federal or State program that directly
                provides items or services that constitute health care
                to beneficiaries; or
                    (C) an officer or employee of a person described in
                subparagraph (A) or (B).
            (5) Health information trustee.--The term ``health
        information trustee'' means--
                    (A) a health care provider;
                    (B) a health oversight agency;
                    (C) a health benefit plan sponsor;
                    (D) a public health authority;
                    (E) a health researcher; or
                    (F) a person who, with respect to a specific item
                of protected health information, is not described in
                subparagraphs (A) through (E) but receives the
                information--
                            (i) pursuant to--
                                    (I) section 117 (relating to
                                emergency circumstances);
                                    (II) section 118 (relating to
                                judicial and administrative purposes);
                                    (III) section 119 (relating to law
                                enforcement); or
                                    (IV) section 120 (relating to
                                subpoenas, warrants, and search
                                warrants); or
                            (ii) while acting in whole or in part in
                        the capacity of an officer or employee of a
                        person described in clause (i).
            (6) Health oversight agency.--The term ``health oversight
        agency'' means a person who, with respect to a specific item of
        protected health information, receives, creates, uses,
        maintains, or discloses the information while acting in whole
        or in part in the capacity of--
                    (A) a person who performs or oversees the
                performance of an assessment, evaluation,
                determination, or investigation relating to the
                licensing, accreditation, or certification of health
                care providers;
                    (B) a person who--
                            (i) performs or oversees the performance of
                        an audit, assessment, evaluation,
                        determination, or investigation relating to the
                        effectiveness of, compliance with, or
                        applicability of, legal, fiscal, medical, or
                        scientific standards or aspects of performance
                        related to the delivery of, or payment for,
                        health care; and
                            (ii) is a public agency, acting on behalf
                        of a public agency, acting pursuant to a
                        requirement of a public agency, or carrying out
                        activities under a State or Federal statute
                        regulating the assessment, evaluation,
                        determination, or investigation; or
                    (C) an officer or employee of a person described in
                subparagraph (A) or (B).
            (7) Health researcher.--The term ``health researcher''
        means a person who, with respect to a specific item of
        protected health information, receives the information--
                    (A) pursuant to section 116 (relating to health
                research); or
                    (B) while acting in whole or in part in the
                capacity of an officer or employee of a person
                described in subparagraph (A).
            (8) Public health authority.--The term ``public health
        authority'' means a person who, with respect to a specific item
        of protected health information, receives, creates, uses,
        maintains, or discloses the information while acting in whole
        or in part in the capacity of--
                    (A) an authority of the United States, a State, or
                a political subdivision of a State that is responsible
                for public health matters;
                    (B) a person acting under the direction of such an
                authority; or
                    (C) an officer or employee of a person described in
                subparagraph (A) or (B).
    (c) Other Definitions.--For purposes of this Act:
            (1) Affiliated person.--The term ``affiliated person''
        means a person who--
                    (A) is not a health information trustee;
                    (B) is a contractor, subcontractor, associate, or
                subsidiary of a person who is a health information
                trustee; and
                    (C) pursuant to an agreement or other relationship
                with such trustee, receives, creates, uses, maintains,
                or discloses protected health information.
            (2) Approved health research project.--The term ``approved
        health research project'' means a biomedical, epidemiological,
        or health services research or statistics project, or a
        research project on behavioral and social factors affecting
        health, that has been approved by a certified institutional
        review board.
            (3) Certified institutional review board.--The term
        ``certified institutional review board'' means a board--
                    (A) established by an entity to review research
                involving protected health information and the rights
                of protected individuals conducted at or supported by
                the entity;
                    (B) established in accordance with regulations of
                the Secretary under section 116(d)(1); and
                    (C) certified by the Secretary under section
                116(d)(2).
            (4) Health care.--The term ``health care''--
                    (A) means--
                            (i) any preventive, diagnostic,
                        therapeutic, rehabilitative, maintenance, or
                        palliative care, counseling, service, or
                        procedure--
                                    (I) with respect to the physical or
                                mental condition, or functional status,
                                of an individual; or
                                    (II) affecting the structure or
                                function of the human body or any part
                                of the human body, including banking of
                                blood, sperm, organs, or any other
                                tissue; or
                            (ii) any sale or dispensing of a drug,
                        device, equipment, or other item to an
                        individual, or for the use of an individual,
                        pursuant to a prescription; but
                    (B) does not include any item or service that is
                not furnished for the purpose of maintaining or
                improving the health of an individual.
            (5) Law enforcement inquiry.--The term ``law enforcement
        inquiry'' means a lawful investigation or official proceeding
        inquiring into a violation of, or failure to comply with, any
        criminal or civil statute or any regulation, rule, or order
        issued pursuant to such a statute.
            (6) Person.--The term ``person'' includes an authority of
        the United States, a State, or a political subdivision of a
        State.
            (7) Secretary.--The term ``Secretary'' means the Secretary
        of Health and Human Services.
            (8) State.--The term ``State'' includes the District of
        Columbia, Puerto Rico, the Virgin Islands, Guam, American
        Samoa, and the Northern Mariana Islands.

               TITLE I--FAIR HEALTH INFORMATION PRACTICES

           Subtitle A--Duties of Health Information Trustees

SEC. 101. INSPECTION OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Except as provided in subsection (b), a health
information trustee described in subsection (g)--
            (1) shall permit a protected individual to inspect any
        protected health information about the individual that the
        trustee maintains, any record with respect to such information
        required under section 104, and any copy of an authorization
        required under section 112 that pertains to such information;
            (2) shall provide the protected individual with a copy of
        the information, upon request by the individual and subject to
        any conditions imposed by the trustee under subsection (d), in
        any form or format requested by the individual, if the
        information is readily reproducible by the trustee in such form
        or format;
            (3) shall permit a person who has been designated in
        writing by the protected individual to inspect the information
        on behalf of the individual or to accompany the individual
        during the inspection; and
            (4) may offer to explain or interpret information that is
        inspected or copied under this subsection.
    (b) Exceptions.--A health information trustee is not required by
this section to permit inspection or copying of protected health
information by a protected individual if any of the following
conditions apply:
            (1) Information about others.--The information relates to
        an individual, other than the protected individual or a health
        care provider, and the trustee determines in the exercise of
        reasonable professional judgment that inspection or copying of
        the information would cause sufficient harm to one or both of
        the individuals so as to outweigh the desirability of
        permitting access.
            (2) Endangerment to life or safety.--Inspection or copying
        of the information could reasonably be expected to endanger the
        life or physical safety of an individual.
            (3) Confidential source.--The information identifies or
        could reasonably lead to the identification of an individual
        (other than a health care provider) who provided information
        under a promise of confidentiality to a health care provider
        concerning a protected individual who is a subject of the
        information.
            (4) Administrative purposes.--The information--
                    (A) is used by the trustee solely for
                administrative purposes and not in the provision of
                health care to a protected individual who is a subject
                of the information; and
                    (B) is not disclosed by the trustee to any person.
            (5) Duplicative information.--The information duplicates
        information available for inspection under subsection (a).
            (6) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in anticipation of a civil, criminal, or
                administrative action or proceeding; or
                    (B) for use in such an action or proceeding.
    (c) Inspection and Copying of Segregable Portion.--A health
information trustee shall permit inspection and copying under
subsection (a) of any reasonably segregable portion of a record after
deletion of any portion that is exempt under subsection (b).
    (d) Conditions.--A health information trustee may--
            (1) require a written request for the inspection and
        copying of protected health information under this section; and
            (2) charge a reasonable cost-based fee for--
                    (A) permitting inspection of information under this
                section; and
                    (B) providing a copy of protected health
                information under this section.
    (e) Statement of Reasons for Denial.--If a health information
trustee denies in whole or in part a request for inspection or copying
under this section, the trustee shall provide the protected individual
who made the request with a written statement of the reasons for the
denial.
    (f) Deadline.--A health information trustee shall comply with or
deny a request for inspection or copying of protected health
information under this section within the 30-day period beginning on
the date the trustee receives the request.
    (g) Applicability.--This section applies to a health information
trustee who is--
            (1) a health benefit plan sponsor;
            (2) a health care provider;
            (3) a health oversight agency; or
            (4) a public health authority.

SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--A health information trustee described in
subsection (f) shall, within the 45-day period beginning on the date
the trustee receives from a protected individual about whom the trustee
maintains protected health information a written request that the
trustee correct or amend the information, complete the duties described
in one of the following paragraphs:
            (1) Correction or amendment and notification.--The trustee
        shall--
                    (A) make the correction or amendment requested;
                    (B) inform the protected individual of the
                amendment or correction that has been made;
                    (C) make reasonable efforts to inform any person
                who is identified by the protected individual, who is
                not an employee of the trustee, and to whom the
                uncorrected or unamended portion of the information was
                previously disclosed of the correction or amendment
                that has been made; and
                    (D) at the request of the individual, make
                reasonable efforts to inform any known source of the
                uncorrected or unamended portion of the information
                about the correction or amendment that has been made.
            (2) Reasons for refusal and review procedures.--The trustee
        shall inform the protected individual of--
                    (A) the reasons for the refusal of the trustee to
                make the correction or amendment;
                    (B) any procedures for further review of the
                refusal; and
                    (C) the individual's right to file with the trustee
                a concise statement setting forth the requested
                correction or amendment and the individual's reasons
                for disagreeing with the refusal of
the trustee.\n    (b) Standards for Correction or Amendment.--A trustee shall correct \nor amend protected health information in accordance with a request made \nunder subsection (a) if the trustee determines that the information is \nnot accurate, relevant, timely, or complete for the purposes for which \nthe information may be used or disclosed by the trustee.\n    (c) Statement of Disagreement.--After a protected individual has \nfiled a statement of disagreement under subsection (a)(2)(C), the \ntrustee, in any subsequent disclosure of the disputed portion of the \ninformation, shall include a copy of the individual's statement and may \ninclude a concise statement of the trustee's reasons for not making the \nrequested correction or amendment.\n    (d) Construction.--This section may not be construed to require a \nhealth information trustee to conduct a hearing or proceeding \nconcerning a request for a correction or amendment to protected health \ninformation the trustee maintains.\n    (e) Correction.--For purposes of subsection (a), a correction is \ndeemed to have been made to protected health information when--\n            (1) information that is not timely, accurate, relevant, or \n        complete is clearly marked as incorrect; or\n            (2) supplementary correct information is made part of the \n        information and adequately cross-referenced.\n    (f) Applicability.--This section applies to a health information \ntrustee who is--\n            (1) a health benefit plan sponsor;\n            (2) a health care provider;\n            (3) a health oversight agency; or\n            (4) a public health authority.\n\nSEC. 103. 
NOTICE OF INFORMATION PRACTICES.\n\n    (a) Preparation of Notice.--A health information trustee described \nin subsection (d) shall prepare a written notice of information \npractices describing the following:\n            (1) The rights under this Act of a protected individual who \n        is the subject of protected health information, including the \n        right to inspect and copy such information and the right to \n        seek amendments to such information, and the procedures for \n        authorizing disclosures of protected health information and for \n        revoking such authorizations.\n            (2) The procedures established by the trustee for the \n        exercise of such rights.\n            (3) The uses and disclosures of protected health \n        information that are authorized under this Act.\n    (b) Dissemination of Notice.--A health information trustee--\n            (1) shall, upon request, provide any person with a copy of \n        the trustee's notice of information practices (described in \n        subsection (a)); and\n            (2) shall make reasonable efforts to inform persons in a \n        clear and conspicuous manner of the existence and availability \n        of such notice.\n    (c) Model Notices.--Not later than July 1, 1999, the Secretary, \nafter notice and opportunity for public comment, shall develop and \ndisseminate model notices of information practices for use by health \ninformation trustees under this section.\n    (d) Applicability.--This section applies to a health information \ntrustee who is--\n            (1) a health benefit plan sponsor;\n            (2) a health care provider; or\n            (3) a health oversight agency.\n\nSEC. 104. 
DISCLOSURE HISTORY.\n\n    (a) In General.--Except as provided in subsection (b) and section \n114, each health information trustee shall create and maintain, with \nrespect to any protected health information the trustee discloses, a \nrecord of--\n            (1) the date and purpose of the disclosure;\n            (2) the name of the person to whom the disclosure was made;\n            (3) the address of the person to whom the disclosure was \n        made or the location to which the disclosure was made; and\n            (4) where practicable, a description of the information \n        disclosed.\n    (b) Regulations.--Not later than July 1, 1999, the Secretary shall \npromulgate regulations that exempt a health information trustee from \nmaintaining a record under subsection (a) with respect to protected health \ninformation disclosed by the trustee for purposes of peer review, \nlicensing, certification, accreditation, and similar activities.\n\nSEC. 105. SECURITY.\n\n    (a) In General.--Each health information trustee who receives or \ncreates protected health information that is subject to this Act shall \nmaintain reasonable and appropriate administrative, technical, and \nphysical safeguards--\n            (1) to ensure the integrity and confidentiality of the \n        information;\n            (2) to protect against any reasonably anticipated--\n                    (A) threats or hazards to the security or integrity \n                of the information; and\n                    (B) unauthorized uses or disclosures of the \n                information; and\n            (3) otherwise ensure compliance with this Act by the \n        trustee and the officers and employees of the trustee.\n    (b) Guidelines.--Not later than July 1, 1999, the Secretary, after \nnotice and opportunity for public comment, shall develop and \ndisseminate guidelines for the implementation of this section. 
The \nguidelines shall take into account--\n            (1) the technical capabilities of record systems used to \n        maintain protected health information;\n            (2) the costs of security measures;\n            (3) the need for training persons who have access to \n        protected health information; and\n            (4) the value of audit trails in computerized record \n        systems.\n\n     Subtitle B--Use and Disclosure of Protected Health Information\n\nSEC. 111. GENERAL LIMITATIONS ON USE AND DISCLOSURE.\n\n    (a) Use.--Except as otherwise provided under this Act, a health \ninformation trustee may use protected health information only for a \npurpose--\n            (1) that is compatible with and directly related to the \n        purpose for which the information--\n                    (A) was collected; or\n                    (B) was received by the trustee; or\n            (2) for which the trustee is authorized to disclose the \n        information under this Act.\n    (b) Disclosure.--A health information trustee may disclose \nprotected health information only as authorized under this Act.\n    (c) Scope of Uses and Disclosures.--\n            (1) In general.--A use or disclosure of protected health \n        information by a health information trustee shall be limited, \n        when practicable, to the minimum amount of information \n        necessary to accomplish the purpose for which the information \n        is used or disclosed.\n            (2) Guidelines.--Not later than July 1, 1999, the \n        Secretary, after notice and opportunity for public comment, \n        shall issue guidelines to implement paragraph (1), which shall \n        take into account the technical capabilities of the record \n        systems used to maintain protected health information and the \n        costs of limiting use and disclosure.\n    (d) Identification of Disclosed Information as Protected \nInformation.--Except with respect to protected 
health information that \nis disclosed under section 114 (relating to next of kin and directory \ninformation), a health information trustee may disclose protected \nhealth information only if the recipient has been notified that the \ninformation is protected health information that is subject to this \nAct.\n    (e) Agreement to Limit Use or Disclosure.--A health information \ntrustee who receives protected health information from any person \npursuant to a written agreement to restrict use or disclosure of the \ninformation to a greater extent than otherwise would be required under \nthis Act shall comply with the terms of the agreement, except where use \nor disclosure of the information in violation of the agreement is \nrequired by law. A trustee who fails to comply with the preceding \nsentence shall be subject to section 151 (relating to civil actions) \nwith respect to such failure.\n    (f) No General Requirement to Disclose.--Nothing in this Act shall \nbe construed to require a health information trustee to disclose \nprotected health information not otherwise required to be disclosed by \nlaw.\n\nSEC. 112. 
AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH \n                    INFORMATION.\n\n    (a) Written Authorizations.--A health information trustee may \ndisclose protected health information pursuant to an authorization \nexecuted by the protected individual who is the subject of the \ninformation, if each of the following requirements is satisfied:\n            (1) Writing.--The authorization is in writing, signed by \n        the individual, and dated on the date of such signature.\n            (2) Separate form.--The authorization is not on a form used \n        to authorize or facilitate the provision of, or payment for, \n        health care.\n            (3) Trustee described.--The trustee is specifically named \n        or generically described in the authorization as authorized to \n        disclose such information.\n            (4) Recipient described.--The person to whom the \n        information is to be disclosed is specifically named or \n        generically described in the authorization as a person to whom \n        such information may be disclosed.\n            (5) Statement of intended uses and disclosures received.--\n        The authorization contains an acknowledgment that the \n        individual has received a statement described in subsection (b) \n        from such person.\n            (6) Information described.--The information to be disclosed \n        is described in the authorization.\n            (7) Authorization timely received.--The authorization is \n        received by the trustee during a period described in subsection \n        (c)(1).\n            (8) Disclosure timely made.--The disclosure occurs during a \n        period described in subsection (c)(2).\n    (b) Statement of Intended Uses and Disclosures.--\n            (1) In general.--A person who wishes to receive from a \n        health information trustee protected health information about a \n        protected individual pursuant to an authorization executed by \n    
    the individual shall supply the individual, in writing and on a \n        form that is distinct from the authorization, with a statement \n        of the uses for which the person intends the information and \n        the disclosures the person intends to make of the information. \n        Such statement shall be supplied before the authorization is \n        executed.\n            (2) Enforcement.--If the person uses or discloses the \n        information in a manner that is inconsistent with such \n        statement, the person shall be subject to section 151 (relating \n        to civil actions) with respect to such failure, except where \n        such use or disclosure is required by law.\n            (3) Model statements.--Not later than July 1, 1999, the \n        Secretary, after notice and opportunity for public comment, \n        shall develop and disseminate model statements of intended uses \n        and disclosures of the type described in paragraph (1).\n    (c) Time Limitations on Authorizations.--\n            (1) Receipt by trustee.--For purposes of subsection (a)(7), \n        an authorization is timely received if it is received by the \n        trustee during--\n                    (A) the 1-year period beginning on the date that \n                the authorization is signed under subsection (a)(1), if \n                the authorization permits the disclosure of protected \n                health information to--\n                            (i) a health benefit plan sponsor;\n                            (ii) a health care provider;\n                            (iii) a health oversight agency;\n                            (iv) a public health authority;\n                            (v) a health researcher; or\n                            (vi) a person who provides counseling or \n                        social services to individuals; or\n                    (B) the 30-day period beginning on the date that \n                the authorization 
is signed under subsection (a)(1), if \n                the authorization permits the disclosure of protected \n                health information to a person other than a person \n                described in subparagraph (A).\n            (2) Disclosure by trustee.--For purposes of subsection \n        (a)(8), a disclosure is timely made if it occurs before--\n                    (A) the date or event (if any) specified in the \n                authorization upon which the authorization expires; and\n                    (B) the expiration of the 6-month period beginning \n                on the date the trustee receives the authorization.\n    (d) Revocation or Amendment of Authorization.--\n            (1) In general.--A protected individual in writing may \n        revoke or amend an authorization described in subsection (a), \n        in whole or in part, at any time, except insofar as--\n                    (A) disclosure of protected health information has \n                been authorized to permit validation of expenditures \n                based on health condition by a government authority; or\n                    (B) action has been taken in reliance on the \n                authorization.\n            (2) Notice of revocation.--A health information trustee who \n        discloses protected health information in reliance on an \n        authorization that has been revoked shall not be subject to any \n        liability or penalty under this Act if--\n                    (A) the reliance was in good faith;\n                    (B) the trustee had no notice of the revocation; \n                and\n                    (C) the disclosure was otherwise in accordance with \n                the requirements of this section.\n    (e) Additional Requirements of Trustee.--A health information \ntrustee may impose requirements for an authorization that are in \naddition to the requirements in this section.\n    (f) Copy.--A health information trustee who 
discloses protected \nhealth information pursuant to an authorization under this section \nshall maintain a copy of the authorization.\n    (g) Construction.--This section may not be construed--\n            (1) to require a health information trustee to disclose \n        protected health information; or\n            (2) to limit the right of a health information trustee to \n        charge a fee for the disclosure or reproduction of protected \n        health information.\n    (h) Subpoenas, Warrants, and Search Warrants.--If a health \ninformation trustee discloses protected health information pursuant to \nan authorization in order to comply with an administrative subpoena or \nwarrant or a judicial subpoena or search warrant, the authorization--\n            (1) shall specifically authorize the disclosure for the \n        purpose of permitting the trustee to comply with the subpoena, \n        warrant, or search warrant; and\n            (2) shall otherwise meet the requirements in this section.\n\nSEC. 113. 
TREATMENT, PAYMENT, AND OVERSIGHT.\n\n    (a) Disclosures by Plans, Providers, and Oversight Agencies.--A \nhealth information trustee described in subsection (d) may disclose \nprotected health information to a health benefit plan sponsor, health \ncare provider, or health oversight agency if the disclosure is--\n            (1) for the purpose of providing health care and a \n        protected individual who is a subject of the information has \n        not previously objected to the disclosure in writing;\n            (2) for the purpose of providing for the payment for health \n        care furnished to an individual; or\n            (3) for use by a health oversight agency for a purpose that \n        is described in subparagraph (A) or (B)(i) of section 3(b)(6).\n    (b) Disclosures by Certain Other Trustees.--A health information \ntrustee may disclose protected health information to a health care \nprovider if--\n            (1) the disclosure is for the purpose described in \n        subsection (a)(1); and\n            (2) the trustee--\n                    (A) is a public health authority;\n                    (B) received protected health information pursuant \n                to section 117 (relating to emergency circumstances); \n                or\n                    (C) is an officer or employee of a trustee \n                described in subparagraph (B).\n    (c) Use in Action Against Individual.--A person who receives \nprotected health information about a protected individual through a \ndisclosure under this section may not use or disclose the information \nin any administrative, civil, or criminal action or investigation \ndirected against the individual, except an action or investigation \narising out of and related to receipt of health care or payment for \nhealth care.\n    (d) Applicability.--A health information trustee referred to in \nsubsection (a) is any of the following:\n            (1) A health benefit plan sponsor.\n            
(2) A health care provider.\n            (3) A health oversight agency.\n\nSEC. 114. NEXT OF KIN AND DIRECTORY INFORMATION.\n\n    (a) Next of Kin.--A health information trustee who is a health care \nprovider, who received protected health information pursuant to section \n117 (relating to emergency circumstances), or who is an officer or \nemployee of such a recipient may orally disclose protected health \ninformation about a protected individual to the next of kin of the \nindividual (as defined under State law), or to a person with whom the \nindividual has a close personal relationship, if--\n            (1) the trustee has no reason to believe that the \n        individual would consider the information especially sensitive;\n            (2) the individual has not previously objected to the \n        disclosure;\n            (3) the disclosure is consistent with good medical or other \n        professional practice; and\n            (4) the information disclosed is limited to information \n        about health care that is being provided to the individual at \n        or about the time of the disclosure.\n    (b) Directory Information.--\n            (1) In general.--A health information trustee who is a \n        health care provider, who received protected health information \n        pursuant to section 117 (relating to emergency circumstances), \n        or who is an officer or employee of such a recipient may \n        disclose to any person the information described in paragraph \n        (2) if--\n                    (A) a protected individual who is a subject of the \n                information has not objected in writing to the \n                disclosure;\n                    (B) the disclosure is otherwise consistent with \n                good medical and other professional practice; and\n                    (C) the information does not reveal specific \n                information about the physical or mental condition or \n                
functional status of a protected individual or about \n                the health care provided to a protected individual.\n            (2) Information described.--The information referred to in \n        paragraph (1) is the following:\n                    (A) The name of an individual receiving health care \n                from a health care provider on a premises controlled by \n                the provider.\n                    (B) The location of the individual on such \n                premises.\n                    (C) The general health status of the individual, \n                described in terms of critical, poor, fair, stable, \n                satisfactory, or terms denoting similar conditions.\n    (c) No Disclosure Record Required.--A health information trustee \nwho discloses protected health information under this section is not \nrequired to create and maintain a record of the disclosure under \nsection 104.\n    (d) Recipients.--A person to whom protected health information is \ndisclosed under this section shall not, by reason of such disclosure, \nbe subject to any requirement under this Act.\n\nSEC. 115. 
PUBLIC HEALTH.\n\n    (a) In General.--A health information trustee who is a health care \nprovider or a public health authority may disclose protected health \ninformation to--\n            (1) a public health authority for use in legally \n        authorized--\n                    (A) disease or injury reporting;\n                    (B) public health surveillance; or\n                    (C) public health investigation or intervention; or\n            (2) an individual who is authorized by law to receive the \n        information in a public health intervention.\n    (b) Use in Action Against Individual.--A public health authority \nwho receives protected health information about a protected individual \nthrough a disclosure under this section may not use or disclose the \ninformation in any administrative, civil, or criminal action or \ninvestigation directed against the individual, except where the use or \ndisclosure is authorized by law for protection of the public health.\n    (c) Individual Recipients.--An individual to whom protected health \ninformation is disclosed under subsection (a)(2) shall not, by reason \nof such disclosure, be subject to any requirement under this Act.\n\nSEC. 116. 
HEALTH RESEARCH.\n\n    (a) In General.--A health information trustee described in \nsubsection (c) may disclose protected health information to a person \nif--\n            (1) the person is conducting an approved health research \n        project;\n            (2) the information is to be used in the project; and\n            (3) the project has been determined by a certified \n        institutional review board to be--\n                    (A) of sufficient importance so as to outweigh the \n                intrusion into the privacy of the protected individual \n                who is the subject of the information that would result \n                from the disclosure; and\n                    (B) impracticable to conduct without the \n                information.\n    (b) Limitations on Use and Disclosure; Obligations of Recipient.--A \nhealth researcher who receives protected health information about a \nprotected individual pursuant to subsection (a)--\n            (1) may use the information solely for purposes of an \n        approved health research project;\n            (2) may not use or disclose the information in any \n        administrative, civil, or criminal action or investigation \n        directed against the individual; and\n            (3) shall remove or destroy, at the earliest opportunity \n        consistent with the purposes of the approved health research \n        project in connection with which the disclosure was made, \n        information that would enable an individual to be identified, \n        unless a certified institutional review board has determined \n        that there is a health or research justification for retention \n        of such identifiers and there is an adequate plan to protect \n        the identifiers from use and disclosure that is inconsistent \n        with this Act.\n    (c) Applicability.--A health information trustee referred to in \nsubsection (a) is any health information trustee other than a person 
\nwho, with respect to the specific protected health information to be \ndisclosed under such subsection, received the information--\n            (1) pursuant to--\n                    (A) section 118 (relating to judicial and \n                administrative purposes);\n                    (B) paragraph (1), (2), (3), or (4) of section \n                119(a) (relating to law enforcement); or\n                    (C) section 120 (relating to subpoenas, warrants, \n                and search warrants); or\n            (2) while acting in whole or in part in the capacity of an \n        officer or employee of a person described in paragraph (1).\n    (d) Requirements for Institutional Review Boards.--\n            (1) Regulations.--Not later than July 1, 1999, the \n        Secretary, after opportunity for notice and comment, shall \n        promulgate regulations establishing requirements for certified \n        institutional review boards under this Act. The regulations \n        shall be based on regulations promulgated under section 491(a) \n        of the Public Health Service Act and shall ensure that \n        certified institutional review boards are qualified to assess \n        and protect the confidentiality of research subjects.\n            (2) Certification.--The Secretary shall certify that an \n        institutional review board satisfies the requirements of the \n        regulations promulgated under paragraph (1).\n\nSEC. 117. 
EMERGENCY CIRCUMSTANCES.\n\n    (a) In General.--A health information trustee may disclose \nprotected health information if the trustee believes, on reasonable \ngrounds, that the disclosure is necessary to prevent or lessen a \nserious and imminent threat to the health or safety of an individual.\n    (b) Use in Action Against Individual.--A person who receives \nprotected health information about a protected individual through a \ndisclosure under this section may not use or disclose the information \nin any administrative, civil, or criminal action or investigation \ndirected against the individual, except an action or investigation \narising out of and related to receipt of health care or payment for \nhealth care.\n\nSEC. 118. JUDICIAL AND ADMINISTRATIVE PURPOSES.\n\n    (a) In General.--A health information trustee described in \nsubsection (d) may disclose protected health information--\n            (1) pursuant to the Federal Rules of Civil Procedure, the \n        Federal Rules of Criminal Procedure, or comparable rules of \n        other courts or administrative agencies in connection with \n        litigation or proceedings to which a protected individual who \n        is a subject of the information is a party and in which the \n        individual has placed the individual's physical or mental \n        condition or functional status in issue;\n            (2) if directed by a court in connection with a court-\n        ordered examination of an individual; or\n            (3) to assist in the identification of a dead individual.\n    (b) Written Statement.--A person seeking protected health \ninformation about a protected individual held by a health information \ntrustee under--\n            (1) subsection (a)(1)--\n                    (A) shall notify the protected individual or the \n                attorney of the protected individual of the request for \n                the information;\n                    (B) shall provide the trustee with a signed 
\n                document attesting--\n                            (i) that the protected individual is a \n                        party to the litigation or proceedings for \n                        which the information is sought;\n                            (ii) that the individual has placed the \n                        individual's physical or mental condition or \n                        functional status in issue; and\n                            (iii) the date on which the protected \n                        individual or the attorney of the protected \n                        individual was notified under subparagraph (A); \n                        and\n                    (C) shall not accept any requested protected health \n                information from the trustee until the termination of \n                the 10-day period beginning on the date notice was \n                given under subparagraph (A); or\n            (2) subsection (a)(3) shall provide the trustee with a \n        written statement that the information is sought to assist in \n        the identification of a dead individual.\n    (c) Use and Disclosure.--A person to whom protected health \ninformation is disclosed under this section may use and disclose the \ninformation only to accomplish the purpose for which the disclosure was \nmade.\n    (d) Applicability.--A health information trustee referred to in \nsubsection (a) is any of the following:\n            (1) A health benefit plan sponsor.\n            (2) A health care provider.\n            (3) A health oversight agency.\n            (4) A person who, with respect to the specific protected \n        health information to be disclosed under such subsection, \n        received the information--\n                    (A) pursuant to--\n                            (i) section 117 (relating to emergency \n                        circumstances); or\n                            (ii) section 120 (relating to subpoenas, \n          
              warrants, and search warrants); or\n                    (B) while acting in whole or in part in the \n                capacity of an officer or employee of a person \n                described in subparagraph (A).\n\nSEC. 119. LAW ENFORCEMENT.\n\n    (a) In General.--A health information trustee may disclose \nprotected health information to a law enforcement agency, other than a \nhealth oversight agency--\n            (1) if the information is disclosed for use in an \n        investigation or prosecution of a health information trustee;\n            (2) in connection with criminal activity committed against \n        the trustee or an affiliated person of the trustee or on \n        premises controlled by the trustee; or\n            (3) if the information is needed to determine whether a \n        crime has been committed and the nature of any crime that may \n        have been committed (other than a crime that may have been \n        committed by the protected individual who is the subject of the \n        information).\n    (b) Additional Authority of Certain Trustees.--A health information \ntrustee who is not a public health authority or a health researcher may \ndisclose protected health information to a law enforcement agency \n(other than a health oversight agency)--\n            (1) to assist in the identification or location of a \n        victim, fugitive, or witness in a law enforcement inquiry;\n            (2) pursuant to a law requiring the reporting of specific \n        health care information to law enforcement authorities; or\n            (3) if the information is specific health information \n        described in paragraph (2) and the trustee is operated by a \n        Federal agency;\n    (c) Certification.--Where a law enforcement agency requests a \nhealth information trustee to disclose protected health information \nunder subsection (a) or (b)(1), the agency shall provide the trustee \nwith a written certification that--\n 
           (1) is signed by a supervisory official of a rank \n        designated by the head of the agency;\n            (2) specifies the information requested; and\n            (3) states that the information is needed for a lawful \n        purpose under this section.\n    (d) Restrictions on Disclosure and Use.--A person who receives \nprotected health information about a protected individual through a \ndisclosure under this section may not use or disclose the information--\n            (1) in any administrative, civil, or criminal action or \n        investigation directed against the individual, except an action \n        or investigation arising out of and directly related to the \n        action or investigation for which the information was obtained; \n        and\n            (2) otherwise unless the use or disclosure is necessary to \n        fulfill the purpose for which the information was obtained and \n        is not prohibited by any other provision of law.\n\nSEC. 120. 
SUBPOENAS, WARRANTS, AND SEARCH WARRANTS.\n\n    (a) In General.--A health information trustee described in \nsubsection (g) may disclose protected health information if the \ndisclosure is pursuant to any of the following:\n            (1) A subpoena issued under the authority of a grand jury \n        and the trustee is provided a written certification by the \n        grand jury that the grand jury has complied with the applicable \n        access provisions of section 131.\n            (2) An administrative subpoena or warrant or a judicial \n        subpoena or search warrant and the trustee is provided a \n        written certification by the person seeking the information \n        that the person has complied with the applicable access \n        provisions of section 131 or 133(a).\n            (3) An administrative subpoena or warrant or a judicial \n        subpoena or search warrant and the disclosure otherwise meets \n        the conditions of one of sections 113 through 119.\n    (b) Authority of All Trustees.--Any health information trustee may \ndisclose protected health information if the disclosure is pursuant to \nsubsection (a)(3).\n    (c) Restrictions on Use and Disclosure.--Protected health \ninformation about a protected individual that is disclosed by a health \ninformation trustee pursuant to--\n            (1) subsection (a)(2) may not be otherwise used or \n        disclosed by the recipient unless the use or disclosure is \n        necessary to fulfill the purpose for which the information was \n        obtained; and\n            (2) subsection (a)(3) may not be used or disclosed by the \n        recipient unless the recipient complies with the conditions and \n        restrictions on use and disclosure with which the recipient \n        would have been required to comply if the disclosure by the \n        trustee had been made under the section referred to in \n        subsection (a)(3) the conditions of which were met by the \n        
disclosure.\n    (d) Restrictions on Grand Juries.--Protected health information \nthat is disclosed by a health information trustee under subsection \n(a)(1)--\n            (1) shall be returnable on a date when the grand jury is in \n        session and actually presented to the grand jury;\n            (2) shall be used only for the purpose of considering \n        whether to issue an indictment or report by that grand jury, or \n        for the purpose of prosecuting a crime for which that \n        indictment or report is issued, or for a purpose authorized by \n        rule 6(e) of the Federal Rules of Criminal Procedure or a \n        comparable State rule;\n            (3) shall be destroyed or returned to the trustee if not \n        used for one of the purposes specified in paragraph (2); and\n            (4) shall not be maintained, or a description of the \n        contents of such information shall not be maintained, by any \n        government authority other than in the sealed records of the \n        grand jury, unless such information has been used in the \n        prosecution of a crime for which the grand jury issued an \n        indictment or presentment or for a purpose authorized by rule \n        6(e) of the Federal Rules of Criminal Procedure or a comparable \n        State rule.\n    (e) Use in Action Against Individual.--A person who receives \nprotected health information about a protected individual through a \ndisclosure under this section may not use or disclose the information \nin any administrative, civil, or criminal action or investigation \ndirected against the individual, except an action or investigation \narising out of and directly related to the inquiry for which the \ninformation was obtained;\n    (f) Construction.--Nothing in this section shall be construed as \nauthority for a health information trustee to refuse to comply with a \nvalid administrative subpoena or warrant or a valid judicial subpoena \nor search warrant 
that meets the requirements of this Act.\n    (g) Applicability.--A health information trustee referred to in \nsubsection (a) is any trustee other than the following:\n            (1) A public health authority.\n            (2) A health researcher.\n\n           Subtitle C--Access Procedures and Challenge Rights\n\nSEC. 131. ACCESS PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS, WARRANTS, \n                    AND SEARCH WARRANTS.\n\n    (a) Probable Cause Requirement.--A government authority may not \nobtain protected health information about a protected individual from a \nhealth information trustee under paragraph (1) or (2) of section 120(a) \nfor use in a law enforcement inquiry unless there is probable cause to \nbelieve that the information is relevant to a legitimate law \nenforcement inquiry being conducted by the government authority.\n    (b) Warrants and Search Warrants.--A government authority that \nobtains protected health information about a protected individual from \na health information trustee under circumstances described in \nsubsection (a) and pursuant to a warrant or search warrant shall, not \nlater than 30 days after the date the warrant was served on the \ntrustee, serve the individual with, or mail to the last known address \nof the individual, a copy of the warrant.\n    (c) Subpoenas.--Except as provided in subsection (d), a government \nauthority may not obtain protected health information about a protected \nindividual from a health information trustee under circumstances \ndescribed in subsection (a) and pursuant to a subpoena unless a copy of \nthe subpoena has been served by hand delivery upon the individual, or \nmailed to the last known address of the individual, on or before the \ndate on which the subpoena was served on the trustee, together with a \nnotice (published by the Secretary under section 135(1)) of the \nindividual's right to challenge the subpoena in accordance with section \n132, and--\n            (1) 30 days have 
passed from the date of service, or 30 \n        days have passed from the date of mailing, and within such time \n        period the individual has not initiated a challenge in \n        accordance with section 132; or\n            (2) disclosure is ordered by a court under section 132.\n    (d) Application for Delay.--\n            (1) In general.--A government authority may apply to an \n        appropriate court to delay (for an initial period of not longer \n        than 90 days) serving a copy of a subpoena and a notice \n        otherwise required under subsection (c) with respect to a law \n        enforcement inquiry. The government authority may apply to the \n        court for extensions of the delay.\n            (2) Reasons for delay.--An application for a delay, or \n        extension of a delay, under this subsection shall state, with \n        reasonable specificity, the reasons why the delay or extension \n        is being sought.\n            (3) Ex parte order.--The court shall enter an ex parte \n        order delaying, or extending the delay of, the notice and an \n        order prohibiting the trustee from revealing the request for, \n        or the disclosure of, the protected health information being \n        sought if the court finds that--\n                    (A) the inquiry being conducted is within the \n                lawful jurisdiction of the government authority seeking \n                the protected health information;\n                    (B) there is probable cause to believe that the \n                protected health information being sought is relevant \n                to a legitimate law enforcement inquiry being conducted \n                by the government authority;\n                    (C) the government authority's need for the \n                information outweighs the privacy interest of the \n                protected individual who is the subject of the \n                information; and\n                    (D) 
there are reasonable grounds to believe that \n                receipt of a notice by the individual will result in--\n                            (i) endangering the life or physical safety \n                        of any individual;\n                            (ii) flight from prosecution;\n                            (iii) destruction of or tampering with \n                        evidence or the information being sought; or\n                            (iv) intimidation of potential witnesses.\n            (4) Service of application on individual.--Upon the \n        expiration of a period of delay of notice under this \n        subsection, the government authority shall serve upon the \n        individual, with the service of the subpoena and the notice, a \n        copy of any applications filed and approved under this \n        subsection.\n\nSEC. 132. CHALLENGE PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS.\n\n    (a) Motion to Quash Subpoena.--Within 30 days of the date of \nservice, or 30 days of the date of mailing, of a subpoena of a \ngovernment authority seeking protected health information about a \nprotected individual from a health information trustee under paragraph \n(1) or (2) of section 120(a) (except a subpoena to which section 133 \napplies), the individual may file (without filing fee) a motion to \nquash the subpoena--\n            (1) in the case of a State judicial subpoena, in the court \n        which issued the subpoena;\n            (2) in the case of a subpoena issued under the authority of \n        a State that is not a State judicial subpoena, in a court of \n        competent jurisdiction;\n            (3) in the case of a subpoena issued under the authority of \n        a Federal court, in any court of the United States of competent \n        jurisdiction; or\n            (4) in the case of any other subpoena issued under the \n        authority of the United States, in--\n                    (A) the United States district court 
for the \n                district in which the individual resides or in which \n                the subpoena was issued; or\n                    (B) another United States district court of \n                competent jurisdiction.\n    (b) Copy.--A copy of the motion shall be served by the individual \nupon the government authority by delivery of registered or certified \nmail.\n    (c) Affidavits and Sworn Documents.--The government authority may \nfile with the court such affidavits and other sworn documents as \nsustain the validity of the subpoena. The individual may file with the \ncourt, within 5 days of the date of the authority's filing, affidavits \nand sworn documents in response to the authority's filing. The court, \nupon the request of the individual, the government authority, or both, \nmay proceed in camera.\n    (d) Proceedings and Decision on Motion.--The court may conduct such \nproceedings as it deems appropriate to rule on the motion. All such \nproceedings shall be completed, and the motion ruled on, within 10 \ncalendar days of the date of the government authority's filing.\n    (e) Extension of Time Limits for Good Cause.--The court, for good \ncause shown, may at any time in its discretion enlarge the time limits \nestablished by subsections (c) and (d).\n    (f) Standard for Decision.--A court may deny a motion under \nsubsection (a) if it finds that there is probable cause to believe that \nthe protected health information being sought is relevant to a \nlegitimate law enforcement inquiry being conducted by the government \nauthority, unless the court finds that the individual's privacy \ninterest outweighs the government authority's need for the information. 
\nThe individual shall have the burden of demonstrating that the \nindividual's privacy interest outweighs the need established by the \ngovernment authority for the information.\n    (g) Specific Considerations With Respect to Privacy Interest.--In \ndetermining under subsection (f) whether an individual's privacy \ninterest outweighs the government authority's need for the information, \nthe court shall consider--\n            (1) the particular purpose for which the information was \n        collected by the trustee;\n            (2) the degree to which disclosure of the information will \n        embarrass, injure, or invade the privacy of the individual;\n            (3) the effect of the disclosure on the individual's future \n        health care;\n            (4) the importance of the inquiry being conducted by the \n        government authority, and the importance of the information to \n        that inquiry; and\n            (5) any other factor deemed relevant by the court.\n    (h) Attorney's Fees.--In the case of any motion brought under \nsubsection (a) in which the individual has substantially prevailed, the \ncourt, in its discretion, may assess against a government authority a \nreasonable attorney's fee and other litigation costs (including expert \nfees) reasonably incurred.\n    (i) No Interlocutory Appeal.--A court ruling denying a motion to \nquash under this section shall not be deemed a final order and no \ninterlocutory appeal may be taken therefrom by the individual. An \nappeal of such a ruling may be taken by the individual within such \nperiod of time as is provided by law as part of any appeal from a final \norder in any legal proceeding initiated against the individual arising \nout of or based upon the protected health information disclosed.\n\nSEC. 133. 
ACCESS AND CHALLENGE PROCEDURES FOR OTHER SUBPOENAS.\n\n    (a) In General.--A person (other than a government authority \nseeking protected health information under circumstances described in \nsection 131(a)) may not obtain protected health information about a \nprotected individual from a health information trustee pursuant to a \nsubpoena under section 120(a)(2) unless--\n            (1) a copy of the subpoena has been served upon the \n        individual or mailed to the last known address of the \n        individual on or before the date on which the subpoena was \n        served on the trustee, together with a notice (published by the \n        Secretary under section 135(2)) of the individual's right to \n        challenge the subpoena, in accordance with subsection (b); and\n            (2) either--\n                    (A) 30 days have passed from the date of service or \n                30 days have passed from the date of the mailing and \n                within such time period the individual has not \n                initiated a challenge in accordance with subsection \n                (b); or\n                    (B) disclosure is ordered by a court under such \n                subsection.\n    (b) Motion to Quash.--Within 30 days of the date of service or 30 \ndays of the date of mailing of a subpoena seeking protected health \ninformation about a protected individual from a health information \ntrustee under subsection (a), the individual may file (without filing \nfee) in any court of competent jurisdiction, a motion to quash the \nsubpoena, with a copy served on the person seeking the information. 
The \nindividual may oppose, or seek to limit, the subpoena on any grounds \nthat would otherwise be available if the individual were in possession \nof the information.\n    (c) Standard for Decision.--The court shall grant an individual's \nmotion under subsection (b) if the person seeking the information has \nnot sustained the burden of demonstrating that--\n            (1) there are reasonable grounds to believe that the \n        information will be relevant to a lawsuit or other judicial or \n        administrative proceeding; and\n            (2) the need of the person for the information outweighs \n        the privacy interest of the individual.\n    (d) Specific Considerations With Respect to Privacy Interest.--In \ndetermining under subsection (c) whether the need of the person for the \ninformation outweighs the privacy interest of the individual, the court \nshall consider--\n            (1) the particular purpose for which the information was \n        collected by the trustee;\n            (2) the degree to which disclosure of the information will \n        embarrass, injure, or invade the privacy of the individual;\n            (3) the effect of the disclosure on the individual's future \n        health care;\n            (4) the importance of the information to the lawsuit or \n        proceeding; and\n            (5) any other factor deemed relevant by the court.\n    (e) Attorney's Fees.--In the case of any motion brought under \nsubsection (b) by an individual against a person in which the \nindividual has substantially prevailed, the court, in its discretion, \nmay assess against the person a reasonable attorney's fee and other \nlitigation costs (including expert fees) reasonably incurred.\n\nSEC. 134. 
CONSTRUCTION OF SUBTITLE; SUSPENSION OF STATUTE OF \n                    LIMITATIONS.\n\n    (a) In General.--Nothing in this subtitle shall affect the right of \na health information trustee to challenge a request for protected \nhealth information. Nothing in this subtitle shall entitle a protected \nindividual to assert the rights of a health information trustee.\n    (b) Effect of Motion on Statute of Limitations.--If an individual \nwho is the subject of protected health information files a motion under \nthis subtitle which has the effect of delaying the access of a \ngovernment authority to such information, the period beginning on the \ndate such motion was filed and ending on the date on which the motion \nis decided shall be excluded in computing any period of limitations \nwithin which the government authority may commence any civil or \ncriminal action in connection with which the access is sought.\n\nSEC. 135. RESPONSIBILITIES OF SECRETARY.\n\n    Not later than July 1, 1999, the Secretary, after notice and \nopportunity for public comment, shall develop and disseminate brief, \nclear, and easily understood model notices--\n            (1) for use under subsection (c) of section 131, detailing \n        the rights of a protected individual who wishes to challenge, \n        under section 132, the disclosure of protected health \n        information about the individual under such subsection; and\n            (2) for use under subsection (a) of section 133, detailing \n        the rights of a protected individual who wishes to challenge, \n        under subsection (b) of such section, the disclosure of \n        protected health information about the individual under such \n        section.\n\n                  Subtitle D--Miscellaneous Provisions\n\nSEC. 141. 
PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTIONS.\n\n    (a) Payment for Health Care Through Card or Electronic Means.--If a \nprotected individual pays a health information trustee for health care \nby presenting a debit, credit, or other payment card or account number, \nor by any other electronic payment means, the trustee may disclose to a \nperson described in subsection (b) only such protected health \ninformation about the individual as is necessary for the processing of \nthe payment transaction or the billing or collection of amounts charged \nto, debited from, or otherwise paid by, the individual using the card, \nnumber, or other electronic payment means.\n    (b) Transaction Processing.--A person who is a debit, credit, or \nother payment card issuer, is otherwise directly involved in the \nprocessing of payment transactions involving such cards or other \nelectronic payment transactions, or is otherwise directly involved in \nthe billing or collection of amounts paid through such means, may only \nuse or disclose protected health information about a protected \nindividual that has been disclosed in accordance with subsection (a) \nwhen necessary for--\n            (1) the authorization, settlement, billing or collection of \n        amounts charged to, debited from, or otherwise paid by, the \n        individual using a debit, credit, or other payment card or \n        account number, or by other electronic payment means;\n            (2) the transfer of receivables, accounts, or interest \n        therein;\n            (3) the audit of the credit, debit, or other payment card \n        account information;\n            (4) compliance with Federal, State, or local law; or\n            (5) a properly authorized civil, criminal, or regulatory \n        investigation by Federal, State, or local authorities.\n\nSEC. 142. 
ACCESS TO PROTECTED HEALTH INFORMATION OUTSIDE OF THE UNITED \n                    STATES.\n\n    (a) In General.--Notwithstanding the provisions of subtitle B, and \nexcept as provided in subsection (b), a health information trustee may \nnot permit any person who is not in a State to have access to protected \nhealth information about a protected individual unless one or more of \nthe following conditions exist:\n            (1) Specific authorization.--The individual has \n        specifically consented to the provision of such access outside \n        of the United States in an authorization that meets the \n        requirements of section 112.\n            (2) Equivalent protection.--The provision of such access is \n        authorized under this Act and the Secretary has determined that \n        there are fair information practices for protected health \n        information in the jurisdiction where the access will be \n        provided that provide protections for individuals and protected \n        health information that are equivalent to the protections \n        provided for by this Act.\n            (3) Access required by law.--The provision of such access \n        is required under--\n                    (A) a Federal statute; or\n                    (B) a treaty or other international agreement \n                applicable to the United States.\n    (b) Exceptions.--Subsection (a) does not apply where the provision \nof access to protected health information--\n            (1) is to a foreign public health authority;\n            (2) is authorized under section 114 (relating to next of \n        kin and directory information), 116 (relating to health \n        research), or 117 (relating to emergency circumstances); or\n            (3) is necessary for the purpose of providing for payment \n        for health care that has been provided to an individual.\n\nSEC. 143. 
STANDARDS FOR ELECTRONIC DOCUMENTS AND COMMUNICATIONS.\n\n    (a) Standards.--Not later than July 1, 1999, the Secretary, after \nnotice and opportunity for public comment and in consultation with \nappropriate private standard-setting organizations and other interested \nparties, shall establish standards with respect to the \ncreation, transmission, receipt, and maintenance, in electronic and \nmagnetic form, of each type of written document specifically required \nor authorized under this Act. Where a signature is required under any \nother provision of this Act, such standards shall provide for an \nelectronic or magnetic substitute that serves the functional equivalent \nof a signature.\n    (b) Treatment of Complying Documents and Communications.--An \nelectronic or magnetic document or communication that satisfies the \nstandards established under subsection (a) with respect to such \ndocument or communication shall be treated as satisfying the \nrequirements of this Act that apply to an equivalent written document.\n\nSEC. 144. 
DUTIES AND AUTHORITIES OF AFFILIATED PERSONS.\n\n    (a) Requirements on Trustees.--\n            (1) Provision of information.--A health information trustee \n        may provide protected health information to a person who, with \n        respect to the trustee, is an affiliated person and may permit \n        the affiliated person to use such information, only for the \n        purpose of conducting, supporting, or facilitating an activity \n        that the trustee is authorized to undertake.\n            (2) Notice to affiliated person.--A health information \n        trustee shall notify a person who, with respect to the trustee, \n        is an affiliated person of any duties under this Act that the \n        affiliated person is required to fulfill and of any authorities \n        under this Act that the affiliated person is authorized to \n        exercise.\n    (b) Duties of Affiliated Persons.--\n            (1) In general.--An affiliated person shall fulfill any \n        duty under this Act that--\n                    (A) the health information trustee with whom the \n                person has an agreement or relationship described in \n                section 3(c)(1)(C) is required to fulfill; and\n                    (B) the person has undertaken to fulfill pursuant \n                to such agreement or relationship.\n            (2) Construction of other subtitles.--With respect to a \n        duty described in paragraph (1) that an affiliated person is \n        required to fulfill, the person shall be considered a health \n        information trustee for purposes of this Act. 
The person shall \n        be subject to subtitle E (relating to enforcement) with respect \n        to any such duty that the person fails to fulfill.\n            (3) Effect on trustee.--An agreement or relationship with \n        an affiliated person does not relieve a health information \n        trustee of any duty or liability under this Act.\n    (b) Authorities of Affiliated Persons.--\n            (1) In general.--An affiliated person may only exercise an \n        authority under this Act that the health information trustee \n        with whom the person is affiliated may exercise and that the \n        person has been given by the trustee pursuant to an agreement \n        or relationship described in section 3(c)(1)(C). With respect \n        to any such authority, the person shall be considered a health \n        information trustee for purposes of this Act. The person shall \n        be subject to subtitle E (relating to enforcement) with respect \n        to any act that exceeds such authority.\n            (2) Effect on trustee.--An agreement or relationship with \n        an affiliated person does not affect the authority of a health \n        information trustee under this Act.\n\nSEC. 145. 
AGENTS AND ATTORNEYS.\n\n    (a) In General.--Except as provided in subsections (b) and (c), a \nperson who is authorized by law (on grounds other than an individual's \nminority), or by an instrument recognized under law, to act as an \nagent, attorney, proxy, or other legal representative for a protected \nindividual or the estate of a protected individual, or otherwise to \nexercise the rights of the individual or estate, may, to the extent \nauthorized, exercise and discharge the rights of the individual or \nestate under this Act.\n    (b) Health Care Power of Attorney.--A person who is authorized by \nlaw (on grounds other than an individual's minority), or by an \ninstrument recognized under law, to make decisions about the provision \nof health care to an individual who is incapacitated may exercise and \ndischarge the rights of the individual under this Act to the extent \nnecessary to effectuate the terms or purposes of the grant of \nauthority.\n    (c) No Court Declaration.--If a health care provider determines \nthat an individual, who has not been declared to be legally \nincompetent, suffers from a medical condition that prevents the \nindividual from acting knowingly or effectively on the individual's own \nbehalf, the right of the individual to authorize disclosure under \nsection 112 may be exercised and discharged in the best interest of the \nindividual by--\n            (1) a person described in subsection (b) with respect to \n        the individual;\n            (2) a person described in subsection (a) with respect to \n        the individual, but only if a person described in paragraph (1) \n        cannot be contacted after a reasonable effort;\n            (3) the next of kin of the individual, but only if a person \n        described in paragraph (1) or (2) cannot be contacted after a \n        reasonable effort; or\n            (4) the health care provider, but only if a person \n        described in paragraph (1), (2), or (3) cannot be 
contacted \n        after a reasonable effort.\n\nSEC. 146. MINORS.\n\n    (a) Individuals Who Are 18 or Legally Capable.--In the case of an \nindividual--\n            (1) who is 18 years of age or older, all rights of the \n        individual shall be exercised by the individual, except as \n        provided in section 145; or\n            (2) who, acting alone, has the legal capacity to apply for \n        and obtain health care and has sought such care, the individual \n        shall exercise all rights of an individual under this Act with \n        respect to protected health information relating to such care.\n    (b) Individuals Under 18.--Except as provided in subsection (a)(2), \nin the case of an individual who is--\n            (1) under 14 years of age, all the individual's rights \n        under this Act shall be exercised through the parent or legal \n        guardian of the individual; or\n            (2) 14, 15, 16, or 17 years of age, the right of inspection \n        (under section 101), the right of amendment (under section \n        102), and the right to authorize disclosure of protected health \n        information (under section 112) of the individual may be \n        exercised either by the individual or by the parent or legal \n        guardian of the individual.\n\nSEC. 147. 
MAINTENANCE OF CERTAIN PROTECTED HEALTH INFORMATION.\n\n    (a) In General.--A State shall establish a process under which the \nprotected health information described in subsection (b) that is \nmaintained by a person described in subsection (c) is delivered to, and \nmaintained by, the State or an individual or entity designated by the \nState.\n    (b) Information Described.--The protected health information \nreferred to in subsection (a) is protected health information that--\n            (1) is recorded in any form or medium;\n            (2) is created by--\n                    (A) a health care provider; or\n                    (B) a health benefit plan sponsor that provides \n                benefits in the form of items and services to enrollees \n                and not in the form of reimbursement for items and \n                services; and\n            (3) relates in any way to the past, present, or future \n        physical or mental health or condition or functional status of \n        a protected individual or the provision of health care to a \n        protected individual.\n    (c) Persons Described.--A person referred to in subsection (a) is \nany of the following:\n            (1) A health care facility previously located in the State \n        that has closed.\n            (2) A professional practice previously operated by a health \n        care provider in the State that has closed.\n            (3) A health benefit plan sponsor that--\n                    (A) previously provided benefits in the form of \n                items and services to enrollees in the State; and\n                    (B) has ceased to do business.\n\n                        Subtitle E--Enforcement\n\nSEC. 151. 
CIVIL ACTIONS.\n\n    (a) In General.--Any individual whose right under this Act has been \nknowingly or negligently violated--\n            (1) by a health information trustee, or any other person, \n        who is not described in paragraph (2), (3), (4), or (5) may \n        maintain a civil action for actual damages and for equitable \n        relief against the health information trustee or other person;\n            (2) by an officer or employee of the United States while \n        the officer or employee was acting within the scope of the \n        office or employment may maintain a civil action for actual \n        damages and for equitable relief against the United States;\n            (3) by an officer or employee of any government authority \n        of a State that has waived its sovereign immunity to a claim \n        for damages resulting from a violation of this Act while the \n        officer or employee was acting within the scope of the office \n        or employment may maintain a civil action for actual damages \n        and for equitable relief against the State government;\n            (4) by an officer or employee of a government of a State \n        that is not described in paragraph (3) may maintain a civil \n        action for actual damages and for equitable relief against the \n        officer or employee; or\n            (5) by an officer or employee of a government authority \n        while the officer or employee was not acting within the scope \n        of the office or employment may maintain a civil action for \n        actual damages and for equitable relief against the officer or \n        employee.\n    (b) Knowing Violations.--Any individual entitled to recover actual \ndamages under this section because of a knowing violation of a \nprovision of this Act (other than subsection (c) or (d) of section 111) \nshall be entitled to recover the amount of the actual damages \ndemonstrated or $5000, whichever is greater.\n    (c) 
Actual Damages.--For purposes of this section, the term \n``actual damages'' includes damages paid to compensate an individual \nfor nonpecuniary losses such as physical and mental injury as well as \ndamages paid to compensate for pecuniary losses.\n    (d) Punitive Damages; Attorney's Fees.--In any action brought under \nthis section in which the complainant has prevailed because of a \nknowing violation of a provision of this Act (other than subsection (c) \nor (d) of section 111), the court may, in addition to any relief \nawarded under subsections (a) and (b), award such punitive damages as \nmay be warranted. In such an action, the court, in its discretion, may \nallow the prevailing party a reasonable attorney's fee (including \nexpert fees) as part of the costs, and the United States shall be \nliable for costs the same as a private person.\n    (e) Limitation.--A civil action under this section may not be \ncommenced more than 2 years after the date on which the aggrieved \nindividual discovered the violation or the date on which the aggrieved \nindividual had a reasonable opportunity to discover the violation, \nwhichever occurs first.\n    (f) Inspection and Amendment.--If a health information trustee has \nestablished a formal internal procedure that allows an individual who \nhas been denied inspection or amendment of protected health information \nto appeal the denial, the individual may not maintain a civil action in \nconnection with the denial until the earlier of--\n            (1) the date the appeal procedure has been exhausted; or\n            (2) the date that is 4 months after the date on which the \n        appeal procedure was initiated.\n    (g) No Liability for Permissible Disclosures.--A health information \ntrustee who makes a disclosure of protected health information about a \nprotected individual that is permitted by this Act and not otherwise \nprohibited by State or Federal statute shall not be liable to the \nindividual for the 
disclosure under common law.\n    (h) No Liability for Institutional Review Board Determinations.--If \nthe members of a certified institutional review board have in good \nfaith determined that an approved health research project is of \nsufficient importance so as to outweigh the intrusion into the privacy \nof an individual pursuant to section 116(a)(1), the members, the board, \nand the parent institution of the board shall not be liable to the \nindividual as a result of such determination.\n    (i) Good Faith Reliance on Certification.--A health information \ntrustee who relies in good faith on a certification by a government \nauthority or other person and discloses protected health information \nabout an individual in accordance with this Act shall not be liable to \nthe individual for such disclosure.\n\nSEC. 152. CIVIL MONEY PENALTIES.\n\n    (a) Violation.--Any health information trustee who the Secretary \ndetermines has demonstrated a pattern or practice of failure to comply \nwith the provisions of this Act shall be subject, in addition to any \nother penalties that may be prescribed by law, to a civil money penalty \nof not more than $10,000 for each such failure. In determining the \namount of any penalty to be assessed under the procedures established \nunder subsection (b), the Secretary shall take into account the \nprevious record of compliance of the person being assessed with the \napplicable requirements of this Act and the gravity of the violation.\n    (b) Procedures for Imposition of Penalties.--The provisions of \nsection 1128A of the Social Security Act (other than subsections (a) \nand (b)) shall apply to the imposition of a civil monetary penalty \nunder this section in the same manner as such provisions apply with \nrespect to the imposition of a penalty under section 1128A of such Act.\n\nSEC. 153. 
ALTERNATIVE DISPUTE RESOLUTION.\n\n    (a) In General.--Not later than July 1, 1999, the Secretary shall, \nby regulation, develop alternative dispute resolution methods for use \nby individuals, health information trustees, and other persons in \nresolving claims under section 151.\n    (b) Effect on Initiation of Civil Actions.--\n            (1) In general.--Subject to paragraph (2), the regulations \n        established under subsection (a) may provide that an individual \n        alleging that a right of the individual under this Act has been \n        violated shall pursue at least one alternative dispute \n        resolution method developed under such subsection as a \n        condition precedent to commencing a civil action under section \n        151.\n            (2) Limitation.--Such regulations may not require an \n        individual to refrain from commencing a civil action to pursue \n        one or more alternative dispute resolution method for a period \n        that is greater than 6 months.\n            (3) Suspension of statute of limitations.--The regulations \n        established by the Secretary under subsection (a) may provide \n        that a period in which an individual described in paragraph (1) \n        pursues (as defined by the Secretary) an alternative dispute \n        resolution method under this section shall be excluded in \n        computing the period of limitations under section 151(e).\n    (c) Methods.--The methods under subsection (a) shall include at \nleast the following:\n            (1) Arbitration.--The use of arbitration.\n            (2) Mediation.--The use of mediation.\n            (3) Early offers of settlement.--The use of a process under \n        which parties make early offers of settlement.\n    (d) Standards for Establishing Methods.--In developing alternative \ndispute resolution methods under subsection (a), the Secretary shall \nensure that the methods promote the resolution of claims in a manner 
\nthat--\n            (1) is affordable for the parties involved;\n            (2) provides for timely and fair resolution of claims; and\n            (3) provides for reasonably convenient access to dispute \n        resolution for individuals.\n\nSEC. 154. AMENDMENTS TO CRIMINAL LAW.\n\n    (a) In General.--Title 18, United States Code, is amended by \ninserting after chapter 73 the following:\n\n          ``CHAPTER 74--OBTAINING PROTECTED HEALTH INFORMATION\n\n``Sec.\n``1531. Definitions.\n``1532. Obtaining protected health information under false pretenses.\n``1533. Monetary gain from obtaining protected health information under \n    false pretenses.\n``1534. Knowing and unlawful obtaining of protected health information.\n``1535. Monetary gain from knowing and unlawful obtaining of protected \n    health information.\n``1536. Knowing and unlawful use or disclosure of protected health \n    information.\n``1537. Monetary gain from knowing and unlawful sale, transfer, or use \n    of protected health information.\n\n``Sec. 1531. Definitions\n\n    ``As used in this chapter--\n            ``(1) the term `health information trustee' has the meaning \n        given such term in section 3(b)(5) of the Fair Health \n        Information Practices Act of 1997;\n            ``(2) the term `protected health information' has the \n        meaning given such term in section 3(a)(3) of such Act; and\n            ``(3) the term `protected individual' has the meaning given \n        such term in section 3(a)(4) of such Act.\n\n``Sec. 1532. 
Obtaining protected health information under false \n                    pretenses\n\n    ``Whoever under false pretenses--\n            ``(1) requests or obtains protected health information from \n        a health information trustee; or\n            ``(2) obtains from a protected individual an authorization \n        for the disclosure of protected health information about the \n        individual maintained by a health information trustee;\nshall be fined under this title or imprisoned not more than 5 years, or \nboth.\n\n``Sec. 1533. Monetary gain from obtaining protected health information \n                    under false pretenses\n\n    ``Whoever under false pretenses--\n            ``(1) requests or obtains protected health information from \n        a health information trustee with the intent to sell, transfer, \n        or use such information for profit or monetary gain; or\n            ``(2) obtains from a protected individual an authorization \n        for the disclosure of protected health information about the \n        individual maintained by a health information trustee with the \n        intent to sell, transfer, or use such authorization for profit \n        or monetary gain;\nand knowingly sells, transfers, or uses such information or \nauthorization for profit or monetary gain shall be fined under this \ntitle or imprisoned not more than 10 years, or both.\n\n``Sec. 1534. Knowing and unlawful obtaining of protected health \n                    information\n\n    ``Whoever knowingly obtains protected health information from a \nhealth information trustee in violation of the Fair Health Information \nPractices Act of 1997, knowing that such obtaining is unlawful, shall \nbe fined under this title or imprisoned not more than 5 years, or both.\n\n``Sec. 1535. 
Monetary gain from knowing and unlawful obtaining of \n                    protected health information\n\n    ``Whoever knowingly--\n            ``(1) obtains protected health information from a health \n        information trustee in violation of the Fair Health Information \n        Practices Act of 1997, knowing that such obtaining is unlawful \n        and with the intent to sell, transfer, or use such information \n        for profit or monetary gain; and\n            ``(2) knowingly sells, transfers, or uses such information \n        for profit or monetary gain;\nshall be fined under this title or imprisoned not more than 10 years, \nor both.\n\n``Sec. 1536. Knowing and unlawful use or disclosure of protected health \n                    information\n\n    ``Whoever knowingly uses or discloses protected health information \nin violation of the Fair Health Information Practices Act of 1997, \nknowing that such use or disclosure is unlawful, shall be fined under \nthis title or imprisoned not more than 5 years, or both.\n\n``Sec. 1537. Monetary gain from knowing and unlawful sale, transfer, or \n                    use of protected health information\n\n    ``Whoever knowingly sells, transfers, or uses protected health \ninformation in violation of the Fair Health Information Practices Act \nof 1997, knowing that such sale, transfer, or use is unlawful, shall be \nfined under this title or imprisoned not more than 10 years, or \nboth.''.\n    (b) Clerical Amendment.--The table of chapters for part I of title \n18, United States Code, is amended by inserting after the item relating \nto chapter 73 the following:\n\n``74. Obtaining protected health information.....................1531''.\n\n          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE\n\nSEC. 201. 
AMENDMENTS TO TITLE 5, UNITED STATES CODE.\n\n    (a) New Subsection.--Section 552a of title 5, United States Code, \nis amended by adding at the end the following:\n\n    ``(w) Medical Exemptions.--The head of an agency that is a health \ninformation trustee (as defined in section 3(b)(5) of the Fair Health \nInformation Practices Act of 1997) shall promulgate rules, in \naccordance with the requirements (including general notice) of \nsubsections (b)(1), (b)(2), (b)(3), (c), and (e) of section 553 of this \ntitle, to exempt a system of records within the agency, to the extent \nthat the system of records contains protected health information (as \ndefined in section 3(a)(3) of such Act), from all provisions of this \nsection except subsections (e)(1), (e)(2), subparagraphs (A) through \n(C) and (E) through (I) of subsection (e)(4), and subsections (e)(5), \n(e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (q), (r), and (u).''.\n    (b) Repeal.--Section 552a(f)(3) of title 5, United States Code, is \namended by striking ``pertaining to him,'' and all that follows through \nthe semicolon and inserting ``pertaining to the individual;''.\n\n   TITLE III--REGULATIONS, RESEARCH, AND EDUCATION; EFFECTIVE DATES; \n             APPLICABILITY; AND RELATIONSHIP TO OTHER LAWS\n\nSEC. 301. 
REGULATIONS; RESEARCH AND EDUCATION.\n\n    (a) Regulations.--Not later than July 1, 1999, the Secretary shall \nprescribe regulations to carry out this Act.\n    (b) Research and Technical Support.--The Secretary may sponsor--\n            (1) research relating to the privacy and security of \n        protected health information;\n            (2) the development of consent forms governing disclosure \n        of such information; and\n            (3) the development of technology to implement standards \n        regarding such information.\n    (c) Education.--The Secretary shall establish education and \nawareness programs--\n            (1) to foster adequate security practices by health \n        information trustees;\n            (2) to train personnel of health information trustees \n        respecting the duties of such personnel with respect to \n        protected health information; and\n            (3) to inform individuals and employers who purchase health \n        care respecting their rights with respect to such information.\n    (d) Office of Information Privacy.--\n            (1) Establishment.--There is established in the Department \n        of Health and Human Services, within the Office of the \n        Secretary, an Office of Information Privacy. The Office of \n        Information Privacy shall be headed by a Director, who shall \n        also be the Privacy Adviser of the Department of Health and \n        Human Services. 
The Director shall be the principal adviser to \n        the Secretary on the effect of the use and disclosure of \n        personally-identifiable information on the privacy of \n        individuals.\n            (2) Duties.--The Director of the Office of Information \n        Privacy shall--\n                    (A) monitor and participate in the development of \n                regulations under this Act;\n                    (B) monitor the implementation of this Act within \n                the Department of Health and Human Services;\n                    (C) advise the Secretary of the effects of current \n                activities and proposed statutory, regulatory, \n                administrative, and budgetary actions on the \n                information privacy of individuals;\n                    (D) monitor the implementation within the \n                Department of Health and Human Services of laws and \n                policies affecting the confidentiality of personally-\n                identifiable health information or other personally-\n                identifiable information;\n                    (E) advise the Secretary on the implications for \n                privacy of automated systems for the collection, \n                storage, analysis, or transfer of personally-\n                identifiable health information or other personally-\n                identifiable information;\n                    (F) engage in, or commission, research and \n                technical studies on the implications of policies and \n                practices for information privacy promulgated by the \n                Secretary;\n                    (G) serve as a point of contact within the \n                Department of Health and Human Services for persons, \n                such as other agencies of the Federal Government, \n                States, foreign governments, international \n                organizations, privacy and consumer advocacy \n   
             organizations, businesses, nonprofit organizations, and \n                individuals, interested in the effects on privacy of \n                the collection, maintenance, use, and disclosure of \n                personally-identifiable health information or other \n                personally-identifiable information; and\n                    (H) report from time to time to the Secretary, the \n                Congress, and the public on privacy matters.\n\nSEC. 302. EFFECTIVE DATES.\n\n    (a) In General.--Except as provided in subsection (b), this Act, \nand the amendments made by this Act, shall take effect on January 1, \n2000.\n    (b) Provisions Effective Immediately.--\n            (1) In general.--A provision of this Act shall take effect \n        on the date of the enactment of this Act if the provision--\n                    (A) imposes a duty on the Secretary to develop, \n                establish, or promulgate regulations, guidelines, \n                notices, statements, or education and awareness \n                programs; or\n                    (B) authorizes the Secretary to sponsor research or \n                the development of forms or technology.\n            (2) Office of information privacy.--Section 301(d) \n        (relating to the Office of Information Privacy) shall take \n        effect on the date of the enactment of this Act.\n\nSEC. 303. 
APPLICABILITY.\n\n    (a) Protected Health Information.--Except as provided in \nsubsections (b) and (c), the provisions of this Act shall apply to any \nprotected health information that is received, created, used, \nmaintained, or disclosed by a health information trustee in a State on \nor after January 1, 2000, regardless of whether the information existed \nor was disclosed prior to such date.\n    (b) Exception.--\n            (1) In general.--The provisions of this Act shall not apply \n        to a trustee described in paragraph (2), except with respect to \n        protected health information that is received by the trustee on \n        or after January 1, 2000.\n            (2) Applicability.--A trustee referred to in paragraph (1) \n        is--\n                    (A) a health researcher; or\n                    (B) a person who, with respect to specific \n                protected health information, received the \n                information--\n                            (i) pursuant to--\n                                    (I) section 117 (relating to \n                                emergency circumstances);\n                                    (II) section 118 (relating to \n                                judicial and administrative purposes);\n                                    (III) section 119 (relating to law \n                                enforcement); or\n                                    (IV) section 120 (relating to \n                                subpoenas, warrants, and search \n                                warrants); or\n                            (ii) while acting in whole or in part in \n                        the capacity of an officer or employee of a \n                        person described in clause (i).\n    (c) Authorizations for Disclosures.--An authorization for the \ndisclosure of protected health information about a protected individual \nthat is executed by the individual before January 1, 2000, and is 
\nrecognized and valid under State law on December 31, 1999, shall remain \nvalid and shall not be subject to the requirements of section 112 until \nJanuary 1, 2001, or the occurrence of the date or event (if any) \nspecified in the authorization upon which the authorization expires, \nwhichever occurs earlier.\n\nSEC. 304. RELATIONSHIP TO OTHER LAWS.\n\n    (a) State Law.--Except as otherwise provided in subsections (b), \n(c), (d), (e), and (g), a State may not establish, continue in effect, \nor enforce any State law to the extent that the law is inconsistent \nwith, or imposes additional requirements with respect to, any of the \nfollowing:\n            (1) A duty of a health information trustee under this Act.\n            (2) An authority of a health information trustee under this \n        Act to disclose protected health information.\n            (3) A provision of subtitle C (relating to access \n        procedures and challenge rights), subtitle D (miscellaneous \n        provisions), or subtitle E (relating to enforcement).\n    (b) Laws Relating to Public Health and Mental Health.--This Act \ndoes not preempt, supersede, or modify the operation of any State law \nregarding public health or mental health to the extent that the law \nprohibits or regulates a disclosure of protected health information \nthat is permitted under this Act.\n    (c) Criminal Penalties.--A State may establish and enforce criminal \npenalties with respect to a failure to comply with a provision of this \nAct.\n    (d) Requirements on State Agencies.--A State may establish, \ncontinue in effect, and enforce any State law to the extent that the \nlaw imposes on a judicial, legislative, or executive agency of the \nState a requirement, limitation, or procedure with respect to the use \nor disclosure of protected health information that is in addition to \nthe requirements, limitations, and procedures imposed under this Act.\n    (e) Privileges.--A privilege that a person has under 
law in a court \nof a State or the United States or under the rules of any agency of a \nState or the United States may not be diminished, waived, or otherwise \naffected by--\n            (1) the execution by a protected individual of an \n        authorization for disclosure of protected health information \n        under this Act, if the authorization is executed for the \n        purpose of receiving health care or providing for the payment \n        for health care; or\n            (2) any provision of this Act that authorizes the \n        disclosure of protected health information for the purpose of \n        receiving health care or providing for the payment for health \n        care.\n    (f) Department of Veterans Affairs.--The limitations on use and \ndisclosure of protected health information under this Act shall not be \nconstrued to prevent any exchange of such information within and among \ncomponents of the Department of Veterans Affairs that determine \neligibility for or entitlement to, or that provide, benefits under laws \nadministered by the Secretary of Veterans Affairs.\n    (g) Certain Duties Under State or Federal Law.--This Act shall not \nbe construed to preempt, supersede, or modify the operation of any of \nthe following:\n            (1) Any law that provides for the reporting of vital \n        statistics such as birth or death information.\n            (2) Any law requiring the reporting of abuse or neglect \n        information about any individual.\n            (3) Subpart II of part E of title XXVI of the Public Health \n        Service Act (relating to notifications of emergency response \n        employees of possible exposure to infectious diseases).\n            (4) The Americans with Disabilities Act of 1990.\n            (5) Any Federal or State statute that establishes a \n        privilege for records used in health professional peer review \n        activities.\n    (h) Secretarial Authority.--\n            (1) Secretary 
of health and human services.--A provision of \n        this Act does not preempt, supersede, or modify the operation \n        of section 543 of the Public Health Service Act, except to the \n        extent that the Secretary of Health and Human Services \n        determines through regulations promulgated by such Secretary \n        that the provision provides greater protection for protected \n        health information, and the rights of protected individuals, \n        than is provided under such section 543.\n            (2) Secretary of veterans affairs.--A provision of this Act \n        does not preempt, supersede, or modify the operation of section \n        7332 of title 38, United States Code, except to the extent that \n        the Secretary of Veterans Affairs determines through \n        regulations promulgated by such Secretary that the provision \n        provides greater protection for protected health information, \n        and the rights of protected individuals, than is provided under \n        such section 7332.\n\n    Mr. Horn. No one will make the mistake of thinking that \nmedical privacy is a new issue. It is worth recalling the words \nof Hippocrates. His oath included the following pledge: ``All \nthat may come to my knowledge in the exercise of my profession, \nwhich ought not to be spread abroad, I will keep secret and \nwill never reveal.''\n    Patient information acquired by medical experts is deeply \npersonal and should be kept private. The challenge we now face \nis to protect the timeless value of confidentiality, the \nprivacy between doctor and patient, in a rapidly changing \nhealth care environment. We face an enormous conflict between \nan old value, the right to personal privacy, and the increasing \nneed of our health care system to exchange intimate information \nabout each of us. Managed health care systems must be able to \nexchange information between doctors, insurers, and others. 
We \nneed to set the rules of the road.\n    At stake are the quality and the value of our health care. \nThe increasing use of information technology and the increasing \ncomplexity of provider arrangements are inevitable. The \nexchange of patient health care information is an integral part \nof the existing health care system. Claims payments require \ndiagnostic information. Communications between primary care \nproviders and other providers, such as specialists or \nhospitals, require patient information to be shared. Pharmacies \nmaintain data bases of past prescriptions.\n    Despite this highly fluid environment for exchanging health \ncare information, no uniform national standard currently exists \nto protect the confidentiality of this information. Moreover, \nthere is little uniformity among State statutes regarding the \nconfidentiality of health care information. Most of the States' \nlaws lack penalties for misuse or misappropriation. Protections \nvary according to both the holder and the type of information.\n    Under last year's Kassebaum-Kennedy act, the Secretary of \nHealth and Human Services is required to recommend privacy \nstandards for health care information to Congress by September \n1997. If Congress does not enact health care privacy \nlegislation by August 1999, the Secretary of Health and Human \nServices is required to promulgate such privacy regulations. In \neffect, the Kassebaum-Kennedy act gave Congress a 3-year window \nof opportunity to enact major health care privacy legislation.\n    An illustration of the difficulties we face is the \nrevolution in the science of genetics, with the mapping of the \nhuman genome. Incredibly sensitive, precise genetic tests have \nbeen developed, genetic screening has become commonplace, and \nan extraordinary array of genetic interventions are being \nexplored.\n    Genetics privacy issues inevitably accompany the scientific \nadvances. 
Do genetic data differ fundamentally from other \nhealth data? Genetic data could be used prejudicially, such as \nineligibility for employment, financial credit, or life or \nhealth insurance.\n    Issues associated with genetic privacy and possible \ndiscrimination based on genetic information have received \nheightened attention. The House Committee on Commerce has \nestablished a task force on health records and genetic privacy \nchaired by Representative Stearns and Green. Any substantial \nlegislation on the issue of medical records privacy will \ninvolve establishing uniform national rules on the collection \nand protection of personally identifiable health data, \naffirming the rights of patients, setting criteria and \nprocedures for disclosure, their use and security of health \ncare information, focusing responsibilities for ensuring proper \nprotection and use of health care information and establishing \npenalties for wrongful use of the data.\n    The legislation before us today is H.R. 52, the Fair Health \nInformation Practices Act of 1997. Under this bill, medical \nrecords created or used during the process of treatment become \nprotected health information. Furthermore, health care \nproviders are required to maintain appropriate administrative, \ntechnical, and physical safeguards to protect the integrity and \nprivacy of health care information. H.R. 52 would allow \npatients to review their medical records and correct inaccurate \ninformation. It would also place restriction on the release of \ninformation relating to the treatment of patients and on the \npayment for health care services.\n    Three Members of Congress who have taken the lead on \nmedical records privacy issues will testify today as part of \nour first panel. They are Representative Condit, who is author \nof H.R. 
52, as well as Representatives Slaughter and Stearns.\n    Representatives of privacy advocates, health care providers \nand records management organizations will testify on panel II. \nThe witnesses are Ms. Janlori Goldman, visiting scholar at \nGeorgetown University Law Center, who is also affiliated with \nthe Center for Democracy and Technology; Dr. Donald J. \nPalmisano, who is a member of the Board of Trustees, American \nMedical Association; and Dr. Merida Johns, who is president of \nthe American Health Information Management Association.\n    Representatives of medical researchers will testify on \npanel III. Witnesses are Dr. Sherine Gabriel of the Department \nof Health Services Research, Mayo Clinic, representing the \nHealth Care Leadership Council; Dr. Elizabeth Andrews of Glaxo \nWellcome, representing the Pharmaceutical Research and \nManufacturers Association; and Dr. Steven Kenny Hoge, who \nserves as chair of the Council on Psychiatry and Law at the \nAmerican Psychiatric Association.\n    We welcome all of today's witnesses.\n    I have just learned that Mrs. Slaughter will not be here. \nShe asks for her comments to be submitted for the record and \nwithout objection, they will be. We are delighted to have the \nauthor of this legislation with us, Mr. Condit, and it is all \nyours.\n\nSTATEMENT OF HON. GARY A. CONDIT, A REPRESENTATIVE IN CONGRESS \n                  FROM THE STATE OF CALIFORNIA\n\n    Mr. Condit. Thank you, Mr. Chairman. First of all, let me \ncommend you, Mr. Chairman, for gathering us here today to \ndiscuss the privacy of medical records. This is an extremely \nimportant step in addressing the anxiety of many patients and \ncitizens across this country. 
The time has come for us in \nreforming the way we handle medical records; and this is a very \nsensitive issue, and it is time for us to take a look at how we \nhave been doing this.\n    As more and more medical records are computerized, a \npatient's confidentiality is put at risk, and we have examples \nof that throughout our review of this issue. For this reason, I \nhave introduced the Fair Health Information Practices Act; and \nyou have been kind enough to work with us on that, Mr. Chairman \nand I appreciate that very much.\n    Our guiding principle in drafting this bill is to protect \nthe confidential information contained in medical records and \nprotecting this information once it leaves the physician's \noffice. Under the bill, medical information is protected by \nestablishing uniform Federal rules for handling medical \nrecords; holding those who handle this information accountable \nfor the security and privacy of the medical records.\n    Today, you will hear testimony from a number of people who \nhave expertise in this area, and I look forward to their \ntestimony. We have heard them speak before, over the last \ncouple of years, on this issue. You know, last year, with the \nKennedy-Kassebaum bill, we were given a target date, 1999, to \nenact something. We think this is a good step in the right \ndirection, and I hope we can put something together.\n    Mr. Chairman, I have an extensive statement and some \nbackground information that I would like to submit for the \nrecord, and I would be available here for a few minutes to \nrespond to any comments or questions; and with that, I will \nyield back.\n    Mr. Horn. Well, we appreciate you coming and your statement \nwill be, without objection, part of the record at this point.\n    Mr. Condit. Thank you.\n    [The prepared statement of Hon. Gary A. 
Condit follows:] \n    [GRAPHIC] [TIFF OMITTED] 45252.001\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.002\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.003\n    \n    Mr. Horn. We now have the distinguished Member from \nFlorida, Mr. Stearns.\n\n STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN CONGRESS \n                   FROM THE STATE OF FLORIDA\n\n    Mr. Stearns. Good morning, Mr. Chairman. I am delighted to \nbe here and want to compliment you on your leadership in having \nthis hearing. While the scope of your hearing today covers \nmedical records in general, I would like to restrict my \ncomments to why I believe we must provide safeguards to prevent \ndiscrimination based on a person's genetic profile.\n    The question of confidentiality of one's medical record is \nsomething that should concern us all. The reason I am here \ntoday is to discuss how we can find a way to ensure that \ntechnological advances in genetic testing proceed while \nprotecting the interests of the individual.\n    Let me state, technology is good, research must be allowed. \nIt is the means and applications of this technology and \nresearch that concerns us all. I believe genetic testing may \nbecome, in fact, a civil rights issue. It could be the civil \nrights issue of the 21st century. Should an insurance company \nbe able to deny children medical coverage because their mother \ndied of an inherited heart defect? Even if children may or may \nnot carry the defect, this is a dilemma faced by a father in \nCalifornia who could not get family medical coverage under his \ngroup plan as a result of his wife's death.\n    In another case, a man lost his auto insurance coverage \nbecause he had a genetic condition which affected his muscles. 
\nAlthough he had a clean driving record stretching back 20 \nyears, genetic information was used to cancel his policy.\n    One young woman was hired as a social worker, and for 8 \nmonths, she received promotions and positive performance \nreviews. However, while conducting a training program on caring \nfor patients with Huntington's disease, she mentioned that she \nhad family members with that condition. She was soon fired and \ninformed by another colleague that it was due to a concern that \nshe might develop Huntington's disease.\n    As these cases show, access to genetic information can \nresult in being denied health insurance, cancellation of auto \ninsurance, and even the loss of a job. These people were \ndiscriminated against based upon their genes. You might be \namazed to know how many of us here in this committee room carry \nmutated genes. The fact is, we all do. Fortunately, most \ngenetic mutations are silent, exhibiting no significant \nconsequences.\n    The National Institutes for Health is home to the Human \nGenome Project. This project is a 15-year study scheduled for \ncompletion in the year 2005. The discoveries made from mapping \nout the entire human genome will mean better early detection, \ntreatment of disease, and even their prevention. These are the \nup sides of genetic research.\n    The examples I provided earlier show genetic information \ncan also be used to discriminate against people. That is where \nCongress should take action to ensure continued progress in \ngenetic research while also protecting people from the misuse \nof genetic information. This issue is moving very quickly, and \nwe need to make some sound public policy decisions now.\n    In the last Congress, I introduced the Genetic Privacy and \nNondiscrimination Act, H.R. 2690, to establish guidelines \nconcerning the disclosure and use of genetic information. 
My \ngoal was to protect the health privacy of the American people \nwhile not disrupting genetic research efforts. I am currently \ndrafting a similar piece of legislation for the 105th Congress.\n    Last year, I was able to, with the help of others, insert \nlanguage into the Health Care Coverage and Affordability Act \nwhile the measure was in the Commerce Committee, on which I \nsit. As you know, we passed this measure and the President \nsigned it. One provision of this bill prohibits insurance \ncompanies from denying coverage to an employee or beneficiary \non the basis of health status. Health status was defined as an \nindividual's medical condition, claims, experience, receipt of \nhealth care, medical history, evidence of insurability, or \ndisability. The two words that I inserted in the commerce bill \nwere, quote, genetic information. These two words made a good \nbill better, but additional protection and guidelines are still \nneeded. That is one of my priorities in the 105th Congress.\n    Chairman Tom Bliley of the Commerce Committee asked me to \ntake a leading role in establishing policy on these issues by \nchairing the task force on health records and genetic privacy. \nThis bipartisan task force will consider these questions in a \nseries of briefings, meetings, and public hearings.\n    The job of the task force is to answer a number of \nquestions which certainly pertain to medical records and \nprivacy; and some of these are, Mr. Chairman, one, how will we \nprotect the health records of persons with genetic deficiencies \nand still allow scientific research to go forward unimpeded? \nAdditionally, the whole area of, quote, informed consent, end \nquote, must be clarified as it pertains to genetic privacy. How \nwill the thousands of available genetic tests created as a \nresult of the Human Genome Project affect our citizens? 
And \nthree, what issues are raised by the potential misuse of \ngenetic and other information about an individual?\n    Genetic information is personal, powerful, permanent, and \nsensitive. It not only affects the individual, but it also has \nan impact on offspring and other blood relatives. Genetic \nprivacy must be protected. On the other hand, it is a key to \nthe treatment, cure and prevention of disease, so genetic \nresearch must continue. I see our job is to meet these goals as \nbest we can; it is also an issue of fairness.\n    In conclusion, Mr. Chairman, think about those two little \nboys in California who were denied insurance coverage because \nof an error in a genetic script. This is something that they \ncould not control and did not choose. As I noted, we all have \nerrors in our genetic blueprints. For most of us, it does not \nharm us, but for many, the onset of disease is devastating. We \nowe them a level of privacy and the hope for treatment and \ncure. That is the central mission of my task force and \nlegislation.\n    Thank you, Mr. Chairman.\n    Mr. Horn. I thank you for that very fine statement.\n    [The prepared statement of Hon. Cliff Stearns follows:] \n    [GRAPHIC] [TIFF OMITTED] 45252.004\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.005\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.006\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.007\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.008\n    \n    [GRAPHIC] [TIFF OMITTED] 45252.009\n    \n    Mr. Horn. Let me just put in the record, without objection, \nthe comments of Representative Shays, who is chairman of the \nHuman Resources Subcommittee of our full committee and the \ncomments of Representative Slaughter, who is the author of H.R. \n306, the Genetic Information Nondiscrimination and Health \nInsurance Act. Any other remarks as Members arrive, those \nopening statements will be put in the record.\n    [The prepared statements of Hon. Christopher Shays and Hon. \nLouise M. 
Slaughter follow:] \n[GRAPHIC] [TIFF OMITTED] 45252.010\n\n[GRAPHIC] [TIFF OMITTED] 45252.011\n\n[GRAPHIC] [TIFF OMITTED] 45252.012\n\n[GRAPHIC] [TIFF OMITTED] 45252.013\n\n[GRAPHIC] [TIFF OMITTED] 45252.014\n\n    Mr. Horn. Let us now, in your limited time, ask a few \nquestions. Given the situation on genetic information in those \ncases, Representative Stearns, that you cited, are truly \nimportant because I happen to have a college classmate whose \nchild had exactly that heart situation. No one thought the \nchild would live past 8, and that child is now in his late 30's \nor early 40's. So genetic information doesn't always have an \ninevitable consequence.\n    And I think the one question here is, should we separate \nthe genetic information aspect from the other privacy aspects \nin the Condit bill, or should we just work on both in one \npiece? What is your feeling on that?\n    Mr. Stearns. Well, I think what Gary is doing is important, \nand I think separating them temporarily until we know enough \nabout it--because as you just pointed out, if a doctor sits \ndown with me and says, Cliff, you have a predisposition because \nof your gene for X, Y, Z, what does that mean in terms of \nprobability theory? Does the environment, the fact I don't \ndrink or smoke or perhaps that I exercise, perhaps where I \nlive, how does that tie in? And what does that predisposition \nmean? We just don't know.\n    We can say, in some genes, it means you are going to die at \na definite date. But for a lot of this, there is going to be a \nhigh level of probability that we have to work out and we \nshould not have the health records impeded while we try to \nunderstand the whole impact of this, in the legal aspect, in \nterms of punitive--allowing research to go ahead, in terms of \ncounseling people. 
I mean, the issues just open up like \nPandora's box.\n    So I think the whole area of genetics is an issue unto \nitself in how we deal with it, much like we are trying to deal \nwith cloning. And as you know, the President's Commission, I \nthink is going to reveal its recommendations this week or next. \nAnd so this whole area is something that is staggering in terms \nof implication.\n    Mr. Condit. May I respond?\n    As you know, you and I have had discussions, we are looking \nfor a comprehensive approach to medical records and the \nconfidentiality, and so we would like to eventually see \neverything sort of on an even keel here. But I do acknowledge \nthat what Mr. Stearns has brought up here is sort of in a \nspecial category. At this time, we don't have a lot of \ninformation about it, so I do think that there is a time period \nwhere we may want to do as he said, take a special look at it \nand see whether or not it fits under this category. But we \nprobably could work to accommodate it either way, but I think \nhe makes a very good point and one we would probably agree \nwith.\n    I also, Mr. Chairman--if I may, I apologize to you; you \nhave been very kind to hold this hearing today, and I know you \nare going to get a lot of good information. I have another \nobligation I need to get to, but I do have a stack of \ninformation I would like to leave for the record, if I may.\n    Mr. Horn. Without objection, it will be inserted at this \npoint.\n    I just have one question, if you have got a second.\n    On H.R. 52, as put in this year, is there an impact on law \nenforcement investigations? I recall that some law enforcement \nofficials, representatives of the Department of Justice, in \nparticular, expressed concern about your previous legislation, \nH.R. 435, and its effect on law enforcement investigations. Do \nyou know of any similar concerns?\n    Mr. Condit. 
That is a good point, and I am glad you brought \nit up.\n    It is certainly not my intent to exclude law enforcement \nfrom having access to information that is crucial to them, \nmaybe in a criminal case. So last session when we worked on \nthis issue, we spent a lot of time working with the law \nenforcement industry, and I think we clarified, to their \nsatisfaction, language that they can accept. And I think they \nare protected under this bill, and we have not received, to my \nknowledge, any objection from them on this particular language. \nThey do have access to records when they need them.\n    Mr. Horn. Thank you very much.\n    Mr. Stearns, when I listened to your examples on genetics \nand how insurance companies were doing this and that, it came \nto my mind that the whole reason we have insurance is not just \nto insure well people, but to insure a group of people, and \nthat is what the actuarial tables, it seems to me, are based \nupon; and to deny an individual, just because science has \nprogressed, it bothers me a lot, and we have to do something to \nfigure out how to solve that one.\n    Do you have any other comments you want to make? I don't \nwant to hold you here. I know you have a lot of things to do.\n    Mr. Stearns. Well, Mr. Chairman, in the area of law \nenforcement, also in the area of military, that is another area \nthat health records--in determining availability, access for \nmilitary people, military doctors, putting people in combat; \nand with genetic predisposition, how does that work out if a \nperson has strong allergies or a person has some other problems \nthat would become apparent under stress or would become \napparent under certain conditions? How does that work out, and \nhow is the individual protected, and what does it mean? 
That is \nan area that we need to have the wisdom of Solomon to figure \nout how to protect health records and at the same time allow \nthe military, the law enforcement and research--most \nimportantly, research--to have access to the records.\n    So, I mean, it is something I commend you and others for \ndoing, and I am delighted to be here.\n    Mr. Horn. Let me just ask if Mr. Sessions has any questions \nhe would like to ask you before you leave.\n    Mr. Sessions. I really have no questions. I would just say \nthat I was unprepared before I walked in today. I knew the \ngeneral subject. I have a little boy with Down's Syndrome, so I \nhave had to ask a lot of these same questions, not only of \nmyself in dealing with him, but also of my son, and how we are \ngoing to deal with him as he progresses.\n    So these are very thought-provoking issues, and I am very \ninterested in your comments today and those of Congressman \nCondit.\n    Mr. Stearns. Dr. Collins, who heads up the Genome Project \nout at the National Institutes of Health--I went out there and \ntoured the facility, and I urge all Members to go out there and \nto actually meet with Dr. Collins and hear his presentation on \nthe future with genetic engineering. It is exciting.\n    For example, with your son and other children that many \nAmericans will have, the hope some day is we can actually go \nback into your DNA and correct things and make things new \nagain, and that is a spectacular kind of thought. But at the \nsame time, for many Americans who have mutated genes, we need \nto make sure that they have a full life and are not \ndiscriminated against because of anything that medicine finds.\n    Mr. Sessions. What is interesting to me, since we are on \nthe subject--and I know you need to go--I struggle and I have \nstruggled in dealing with my child. 
Many people, in dealing \nwith all sorts of gene and genetic problems, as Down's Syndrome \nis one of those, I am of a firm belief that God gave us baby \nAlex the way he is, and we are simply trying to take him as far \nas we can; and a lot of changes, I would not want to make to \nhim. We are trying to take him as far as he can go as he was \ngiven to us.\n    And a lot of people do things with exercise or their facial \nmuscles so that the disability that this child has is not \nrecognizable. And so my wife and I have taken the perspective \nin dealing with this that we want to massage him, we want to do \nthose things that help his facial muscles, that help him to be \nable to speak and help him to do those things, but he should \nnot become unrecognizable for what he is to this world. He \ncould, at some point, be 25 years old on a street corner, be \nlost, and a person would look at him and maybe not know what \nthey are looking at.\n    So I have found that I like baby Alex the way he is, and he \nwas a gift to us; and I would not go back and alter one single \nthing, even if I knew he were Down's from the very beginning. \nSo there are a lot of things that come to us that may not be \nexactly the way you and I think are perfect, but is in reality \na wonderful creation.\n    Mr. Stearns. Well, that is an inspiring attitude toward it, \nand I think all of us should have that attitude on many things. \nSo I commend you for that attitude, and I think that is an \ninspiration for many of us.\n    Mr. Sessions. Thank you.\n    Mr. Horn. I agree with the gentleman. When you mentioned \nallergies, the thought crossed my mind that no one on Capitol \nHill would be able to get insurance. As I walk down the hall, \neverybody seems to have allergies. And when our class arrived \nin the fall of 1992, somebody said, you know, ``Why we all have \nallergies?'' We apparently have one of every tree in America on \nCapitol Hill. 
I don't know if it is true, but it is an \ninteresting source for what the problem is around here.\n    Would the gentlewoman from New York care to ask any \nquestions?\n    Mrs. Maloney. I would like to have my opening comments put \ninto the record as read.\n    Mr. Horn. That has automatically been done already.\n    [The prepared statement of Hon. Carolyn B. Maloney \nfollows:] \n[GRAPHIC] [TIFF OMITTED] 45252.015\n\n[GRAPHIC] [TIFF OMITTED] 45252.016\n\n[GRAPHIC] [TIFF OMITTED] 45252.017\n\n[GRAPHIC] [TIFF OMITTED] 45252.018\n\n    Mrs. Maloney. I am sorry Mr. Condit has already left. We \nwouldn't be as far along as we are on this issue if it had not \nbeen for the work he did in the 103d Congress.\n    I wanted to ask him, but maybe Mr. Stearns can answer, in \none of his bills, he had exempted mental health, and yet now he \ndropped from his bill the exception for mental health \ntreatment, and I wanted to ask him why. Are you working with \nhim on his bill?\n    Mr. Stearns. No, I am not and it would not be fair for me \nto comment on his bill. Gary is very knowledgeable.\n    Mrs. Maloney. Do you think the provisions in Congresswoman \nSlaughter's bill are adequate or would you add to them?\n    Mr. Stearns. Well, this is a bill that we dropped pretty \nmuch like we dropped last year. Senator Mack and Senator \nHatfield dropped it on the Senate side.\n    The bill we are going to drop this year is going to be a \nlittle different, and we think that our bill is going to be \nmore specific and tailored. And we are seeking the \nadministration's help, because we think the administration has \nsome concern about certain things; and since we are trying to \nget something passed, we are trying to work with them.\n    She has also been very active, and I admire her for her \nleadership and her activities on this, and welcome the work \nthat she has done and working with her.\n    Mrs. Maloney. OK. Thank you very much.\n    Mr. Horn. Thank you for coming. 
We appreciate you having \nshared your knowledge on the subject. When will that task force \nof yours report, basically?\n    Mr. Stearns. Mr. Chairman, Gene Green of Texas represents \nHouston. We are hoping to have some hearings at some of the \nuniversities. University of Florida has a lot of research on \nthis and we are hoping to have a hearing in July, in which we \ntry to define where in this enormous panoramic subject that we \ncould go and get the most bang for the buck. We would seek your \nadvice and the members of this committee too.\n    Mr. Horn. Well, we thank you for the hard work you have \ndedicated to this issue. It is very important.\n    We will now call forth the second panel, and that will be \nMs. Goldman, Mr. Palmisano, and Ms. Johns.\n    If you stand and raise your right hands, we have a \ntradition that witnesses other than Members of Congress take \nthe oath.\n    [Witnesses sworn.]\n    Mr. Horn. All three witnesses affirmed, and we will start \nwith Ms. Goldman.\n\n  STATEMENTS OF JANLORI GOLDMAN, VISITING SCHOLAR, GEORGETOWN \n   UNIVERSITY LAW CENTER, AND AFFILIATED WITH THE CENTER FOR \n  DEMOCRACY AND TECHNOLOGY; DR. DONALD J. PALMISANO, MEMBER, \nBOARD OF TRUSTEES, AMERICAN MEDICAL ASSOCIATION; AND MERIDA L. \nJOHNS, Ph.D., PRESIDENT, AMERICAN HEALTH INFORMATION MANAGEMENT \n                          ASSOCIATION\n\n    Ms. Goldman. Good morning, and thank you very much for \ninviting me to testify today. I not only appreciate your \ninvitation, I appreciate this subcommittee's continued \ncommitment to this issue. 
I think this might be the third or \nfourth hearing on this subject you have held in the last few \nyears, and I think it has advanced the policy discussions quite \na bit.\n    What I would like to do, since this has been an issue that \nhas been very well discussed and documented--there is quite a \nrecord that this subcommittee alone has created--is just talk a \nlittle bit about what has changed since the last hearing, which \nwas almost a year ago today. Congress passed the Health \nInformation Portability Act, the Kassebaum-Kennedy bill that \nnow--really what Congress did, in place of passing mandatory \nprivacy rules, was give itself a time limit and say, we must \nact to pass legislation in the next few years on privacy of \nhealth records, or else the Secretary of HHS will promulgate \nregulations. So one way or another we are going to have a law \nor enforceable regulations in the next few years.\n    It was, I think, a serious failing in the Kassebaum-Kennedy \nlaw that the administrative simplification provisions did pass, \nwhich require standard uniform format of health information, \nessentially a computerized patient record in the next few \nyears, without saying at the outset what the privacy rules \nshould be.\n    What it means is that as the Secretary and as the computer \nindustry and the health information industry are moving to \ncomputerize and standardize personal medical records, they are \ndoing so without knowing what privacy and security rules to put \nin place. So when Congress does act or the Secretary acts, they \nare going to have to go back and retrofit those systems.\n    It is expensive. I think it is a problem. 
I would urge the \nCongress not to wait until the time limit it has been given, \nbut to act more swiftly so that people who are in those \noffices, in those industries, that are working with health \ninformation, know what to do at the outset.\n    In that law though that did pass, instead of passing the \nrules, what Congress did do was say, we need to address the \nprivacy issues. A committee was created, the National Committee \non Vital and Health Statistics. It has held hearings on the \nissue and created an even more extensive public record about \nthe need for health privacy legislation. The Secretary is going \nto issue a report this summer.\n    In addition, since last year, the National Research Council \nissued a report for the record, very detailed report about the \nneed for security in computerized health information systems. \nThey went around the country, they did case studies and they \nfound that even with the best of intentions, there was a lack \nof strong privacy and security safeguards in place. And again \nwe have horror stories about people who acted with malice and \nused information without permission, sold it to the press. We \nhave information about carelessness, we have horror stories, \nbut I think for the vast majority of people in this country who \nwant to do the right thing, they don't know where to start and \nthey are seeking Congress' guidance.\n    As well, the National Action Plan on Breast Cancer and the \nHuman Genome Project, which we have talked a little bit about, \nis holding a series of workshops on privacy and genetic \ninformation, because they are wrestling with the need to push \nforward in genetic research. But the fear that so many \nindividuals who are participants in these studies are going to \nhave, is fear that they will be discriminated against in \ninsurance, even in employment. 
Even though the ADA should \nprotect them against that, they do not trust the research and \npublic health community to protect their confidentiality.\n    I don't think it is an overstatement to say we are rapidly, \nand have been for years, approaching a crisis in health care \nbecause of the lack of privacy rules. Fundamental critical \nhealth care services are at risk of being undermined.\n    This is not a case of privacy practices being a barrier to \nresearch and to public health and to managed care; that is \noften how the issue is formulated in the press and by some in \nthe industry who say, ``privacy will be a barrier to us, if we \nhave to protect privacy, we are not going to get the \ninformation we need because people won't consent to these \nuses.''\n    I would actually say we have quite the opposite scenario. \nWe will have substantial barriers to treatment, research, and \npublic health if people do not believe that their privacy is \nprotected and that they don't have the following principles \nguaranteed.\n    One is, they must have access to their own records. Half \nthe States in this country give people the right to see their \nown medical records. It is a sham.\n    The other thing people must have is control over their own \nrecords. When they go to a doctor, they should be able to \ndetermine who else gets to see the record and under what \ncircumstances. Right now people sign blanket waivers, and even \nwhere doctors want to maintain confidentiality and want to have \nkind of the old-fashioned doctor-patient relationship, they are \nunable to do so because of requirements on the part of payers, \ninsurance companies, sometimes researchers with whom they have \nrelationships, to disclose that information.\n    The other thing people must have are strong enforceable \nremedies, individual remedies where they can pursue a lawsuit \nagainst someone who has harmed them. There should be civil \npenalties and criminal penalties. 
Most of the legislation that \nhas been introduced in both the House and the Senate has very \nstrong penalties.\n    Very quickly, on some of the issues raised, my view--and, I \nthink, the view of a number of people in the research community \nat NIH in the Human Genome Project--is that we should treat \ngenetic information as health information and not treat it \nseparately and not isolate it as a separate, special \ncircumstance. In fact, H.R. 52, Congressman Condit's bill, does \nincorporate genetic information now under the definition of \npersonal health information. It talks about past, present, or \nfuture information, as do a number of the Senate proposals. \nThat is genetic information. It refers to information about \nothers who are not necessarily the record subject. That is also \ngenetic information.\n    As well, I think that the law enforcement provisions, which \nI know and, Mr. Chairman, you raised in your questions, I \nreally believe that the law enforcement sections in a health \nprivacy law must be consistent with other law enforcement \nprovisions and privacy laws that we currently have at the \nFederal level.\n    The Video Privacy Protection Act, better known as the Bork \nbill by some, the Right to Financial Privacy Act, the Education \nPrivacy Act, all have law enforcement provisions that require a \nwarrant before access; and I think that we should have at least \nthe same level of protection for medical records that we have \nfor video rental records.\n    In addition, the pre-emption section which is in H.R. 52 is \ndifferent than some of the provisions on the Senate side, but I \nthink also needs some looking. Right now, we can't do any worse \nthan we currently have since there is no Federal standard.\n    Again let's look at the very serious consequences. 
Without \nprivacy protections, people are going to withhold information \nfrom their doctors because they are going to be afraid the \ndoctor will have to convey it to somebody else, and they know \nthe protections aren't in place. They will withhold information \nor they may lie to their doctors; they may give inaccurate \ninformation, which will undermine the ability of the doctor to \ngive an accurate diagnosis. The other problem is that doctors \nmay actually lie in submitting the claim forms, and I don't \nmean to suggest doctors are doing ill here, but they are trying \nto protect their patients, so they often put inaccurate \ndiagnoses on the claim forms.\n    Or I think the more horrible consequence is that people \nwill not seek health care. They will stay away from health care \naltogether because of fear, and we see it in the HIV area and \nreproductive health; people are afraid of going to the doctor \nat all in terms of discrimination and employment and insurance, \nthat their families may find out, reporters, marketers. The \npersonal consequences are very real, but I think the societal \nconsequences are even more startling and one that we tend to \noverlook, which is that public health will be undermined if we \ndon't have accurate information; and research will be \nundermined if we don't have accurate and reliable information.\n    So while the public health people and researchers often say \nwe are worried about how privacy rules will affect our work in \nimproving health care, we really need to look at the cost of \nnot protecting privacy. Privacy, I believe, is a necessary, \nvital partner in other health care goals. It is not a barrier, \nit is not an impediment, but it is a partner in achieving other \nhealth care goals.\n    I appreciate your holding this hearing. Thank you.\n    Mr. Horn. 
We thank you for the most helpful statement.\n    [Note.--A copy of the report entitled, ``Privacy and Health \nInformation Systems: A Guide to Protecting Patient \nConfidentiality,'' can be found in subcommittee files, and may \nbe obtained by calling (206) 682-2811.]\n    Mr. Horn. Dr. Palmisano, member of the Board of Trustees of \nthe American Medical Association.\n    Dr. Palmisano. Thank you Mr. Chairman and members of the \ncommittee. My name is Donald Palmisano, and I am here \nrepresenting the American Medical Association and some 300,000 \nphysicians and medical student members. I also bring to the \ndiscussion today my 26 years' experience as a surgeon \npracticing in New Orleans. We appreciate the time and energy \nthe subcommittee is devoting to this important issue.\n    Let me begin by stating medicine's underlying premise in \nall of the discussions of patient confidentiality. The patient-\nphysician relationship is first built on trust. Confidentiality \nof communications within this relationship is the cornerstone \nof good medical practice and good medical care. Patients must \nfeel safe in disclosing to their physicians personal and \nsometimes embarrassing facts and information that they do not \nwant others to know. We, as physicians, need this information \nto provide the best and most appropriate medical care. Without \nsuch assurances, patients may not provide the information \nnecessary for proper diagnosis and treatment. The cost of \nmedical care can increase when physicians do not have such \ninformation.\n    Our professional and ethical responsibility is outlined in \nour AMA Code of Medical Ethics and it is to keep our patients' \nconfidences, and it is no different because the medical records \nare stored electronically rather than on paper. 
But the \nevolution of electronic medical data has intensified our \nexisting concerns about access to and, now, even commerce in \npatients' confidential medical information.\n    The growing number of third parties demanding information \nhas eroded our patients' confidence that information that they \nshare with their doctor is going to help in their individual \ncare. Any number of parties will give you arguments for a vast \narray of supposedly compelling health and public safety reasons \nas to why they need to know such private information.\n    But a need is not a right, and I would like to emphasize \nthat, a need is not a right. And because it may be happening \nnow, doesn't make it right.\n    AMA policy clearly states that conflicts between a \npatient's right to privacy and a third party's need to know \nshould be resolved in favor of the patient except where that \nwould result in serious health hazard or harm to the patient, \nor others; and we would suggest that all bills studied in the \nCongress use that guideline so that the patient is the primary \nprotector of his or her own medical information, and not \nsomeone else's right, desire, or belief in their right to get \nthat information.\n    We believe that patients have a basic right of privacy of \ntheir medical information and records. We believe that the \npatient's privacy should be honored, unless the patient waives \nit in a meaningful way or in rare instances of strongly \ncountervailing public interests. And by ``meaningful,'' we mean \ninformed and not coerced.\n    We believe that you should limit the information disclosed \nto that part of the medical record or abstract necessary to \nfulfill the immediate and specific purpose--that is, no fishing \nexpeditions.\n    While you have our written statement, which goes into more \ndetail, I would like to highlight a few points. 
First, we \ncannot forget that the primary purpose of the medical record is \nto provide a reliable tool and to provide clinical diagnosis \nand treatment for patients. Patients should generally have \naccess to information from their medical record. There are few \nexceptions to protect the mental or physical safety of the \npatient, but the physical record is the property of the \nphysician or provider, and this is where control of most \ndisclosures should emanate.\n    Second, on the issue of consent, a patient's first consent, \ngenerally for treatment or payment, should not automatically \napply to subsequent disclosures unless the patient specifically \nand freely waives defined rights. Insurers, of course, need \nbasic information to pay claims and have legitimate need for \ninformation to conduct utilization review and quality assurance \nand to monitor for fraud and abuse. The AMA cautions against \ncategorizing these activities as payment for treatment purposes \nwhen they do not go directly to paying for a specific \nindividual's treatment.\n    Patients generally believe that their signature releases \npersonal information for their direct and specific benefit, \noverly broad and legislative definitions should not exploit \npatients' lack of knowledge regarding complex information \nsystems. For consent to be truly voluntary, it must be knowing \nand that includes a patient knowing for what purpose their \nrecords are being sought. 
Patients should not be coerced into \ndivulging any and all medical records, either their own or \ntheir families by way of a nonspecific consent signed upon \nenrolling in a plan as a condition of insurance payment, nor \nshould physicians have to sign agreements with insurers to \nproduce records without that patient's consent.\n    Third, exceptions to the requirement for patient consent to \ndisclosure should be minimally and narrowly drawn.\n    Last, whenever possible, medical information used for \nresearch purposes should have all identifying information \nremoved, unless the patient specifically consents to the use of \nhis or her personally identifiable information.\n    In conclusion, the fact that we have vastly improved \ntechnology to collect, sort and analyze patients' medical data \ndoes not diminish our ethical obligation to protect our \npatients' privacy. We all hear seemingly compelling arguments \nfor efficiency and technological potential, but we cannot allow \nthe vigorous standards of confidentiality required by the \nmedical profession's ethical code to be subverted once the \nrecord gets into others' hands. We have to work to fit the goal \nof efficiency within the larger framework of patient privacy, \nnot the other way around.\n    Thank you again for inviting the American Medical \nAssociation to testify. I am happy to discuss our testimony in \nmore detail, and the AMA is happy to work with the subcommittee \nto address concerns. Thank you very much, sir.\n    Mr. Horn. We thank you. That is a very well developed \nstatement, as I read it earlier.\n    [The prepared statement of Dr. Palmisano follows:] \n    [GRAPHIC] [TIFF OMITTED] 45252.019-45252.023\n    \n    Mr. Horn. Dr. 
Johns is President of the American Health \nInformation Management Association, a rather large \norganization. Give us a little bit about its history. I know \nyou mentioned the numbers in your second paragraph, but I think \nyou could educate most of us about the extent of your \nmembership.\n    Ms. Johns. I will be happy to, Mr. Chairman.\n    Thank you, Mr. Chairman and members of the subcommittee. \nAHIMA appreciates the opportunity to appear before the \nsubcommittee today in support of the Fair Health Information \nPractices Act. AHIMA is an organization that was established 69 \nyears ago and a professional organization that represents \n37,000 credentialed health information managers. We have over \n200 educational programs throughout the country, in colleges \nand universities which prepare accredited record technicians \nand record administrators.\n    Our organization, a professional organization, was \noriginally established for the purpose of managing, storing, \nand protecting health information, and we have a long tradition \nwith the issues regarding confidentiality and privacy, and a \nprincipal goal in the mission of our organization, since 1929, \nfor protection of health information. So certainly, we are not \nnew to the issues that are being posed today.\n    We are the credentialed specialists who manage and protect \npatient health information. We work in a variety of health care \ninstitutions and health-related organizations, and we are the \nprofessionals that are responsible for handling requests for \ninformation from third-party payers, from employers, from \nresearchers, attorneys, other health care providers, local, \nState, and Federal agencies. Our members ensure that \ninformation is disclosed pursuant to valid authorizations and \npursuant to statutes, regulations, and court orders. 
Our \nefforts, however, to protect health information have been \ncomplicated by a lack of Federal pre-emptive confidentiality \nlegislation.\n    Assuring confidentiality is important because it makes \npatients feel comfortable enough to communicate openly with \ntheir health care providers. Assuring confidentiality is also \nimportant because it makes patients feel comfortable that the \ninformation they are providing health care providers is going \nto be protected. Unfortunately, current regulations and the \nphysician-patient privilege do not offer patients real \nprotection. Therefore, AHIMA believes H.R. 52 is a solution to \nthis dilemma, first, because the bill establishes a code of \nfair information practices, and, second, because it provides a \nuniform national health standard for the use and the disclosure \nof individually identifiable health information.\n    It is true that some States have enacted confidentiality \nlegislation, but there is little uniformity with their \napproaches. Most statutes do not even address the issue of \nredisclosure of health information, and penalties for its \nmisuse are lacking. Protections also vary according to the \nholder of the information, and for different types of \ninformation.\n    For instance, several States have recently enacted genetic \nprivacy legislation. Segregating and creating special \nprotections for specific types of information, such as mental \nhealth or genetic information could result in inadvertent \nbreaches of confidentiality. For that reason, AHIMA recommends \nthat comprehensive confidentiality legislation cover all types \nof health information.\n    One of the greatest threats to patient privacy is the \nincreasing and growing demand for data, and while there are \nFederal regulations that offer strong protections, they are \nlimited in their applicability. 
For example, the Federal \nPrivacy Act of 1974 was designed to provide citizens some \ncontrol over the information collected on them by the Federal \nGovernment. However, this law does not apply to the private \nsector. There are also Federal regulations in regard to alcohol \nand substance abuse, but these only apply to Federal or \nfederally funded facilities that offer treatment for alcohol or \nsubstance abuse.\n    As a result of the ongoing public policy debate, during the \npast several years, Congress and the general public have come \nto a consensus there is a need for Federal confidentiality \nlegislation. Reports of the Institutes of Medicine and from the \nOffice of Technology Assessment and, most recently, the \nNational Research Council have all underscored the need for \nFederal action.\n    In order to address the need for Federal legislation, AHIMA \nin 1993 drafted model legislative language that outlined a code \nof fair health information practices. This language was \npublished in the Office of Technology Assessment report, \nprotecting privacy in computerized medical information as a \nmodel code, and was used in drafting the Fair Health \nInformation Practices Act.\n    There are a number of key provisions in the model language \nthat are essential to any legislation governing the collection, \nuse and disclosure of health information. These include, first, \na patient's right to know and access his or her own health \ninformation; the provision--providing provisions for \nrestrictions on information used and provisions for criminal \nand civil penalties to protect the misuse of information. We \nare pleased to note that H.R. 52 covers all of these key \nprovisions.\n    We are also pleased to note that H.R. 52, in sections 101 \nand 102, provides individuals with the right to access and copy \nthe personal health information and also to amend errors as \nwell. 
Currently, only 28 States allow patients access to their \nhealth information, and even within these particular statutes, \nthey are not uniform.\n    We note, however, one principal concern with sections 101 \nand 102. These require health information trustees such as \nhealth benefit plan sponsors, health care providers, health \noversight agencies and public health authorities to permit \npatients to inspect and copy their records. They also require \nthat these trustees correct or amend protected health \ninformation upon request, or take certain actions if they \nrefuse to make such changes.\n    Because medical records are the physician's or health care \nfacility's legal record, they are an important element of \npatient care, and we urge that the language be amended that \nonly providers be permitted to correct health information. In \nother words, information should be corrected at its source.\n    AHIMA believes that the passage of pre-emptive \nconfidentiality legislation is imperative, and we thank the \nsubcommittee for holding this very important hearing. We \nsincerely hope that our testimony will prove helpful. In \naddition to the points we have made here today, we would be \nmore than willing to offer our technical comments to you, as \nyou continue to discuss the provisions of the Fair Health \nInformation Practices Act.\n    [The prepared statement of Ms. 
Johns follows:] \n    [GRAPHIC] [TIFF OMITTED] 45252.024-45252.043\n    \n    Mr. Horn. Well, we appreciate that very thorough statement, \nand we will take you and others up on that because this is a \ncontinuing dialog. We don't claim to know it all up here. That \nis why we have hearings, and in hearings we try to bring out \nwhat are the similarities and differences.\n    Let's start with you, Ms. Goldman. From what you heard from \ntwo of your colleagues, where do you differ from them?\n    Ms. Goldman. Well, I wouldn't want to pass up the \nopportunity to find differences with my colleagues, but in \ntruth, I am extremely heartened by how much agreement we all \nhave. It has been the true history of this issue that all of us \nat this table, representing the various organizations, have \nworked closely together and believe that we must have health \nprivacy legislation. On the broad principles, it seems to me \nthat we have very strong agreement and we have worked together \nover the years to try to fashion some kind of a consensus. 
I am \nnot sure there is vast disagreement or even significant \ndisagreement at this time.\n    Mr. Horn. So you are OK on the principles, but it is the \nnitty-gritty that sometimes brings the Congress to a halt. Does \nany of the nitty-gritty bother you?\n    Ms. Goldman. There are probably some vast differences among \nfolks who are not at this table, but I think if it were left to \nthe three of us we could probably come up with something----\n    Mr. Horn. The next panel is going to join us, and we asked \nyou all to stay here to get a dialog between the six of you; \nbut I thought we would do some of it first so we could have a \nfew things that are strictly in your testimony.\n    Ms. Goldman. I think what is remarkable about this issue \nis, you have organizations such as the American Medical \nAssociation and the American Civil Liberties Union and the \nCenter for Democracy and Technology. You have such a broad \nrange of groups who are involved in various aspects of the \nhealth care system who realize, from a very first-hand \nknowledge, how important it is to have enforceable rules.\n    Mr. Horn. Dr. Palmisano, how about the AMA? Where do you \nagree and where do you disagree about what you have heard by \nthe fine witnesses on either side of you?\n    Dr. Palmisano. Well, I would second what we just heard. I \nthink we are in basic agreement.\n    What I would like to emphasize is, I think the patient \nrights need to be superior to the Government's need to know or \nsome other third party's need to know and we should follow \nestablished procedure. Certainly nothing less than probable \ncause to get into the medical record, and we must always \nprotect that right; and we think very strongly the code of \nmedical ethics is something that we rely on very heavily and it \nstates very clearly that the patients' rights are primary. I \nbelieve our society is a society that has decided we go to the \npatient first. 
It is a philosophical base where the patient has \nthe right to make a decision, even if it is the wrong decision, \nas opposed to teleological society, where we do what we think \nis right for the patient and the patients' desires become \nsecondary. So I think we are all in sync on these issues.\n    We are concerned about some aspects in the bill. We are \nconcerned about the definition of ``health oversight agency'' \nseems overly broad. We understand there may be some agencies \nthat look at this with proper credentials, but maybe there are \nagencies like XYZ that is a for-profit corporation that gets a \nhold of this information.\n    We are very concerned about anything that would allow \npeople who don't have the knowledge and the ethical base to \nprotect the patients' rights having control of these records. \nWe are concerned about anything that would link to Social \nSecurity numbers, where someone could get in. We are concerned \nabout crackers or perhaps hackers getting in this information, \nif it is a clearinghouse. We see the Central Intelligence \nAgency, recently in the news, reports where some hacker--\ncracker, I am not sure what the right term is.\n    Mr. Horn. You can use both, if you want.\n    Dr. Palmisano. The evil people that get in without our \npermission--and they said the Central Stupidity Agency; and we \nthink that is one of our most secure and secret agencies, if \npeople can get through their fire walls, that is what bothers \nus. And once people know this information is available in \nelectronic form on a central data base, we think there will be \ngreat incentives. Right now they are just people doing it to \nshow they can, quote, ``beat the system,'' perhaps, but there \nwill be people selling this information.\n    So we are very concerned. We appreciate the opportunity, \nand I will be happy to deal with any specific questions. Thank \nyou.\n    Mr. Horn. Dr. 
Johns, what is your feeling based on the \ntestimony your two colleagues have given? Any agreement, any \ndisagreement?\n    Ms. Johns. Very much agreement, Mr. Chairman, and I think \nas a result of the ongoing policy debate, which occurred over \nthe past several years, we have come as a group to a consensus \nabout the need for this type of Federal confidentiality \nlegislation.\n    Mr. Horn. Let me ask a few questions before we go to the \nnext panel.\n    Ms. Goldman, some patients may be willing to volunteer \ninformation about themselves or even waive their right of \nrecord confidentiality if the waiver is incorporated into an \noffer from a health care marketer to provide free samples or \ncoupons that might fit the patients' needs. Is a purpose of \nH.R. 52 to discourage that activity, and should it or shouldn't \nit?\n    Ms. Goldman. I think you raise one of the critical issues \nin privacy legislation, which is consent. It's usually the \ncornerstone of any piece of privacy legislation, as you may not \nuse the information in an unrelated way, without the \nindividual's consent.\n    And as we heard from other testimony, consent is a big \nterm, but it doesn't mean anything if it is not voluntary, if \nit is not informed. It is not meaningful if it doesn't have \nthose qualities to it. And I think the way to ensure consent is \nmeaningful and informed and voluntary is to make sure that \nobtaining that consent is not a condition of receiving certain \nbenefits and services.\n    I should be able to go to a doctor and say, I do not want \nyou to release this information to a researcher, or I don't \nwant this information to be released to another doctor without \nmy knowledge; and I should still be able to receive treatment \neven if, as Dr. Palmisano said, it may not be in the patient's \nbest medical interest. 
That is a decision he or she should be \nable to make without suffering the consequence of not getting \ncare.\n    Most people who sign the broad waivers, when they go to get \nhealth care, the broad waivers that say this information may be \nreleased for any purpose to anybody under any circumstances--\nand I have signed many of them recently since I had surgery on \nmy foot a few months ago, and you sign them because you know \nthat it is not a choice. These are not real choices people are \nmaking; and what we should do is build in a way of removing the \nauthorization process or consent process from the receiving of \ncertain benefits and services, and then I think we will see.\n    In fact, the Video Privacy Act, which I keep raising as an \nexample of what we can do when there is consensus in the \nCongress, says you may not disclose without permission and you \nmay not request that authorization as a condition of giving \nsomeone a video, so can't we do the same thing here?\n    Mr. Horn. Any comments either of you have on that question?\n    Dr. Palmisano. Mr. Chairman, I would just agree with that. \nIn my personal practice over the years, it is not uncommon to \nget a request about treatment I have given to a patient that \nmay be unrelated to the treatment I just gave, and they make a \nphotocopy of this blanket consent. It is our policy and has \nbeen ever since I started medical practice 26 or 27 years ago \nto always call the patient, and if the patient is not \nimmediately available, I have my staff continue to try and say \nthis information they want is really not related.\n    I want you to know what is in your medical record. 
If you \nhave questions, you are welcome to come by and look at it, but \nyou did confide to me some information that has a bearing on \nwhy you might have this ulcer, because of the stress, the \nfamily problems at home, and I don't believe that is anybody's \nbusiness, unless you want it to be somebody's business.\n    So patients feel rather intimidated. They are afraid they \nare going to lose their insurance, and now in this era of \nmanaged care, they could really have additional pressure put on \nthem. They feel rather intimidated, so I think what we have \nadvocated today and what you all are very wisely looking into \nis in the patients' best interest.\n    Thank you.\n    Mr. Horn. Dr. Johns, any comments?\n    Ms. Johns. We fully agree with the statements that have \nbeen previously stated.\n    Mr. Horn. OK. Let's move to the disclosure to spouses. I \nunderstand physicians are often faced with difficult choices in \nsharing that information about the condition and care of a \npatient with spouses and family members. Assuming a patient had \nnot previously authorized disclosure nor prohibited it, how \nwould H.R. 52 affect the ability of a health care provider, \nsuch as physician, to share information with a spouse, and what \nis your feeling on that, any one of the three of you?\n    Ms. Goldman. Spouses are not necessarily treated \ndifferently from others who are requesting information. The one \narea where there may be slightly different treatment is called \nthe next-of-kin provision, which allows a doctor to disclose to \nthe next-of-kin, which could be a spouse, it could be a cousin, \nit could be someone with whom the individual has a significant \nrelationship. 
It allows the physician to disclose to that \nperson, for instance, after surgery, unless the individual has \nobjected and said, I don't want you to talk to my spouse about \nmy condition or about the results of my surgery, and so the \nspouse still has that option.\n    I assume you would be able to talk with more knowledge \nabout how it works in the real world, but there is usually a \nmore comfortable relationship there unless the individuals \nsuggest they don't want that shared. I think H.R. 52 deals with \nthat pretty well.\n    Dr. Palmisano. Well, I think this is a balancing act and \nsomething we face all the time. If I am examining a patient--\nlet's say, a woman and she requires an operation--and she says, \n``please allow my husband to come into the room during this \ndiscussion,'' then I know that she wants her husband to know \neverything and would want him to know everything in the \nimmediate postoperative period, perhaps, and so on, so there is \nno problem.\n    But if someone comes to me, man or woman, and I treat the \nindividual, and someone calls up from another State and says, \n``Hi, I am the spouse,'' or whatever, I don't give that \ninformation out. There has to be identification, and I have to \nfind out from the patient, ``Do you want me to release this \ninformation?'' Sometimes we find people are judicially \nseparated, for instance; we don't really know they are \njudicially separated, and they are in the midst of a battle \nthat would affect the division of their assets and so on, so I \nalways go back to the patient.\n    Basically, our reading of the next-of-kin provision on page \n35 is that they would be basically granted the right to give \nthat information, unless the patient objected to that; and that \nis a balancing act that needs to be decided. 
So I don't know \nwhat is the correct answer to that.\n    We always go back to the patient, and if the patient is \nunconscious, comes in from an automobile accident, for \ninstance, in our State in Louisiana, there are provisions that \nstate you can release the information to a next-of-kin. If \nsomeone is in a terminal, irreversible coma and hasn't made out \na living will, we have a provision in many of the State laws \nthat says the next-of-kin, if not judicially separated, is the \nindividual that can make the decision whether or not to \ncontinue life-sustaining treatments if imminent death is there.\n    Mr. Horn. Suppose it is a transmittable disease that could \nlead to death; does the spouse have a right to know?\n    Dr. Palmisano. Well, of course that is under State law. In \nalmost every State there is a reporting requirement. Some \nStates require you name the individual; other States, they say \nyou give the information immediately to the health officer, and \nif it looks like it could be something that could affect, for \ninstance, someone with tuberculosis, with a productive cough \nthat has the actual bacteria that causes tuberculosis, if that \nis being spread around, they need to know the name of the \nindividual and so on. Our medical ethics say that you release \nthe information if someone could do grievous harm to someone \nelse.\n    So you have to then make a decision. You advise the \nindividual that it is best for you to disclose this, if you are \ntalking about a sexually transmitted disease, such as AIDS, \nwhich usually is considered fatal, but now we have some drugs \nthat may change our perspective on that. Then if the individual \nsays, ``no, I am going to continue to do this,'' I think the \nphysician has an ethical obligation to take the next step and \ndecide whether or not you will transmit the information.\n    First of all, you have to do it to the health officer, \nusually, in your State and call the individual. 
It is one of \nthose ethical dilemmas that the physician needs to make sure \nthat he or she really has all the facts. If someone had a \nplague that was transmittable by just exhaling and so on, we \nwould need to isolate that individual; and if the individual \nsays, I am out of here, it would be the physician's obligation \nto notify not only the next-of-kin, but the health authorities, \nso we wouldn't have a plague throughout the Nation.\n    Mr. Horn. Dr. Johns, any comments?\n    Ms. Johns. No, basically the comments and the sections \nwithin H.R. 52 that have already been elaborated on, we \nfeel comfortable with.\n    Mr. Horn. Let me move to another area then on correcting \npatient records. Dr. Palmisano, H.R. 52, subtitle (a) permits \npatients to inspect their health care records to make \ncorrections. With what frequency do patients currently ask you, \nor other doctors, to see their records and attempt to make \ncorrections? And to what degree does that even occur?\n    Dr. Palmisano. Mr. Chairman, that is a rarity. It is not \nunusual for people to request a copy of the records because \nthey may be moving to another State, but it is a rarity for \nsomeone to come in and say--in fact, in 26 years of private \npractice, I have never had anybody come in and say they wanted \nto change the record. They see me do the record for the office \nvisit right in the office, because after I do the history and \nphysical examination, I usually start writing in front of the \npatient and ask if they have additional questions, and I tell \nthem of their lab reports and so on, and offer a copy to them.\n    So I have had people ask for copies of the records, and we \ngive them that information. And in the field I am in, in \nsurgery, it would be rare for me to have something in there \nthat might affect the health of the individual, their mental \nhealth, such as psychiatrists might have. 
There might be \ninformation that if the patient got that information \nimmediately--and Dr. Hoge can address that better--but the \npatient may get even more depressed and commit suicide. So it \nis a rarity in actual practice, but there is no hesitation on \nour part for the patient to get a copy of the record.\n    We believe that the record is the record of the physician, \nand certainly we wouldn't want to give the original record and \nhave them start changing, and mark out things and so on. But if \nthey want to give me additional information--it is not \nuncommon, they would say, Doctor, I would like this medicine \nlisted that I have here put in my record; I would say, \ncertainly, and we will photocopy it and give them a copy back, \nand we will keep the copy, the original or the copy, whatever \nthey prefer, in the record.\n    It is a rarity that someone would want to take my records \nand change what is in my record.\n    Mr. Horn. What State do you practice in?\n    Dr. Palmisano. I am in the State of Louisiana.\n    Mr. Horn. Does Louisiana have a law that relates to this \ntype of situation, or do you follow an AMA protocol, or how do \ndoctors sort of make up their minds how to handle the \nquestions, rare though the question might be?\n    Dr. Palmisano. Specifically, we follow the AMA ethical \nguidelines throughout the Nation, the people who are members of \nthe AMA and many physicians who are not members also follow, \nwhether or not they have sent their dues in. This seems to be \nthe bible of what is the right thing to do.\n    In Louisiana, on that specific issue--I don't recall if \nthere is any--well, I take that back. We have a statute, in \nfact, patients have the right to get their record at any time. \nThey can come in and ask for the record, and the record would \nbe given to the patient. 
If an attorney sends a subpoena in
Louisiana--and this law changes every year, but now it will
change every other year, because Louisiana now will have a
fiscal session 1 year and everything else the other year. But
between the medical association, the trial lawyers and
everybody else, there is a battle on how to get the record.
What we have is a very rigid way of getting the medical record.
A patient can come, request the record, sign for the record and
get a copy of the record.
    If an attorney wants the record through subpoena, that
attorney is obligated to send a notification to the patient, if
it is an adverse attorney, to the patient or the patient's
attorney; and after 10 days to 15 days--it changes from year to
year--if there is no protest at the court level, then the
physician is allowed to give the record out. But you cannot
give the record out until that number of days have passed and
you also have this notification; it is an affidavit that the
attorney must submit.
    So we are very cautious about who can get the record.
    Mr. Horn. Do you, in your own practice, or do doctors you
know, have they ever refused to grant a patient's request to
access to the record; and if so, what is the policy of the AMA
on that?
    Dr. Palmisano. No, I don't personally know anyone who has
refused to grant access of the patients to the record. I have
seen situations where a patient said, don't give that record;
and a subpoena came for the record, and the doctor says, what
am I supposed to do; and they will usually call the legal
counsel or the medical society or their professional liability
carrier, and they all get together and try to work something
out.
They usually end up going to the judge and trying to
explain the situation.
    But there is no problem in giving that information, and it
is the policy of the AMA that the patient has a right to
inspect his or her records, unless there is some overriding
reason that might, as I said, in a psychiatric situation--my
counsel here just pointed out that the patient has access
unless in the professional judgment of the medical doctor it
would harm the patient--then it goes to some designee, for
instance. And this usually occurs in a psychiatric situation,
and it is not only in our policy, but it is also in our code of
medical ethics book and the patient has a right to that
information.
    We deal with informed consent, Mr. Chairman, all the time,
and it is a very strict law of informed consent that has
evolved throughout the Nation and especially in Louisiana.
    Mr. Horn. If we use an analogy to an audit report of an
organization, often when an auditor makes a statement--let's
say it is a Government auditor--the agency would be given the
right to respond to that statement; but both items would remain
in the record, in other words, the audit initiation and the
agency response.
    Now, in terms of using medical information--and we talk
about the patient's right to correct the record--would that
mean we simply add, as you suggested earlier, another sheet of
paper to the record, that this is the patient's view of this
record, or would there have to be integration in what is
presumably your record on the patient?
    Dr. Palmisano. Well, the original record is never changed
unless there is an error in the record. For instance, if the
physician wrote down the patient was on XYZ medication and, in
reality, the physician did not hear that correctly and the
patient says, gee, I looked at my record and I am not on that
medication, then we don't want to go back and alter the record
incorrectly.
We want to do it in the approved methodology and
make a new note, put an asterisk or some note saying, this is
an error up above, put a line through it, date it, initial it;
and then go down to the next area for writing and say, this
area was corrected, the patient brought it to my attention, the
patient is on this medication and not what we wrote. You would
then, just move on and that would be the way to correct it.
    Now, on the other hand, if what the physician found was
absolutely correct, such as the physician did an abdominal
palpation and found a pulsating mass or suspected it to be an
abdominal aneurysm, that was the physician's impression, based
on the history and the physical examination at that time, the
symptoms in the physical examination. So if the patient came in
and said, ``I want that changed, I don't want that on my record
because I am going to such and such--I am applying for new
insurance,'' the physician could not ethically or medically or
legally do that. That would be wrong.
    And if the patient wanted to insert that in there, I
personally would have no objection; I don't think it would be
in the patient's best interest, but I would put it in the
record and say, I will make an attachment page. If the patient
came in and wanted the record changed, I don't believe that is
the appropriate thing to do.
    Here is the patient's statement and put it in there.
    Mr. Horn. Any comments on this aspect of record changing,
correction or revision?
    Ms. Johns. The general practice, just as Dr. Palmisano has
stated, where there is an error in the record, it is corrected
by putting a line through the error, indicating that there is
an error, and writing a correct entry for that; and the issue
of the amendment to the record is common practice. Good
information practice is to include the amendment to the record,
if the patient and the health care provider are in
disagreement.
    Mr.
Horn. Is that practice sort of the basic code of your
organization, and is that actually carried out in most State
laws with which you are familiar?
    Ms. Johns. It is a practice. Our best practice--our
association puts out practice briefs, and that procedure that I
have just stated is included as best practice. Whether or not
it is carried out in each State would be another issue, but as
far as our credentialed, certified people, this is what we
would expect.
    Mr. Horn. Did you have a comment on that?
    Ms. Goldman. Just a small comment.
    While I appreciate what the code of ethics is and how, in
particular, Dr. Palmisano operates in his practice, my recent
experience has been a little disconcerting.
    I was in a surgeon's office recently where the patient in
front of me requested a copy of her medical record and she
said, ``May I get a copy of my medical records, please?'' And
the person behind the desk said, ``To whom should we send the
record?'' And she said, ``I would like a copy for myself.'' And
she said, ``I can't release the record to you, but if you would
like to tell us who you would like us to send them to, we will
make sure the doctor gets the record.''
    She went through a huge struggle, and I then couldn't help
myself and suggested there was a law in the District of
Columbia that required that she get a copy of her record.
And
the nurse was furious and said, ``That is not our policy in
this office, we don't release records to the patients;'' and my
understanding, in talking to the nurse later on and the
doctor--who, by the way, I chose for his surgical ability and
not his adherence to privacy principles--I was really surprised
to find that at least in the District, there is something that
is considered to be common practice which is not to give the
record directly to the individual, even though there is a law
that requires it.
    So I think that, at least in my little experience, there
may be a real disjuncture between what the code of ethics is
and how people practice.
    Mr. Horn. On, quote, the record, unquote, what about a
xerox of the record? Are they worried about the complete loss
of the record? That is a legitimate worry for a doctor.
    Ms. Goldman. I assume so.
    Mr. Horn. I assume they would make a xerox to send it even
to another doctor, rather than lose that record. I would never
release a record like that.
    Ms. Goldman. The issue, at least in the circumstances I am
giving, is not so much whether it was xeroxed or not xeroxed,
but that the practice, the policy of that office was not to
release directly to the patient.
    Mr. Horn. I understand that; and I think the law is right
and the doctor's office was wrong, that the patient ought to
have a right to know, even if they can't translate the doctor's
handwriting and even if they don't know what some of the words
mean.
    Let me ask you, Dr. Johns, about audit tracing. Many
information technology systems can incorporate these records,
handling audit trails that maintain a log of each instance--
when each individual is looking at an electronic file. We have
that argument in Government as to who had access to these
files.
This makes it possible to generate a list of each time
and each individual who has looked at a patient's electronic
record.
    How prevalent are such tracing procedures in existing
health care information systems? Do they have that type of
situation?
    Ms. Johns. With electronic information systems, there are
usually provisions or functions for audit trails, and audit
trails are used in various ways. It is not that they are
included with the patient's medical record, but they are used
as one mechanism in a total security policy; and I think that
is important, to recognize that audit trails or tracings are
one avenue by which you can protect or identify breaches of
confidentiality or at least identify breaches of access into
the record.
    A total security policy should include good policies, good
procedures, very good employee education and training, in
addition to being able to select various types of technical
types of mechanisms that can protect information in an
electronic environment.
    Mr. Horn. I think one thing that worries a lot of us--and I
remember the testimony very clearly when Mr. Condit chaired the
subcommittee under the Democratic Congress, one of our
colleagues from New York had had her records stolen, and
entered into her political campaign. In other words, her
records were used against her.
    That was a very serious situation, and I think all of us
worry about the person who has access to those records in a
doctor's office, in a hospital, in an insurance company,
whatever the case may be. You could have a disgruntled employee
who decides to take copies of the records of the mayor of the
city and the biggest developer in town. They would be subjected
to blackmail or subjected to revelation of an embarrassing
situation by sending the information to the local newspaper.
    Now, what kind of audit system do we have in one's office
to say, who has access to these files?
As I go into offices,
what I see are rows and rows of paper folders. And often when I
go in, there is nobody behind the desk; if it is the noon hour
or whatever, somebody could walk through and say, that is an
interesting folder, I think I heard her on TV the other night.
So what do we do about that?
    Ms. Johns. In relationship to access to paper records,
normal practice is that when records are released, there is a
log that is kept as to who has requested that information and
for what purpose. This would be occurring in hospital medical
records departments.
    In regards to the instance that you were giving, as far as
like an employee who might want to access records, if they felt
they were going to be terminated, another good practice is that
individuals who are going to be terminated, their access
rights, in addition to audit trails, need to be terminated
prior to them being informed of their termination, or at the
same time, so that you have dual types of counterbalances, as
far as protecting that information.
    Audit trails, too, can have intelligence built into them so
that flags are set as to identifying potentially suspicious
types of activity. For instance, if an employee of the health
care facility was being treated in the hospital, any accesses
to that record would be monitored and flagged, if it would be a
health care provider that would be looking at the record who
didn't have the direct patient contact relationship, or if it
would be an employee within the institution someplace, where
they should not have access.
    So I think an important consideration with audit trails, as
well, or tracings, is that there is some mechanism by which
potentially suspicious activities can be identified.
    Mr. Horn. Should hospitals, insurers, doctors, and other
health care providers be required to incorporate such tracking
procedures in all the information systems?
    Ms. Johns.
I think that is an issue you have to look at in
context, and again, as I mentioned, audit trails are only one
technical aspect of a security program. You have other aspects,
such as passwords, access levels, audit trails, certainly, and
policies and procedures, as well as employee education and
training.
    So, I think you really need to look at the specific
application--how large the institution is, for instance--in a
smaller physician's office practice, the need for audit trails
when you have three people working in an office may really not
make much sense, as opposed to an institution where you have
5,000 individuals working and more people who have access, and
clearly all of them would not be involved with the direct
patient care.
    So I think it needs to be done, all of the guidelines need
to be presented, and then a mechanism of procedure for a whole
security program needs to be developed. I think that is going
to be varied from institution to institution.
    Mr. Horn. One last question before we move to the next
panel concerns administrative simplification.
    One of the objectives of the Kassebaum-Kennedy bill, which
was enacted into law, as I mentioned in my opening statement,
was to foster administrative simplification. This includes
creating common definitions for data elements and coding
practices.
    Three weeks ago, this subcommittee heard testimony on the
medical transaction system of the Medicare operation, and the
Department of Health and Human Services and their efforts to
develop a common provider identification number. Are we making
progress toward streamlining health care administration
practices and what barriers continue to exist? What do you see
happening in that area, Dr. Johns?
    Ms. Johns. As far as barriers in electronic patient
records?
    Mr. Horn.
Yes, and just how far are we from it.
    Are we getting into standardization based on software of a
particular vendor, or is that software related to the best
practices of your organization, the AMA and others?
    Ms. Johns. I think one very large barrier--and it has been
cited by other reports--the Institutes of Medicine and their
computer-based patient record report even back in 1991 cited
one of the biggest barriers is lack of standard, and a barrier
we certainly are experiencing is the barrier in regards to
confidentiality and having Federal legislation in regards to a
standard, uniform practice. And so, without some standard,
uniform practice, it makes it very difficult to either transfer
information--we have problems with standards in vocabularies
which, of course, agencies or groups like the National Library
of Medicine are certainly working on, other groups like HL-7
and ASTM standard organizations are working on. I think that,
because HIPA requires the Secretary of Health and Human
Services to adopt standards for national providers,
identification, payers, and patients by February 1998.
    We feel that this is a very good first step in helping us
get the standards that we need to build a national information
infrastructure, and I believe the NCVHS is currently holding
hearings on these issues, and additional information will be
available later this year, which certainly we will comment on
at that time.
    Mr. Horn. Well, we thank you for your comments on this
series of questions.
    We are now going to ask panel III to come forward and sit
with you. You can relax for a while and then we have some
comments, questions for both panels II and III. So if Dr.
Gabriel, Drs. Andrews and Hoge will come forward, we will
appreciate it. If the new witnesses will stand and raise their
right hands.
    [Witnesses sworn.]
    Mr. Horn.
All three witnesses have affirmed.
    Let's just go down the line, the way the agenda is.
    Dr. Sherine Gabriel, Department of Health Services
Research, Mayo Clinic, representing the Healthcare Leadership
Council, is first.

    STATEMENTS OF DR. SHERINE GABRIEL, DEPARTMENT OF HEALTH
  SERVICES RESEARCH, MAYO CLINIC, REPRESENTING THE HEALTHCARE
LEADERSHIP COUNCIL; DR. ELIZABETH ANDREWS, GLAXO WELLCOME INC.,
  REPRESENTING THE PHARMACEUTICAL RESEARCH AND MANUFACTURERS
   ASSOCIATION; AND DR. STEVEN KENNY HOGE, CHAIR, COUNCIL ON
   PSYCHIATRY AND LAW OF THE AMERICAN PSYCHIATRIC ASSOCIATION

    Dr. Gabriel. Mr. Chairman, members of the committee, I am
Dr. Sherine Gabriel, a physician and researcher at the Mayo
Clinic. Thank you for the opportunity to testify before you
today regarding the issue of medical records confidentiality.
    I am here this morning, as you just heard, on behalf of the
Healthcare Leadership Council. My testimony, however, will
reflect my own perspectives as a health care researcher. I will
address two fundamental questions: What is the importance of
medical records-based research to the public, and what is the
impact of legislation restricting access to medical records on
such research?
    I am privileged to work at a world-renowned medical
institution. Mayo Clinic's international reputation is a center
of excellence in medicine, which grew out of the commitment of
our founders, Drs. Will and Charlie Mayo, to integrate medical
research and education with clinical practice.
    The Mayo brothers perceived a duty to use the information
from medical records to answer important public health
questions, and in 1907, pioneered the concept of the unit
medical record, where medical data on each patient is stored in
one self-contained packet and kept in perpetuity.
This led to
the formation of the Rochester Epidemiology Project, the unique
national research resource which has been funded by the
National Institutes of Health for over three decades. It has
resulted in approximately 1,000 scientific publications,
analyzing thousands of diseases and medical conditions, and was
ranked in the top 1 percent of all NIH proposals when it was
last reviewed in 1995. The central element of the REP is access
to the complete medical records of all residents within a
geographically defined population.
    Medical records research is vital to maintaining and
improving the health of the American public. Virtually every
health hazard we know of today and countless medical advances
have been identified using information from medical records.
For example, if researchers had not been allowed to study the
medical records of patients with unusual immune deficiency
problems in the late 1970's, the characterization of the AIDS
epidemic would have been delayed at a huge cost to the public's
health. Similarly, characterization of Lyme disease required
collation of information from the medical records of the
children who presented with this condition in Lyme, CT.
    Other examples include examining the benefits and risks of
estrogen treatment, the health risks of smoking, of dietary
fats, obesity, certain occupations, studies leading to the
development of vaccines for polio and measles, and studies
showing the benefits of breast cancer screening. Without
medical records research, problems such as the Thalidomide
tragedy and the role of prostate specific antigens, the
controversial tests for prostate cancer, could not have been
resolved to the extent they are.
    You may have read in the newspapers last year that an
outbreak of flesh-eating strep was identified at Mayo in 1995.
Without access to the medical records of patients with these
unusual infections, characterization of this syndrome and
isolation of this deadly bacterial strain would have been
delayed and over 100 school children, which our research showed
were the unwitting carriers of this deadly germ in their
throats, would have gone untreated.
    Let's now turn to the second question: What is the impact
of legislation which restricts access to medical records? Such
legislation, in my opinion, threatens the very existence of
this entire category of medical research. This is because
people who do not consent are systematically different in
important ways from people who do.
    For example, people who don't consent may have had worse
outcomes, or they may be less satisfied with their care.
Studies which exclude these people would be biased; they would
simply give the wrong answer.
    Moreover, while research is clear on the point that people
who do not consent are systematically different from those who
do, the direction and magnitude of those differences are
completely unpredictable from study to study. So not only will
such research result in the wrong answers, but it will be
impossible to determine how wrong they are or in what
direction. Thus, the reliability and validity of the findings
from such research will be weakened.
    Inclusion of all qualifying individuals is the only way to
ensure that accurate conclusions are drawn in public health
medical records-based research.
Of course, such research--and
we recognize this--must be done while taking appropriate
measures for maintaining patient confidentiality, including
careful review and oversight by institutional review boards and
strict adherence to procedures restricting access to patients'
specific medical information.
    In closing, I want to comment briefly on what I believe is
an important driving force behind all of this, which is the
desire to keep personal medical information between the patient
and his or her physician, the old Hippocratic idea. As a
physician, a patient and a mother, I understand why this idea
is so appealing; however, in a complex health care environment,
it is an unattainable ideal.
    For example, in an average medical visit, the following
individuals and groups must have access to the patient's
medical record in order to best serve the patient: the
appointment office; the registration desk; all physicians,
physician assistants and nurses who provide care for the
patients, as well as receptionists and secretaries; medical,
nursing and other students and their mentors; all laboratory,
EKG, x-ray technicians who perform the necessary tests;
infection control officers who regularly survey medical records
for reportable diseases; continuous improvements staff who
strive to improve our health care processes; members of the
marketing department who seek to ensure patient satisfaction;
the business office for billing, the legal department,
insurers, and third-party payers.
    After all of this is taken care of, a qualified nurse
researcher, bound by the rules of the IRB and strict patient
confidentiality regulations could be abstracting clinical data
from the medical record which, after being stripped of patient
identifiers, will be combined with similar data from hundreds
of other patients to answer a specific public health question.
The type of legislation we currently have in Minnesota
influences only that nurse's access to the medical record and
has no impact on any of the other points of access.
    Mr. Chairman, legislation must be carefully crafted, such
that it ensures privacy of medical information, a very
important goal, and does not hinder medical scientific
research, as such interference will put the public's health and
well-being at risk for serious harm.
    Thank you for your attention.
    Mr. Horn. Well, thank you. You have raised some very
interesting questions that we are all going to have to grapple
with.
    [The prepared statement of Dr. Gabriel follows:]

    Mr. Horn. Our next witness is Dr. Elizabeth Andrews--I hope
I am pronouncing this right--Glaxo Wellcome Inc., representing
the Pharmaceutical Research and Manufacturers Association.
    Dr. Andrews. Thank you, Mr. Chairman, and thank you for the
opportunity to present our information. My name is Elizabeth
Andrews and I am director of Worldwide Epidemiology at Glaxo
Wellcome. I appear before the committee on behalf of the
Pharmaceutical Research and Manufacturers of America, or PhRMA,
to discuss our industry's views on data privacy in general and
H.R. 52 in particular.
I will summarize our full statement,
which will be provided for the record.
    It is clear that patients deserve to have medical
information kept in strictest confidence by those to whom they
entrust it. PhRMA companies honor that trust. Patients also
deserve answers to their unmet medical needs.
    This past year, the research conducted by our companies
yielded 53 new FDA-approved medicines, new weapons in the war
against 40 diseases, including AIDS, cancer, heart ailments,
and mental illness. Our continued progress depends on
aggressive, multifaceted research, including basic science that
allows us to understand disease processes, practical research
and development that enables us to discover and develop drugs
to treat disease. Clinical trials that demonstrate project
safety and efficacy, epidemiologic research that helps us to
know how drugs perform in the real world, identifying and
characterizing rare side effects or unsuspected benefits and
health services research that leads toward improvements and the
quality and cost-effectiveness of patient care. Federal policy
must accomplish twin objectives, protecting the privacy of
individual patients, while also protecting the continued
viability of research that promotes improved health care for
all persons.
    We believe these objectives can best be met by establishing
uniform national requirements for the handling of medical
information, defined to include genetic information. PhRMA has
three primary suggestions that should be included in Federal
requirements, but need specifically to be addressed in H.R. 52.
    First, the bill should recognize the process already in
place under regulations adopted by FDA and 16 other Federal
agencies to protect patient identifiable information used in
biomedical research.
Second, any new legislation or regulations
should preserve researchers' access to the full range of
potentially useful information about the incidence, prevalence,
and outcomes of illness, as long as individual privacy is
properly safeguarded. Only those data sources that directly
identify individuals need to be kept confidential.
    Third, uniform national requirements should provide
effective Federal pre-emption of State statutes. One of the
compelling reasons for establishing Federal requirements is to
provide a uniform set of rules that can be applied consistently
from State to State for research. With respect to clinical
trials, the current controls regulating FDA-monitored trials
are quite strict.
    Through standard operating procedures, companies ensure,
under Federal Rules, that personally identifiable information
remains secure in the offices of individual health care
practitioners who serve as the study investigators. The
sponsoring company has access only to the information that
needs to report to FDA, to verify results and to protect
patient safety. We are concerned that H.R. 52 does not
recognize the existing safeguards, the regulatory processes and
oversight mechanisms that exist. The National Institutes of
Health and the President's National Bioethics Advisory
Commission are already charged with examining the IRB process
and will develop recommendations for any improvements that are
deemed necessary.
    PhRMA is also concerned that H.R. 52 would restrict access
to certain data bases if they could be linked by codes to data
sources that identify individuals. These data bases contain
crypted identifiers and only through the use of a secure and
confidential key can specific patients be identified. In some
studies, it is necessary to use this key to link to other
sources of information about the patients to create a richer
more scientifically informed set of data.
These types of studies
need special precautions to ensure confidentiality of patient
information, but these studies are not concerned with the
identity of the patient, only with the scientific content, that
a patient's information can contribute to a study.
    A wide range of health-related data could be affected by
the provisions of H.R. 52, from Medicare, Medicaid and private
insurance claims data, to State-collected vital and health
statistics. Access to these data is important to generate
answers to many of today's pressing health issues that cannot
be answered through other mechanisms. Analyses of such data
have contributed to demonstrating the higher risk of hip
fracture in the elderly among those taking psychotropic drugs,
quantifying the risks and benefits of hormone replacement
therapy, documenting the underuse of beta blockers following
heart attacks and the resulting increase in mortality and
morbidity.
    Under H.R. 52, access to these data bases could be
construed to require for each reanalysis of the data, either
specific consent of each of the subjects whose medical
information is contained in the data base or the approval of a
certified IRB. Current regulations exempt such data from IRB
review and informed consent requirements. Such requirements are
unnecessary and do nothing to protect human research subjects,
whose identity is not revealed in such data bases. Instead, we
can protect patients' privacy without impeding research,
through careful encryption of data, effective security for the
key to encrypted data, tight security safeguards whenever
confidential information is accessed directly, and guarantees
of confidentiality by each individual who obtains confidential
information.
    In conclusion, the research-based pharmaceutical industry
respects the privacy of patients and the confidentiality of
information about them. We could not conduct our research if we
did not do so.
We urge that any changes in Federal
confidentiality requirements be drafted with great care to
ensure that medical research can continue to yield new remedies
and better ways of caring for patients. Thank you.
    [The prepared statement of Dr. Andrews follows:]

    Mr. Horn. Well, thank you very much. We appreciate that
testimony. We now have Dr. Steven Kenny Hoge, the chair of the
Council on Psychiatry and Law of the American Psychiatric
Association.
    Dr. Hoge. Thank you. Mr. Chairman, I am Dr. Ken Hoge. I am
testifying on behalf of the American Psychiatric Association, a
medical specialty society representing more than 40,000
psychiatric physicians nationwide. We are pleased to have the
opportunity to discuss with you privacy protections for medical
records.
    Patients come to physicians and entrust them with
sensitive, private, personal, and sometimes embarrassing
information because they believe that it will be used to help
them. Physicians acting in the interests of their patients have
controlled access to this information. As the guardian of
confidential medical record information, physicians have
protected patients' privacy. When third parties inappropriately
demand access to medical records, physicians refuse. When the
third party's right to access is uncertain, physicians have
acted as sentinels, alerting patients that others are trying to
seek the records.
    Physicians may take steps to protect records even in the
face of legal pressures.
Physicians have guided patients so \nthat even voluntary disclosures of medical information minimize \nprivacy intrusions. The physician's role as guardian of the \nmedical record has been recognized in professional standards, \nimpressed upon physicians in their training and acknowledged as \nlegitimate by the courts.\n    Recently, the traditional role of the physician as guardian \nof patient privacy has come under serious attack. Medical \ninformation has increasingly been put to uses that are not \nintended to serve patient interests. Third party demands for \naccess have increased with attendant risks to patient privacy. \nElectronic storage of medical information raises serious \nprivacy concerns, since these systems, by design, facilitate \naccess, transmission, and duplication of medical records.\n    In our written statement, we have submitted several \nprinciples that are important to maintaining the privacy of \nmedical records. Let me emphasize the following now. Medical \ndata is generated for the care and treatment of patients and \nshould be used to serve their interests. This can only be done \nif physicians continue to play an active role as guardians of \nthe medical record.\n    New information technologies should not be employed to \nstretch the limits of appropriate access that have been \nestablished in professional custom and law. Third, legal and \nethical sanctions for violations of patient privacy should keep \npace with developments in technology. Existing legal sanctions, \nsuch as breach of fiduciary duties, malpractice, breach of \nimplied contract, all help to protect confidentiality and \nprovider-patient relationships. 
These protections, which have \nbeen established in professional standards, statutes and case \nlaw, should not be undermined.\n    Appropriate legal sanctions need to be developed to cover \ninsurers, managed-care entities, and medical record data banks \nthat handle and store sensitive medical information but do not \nhave the\ntradition of the physician/patient relationship. Throughout \nyour deliberations, please remember that patient privacy is \nfragile, and that once it is lost, it cannot be regained and \nits loss cannot be truly compensated. I will be happy to answer \nyour questions.\n    [The prepared statement of Dr. Hoge follows:] \n    \n    Mr. Horn. We thank you very much for that statement and I \nam going to put in the record the comments of the Health \nInsurance Association of America. They were invited to testify, \nbut they were not able to make it, so their statement, without \nobjection, will go in the record at this particular point. They \nraise some interesting questions, which we might get into \nduring the question period here.\n    Let me just ask all of you here, what type of penalties are \nappropriate for individual medical privacy rights and if \nsomeone violates them, what do you suggest? Let's just go right \ndown the line.\n    Ms. Goldman.\n    Ms. Goldman. Thank you. Well, I certainly believe----\n    Mr. Horn. You did the right thing. You pulled the \nmicrophone toward you. All those microphones need to be pulled \ntoward you. 
This was built in the 1960's, but they use the \n1890's sound system, so we have a problem.\n    Ms. Goldman. I certainly believe that any Federal law \nshould incorporate a variety of remedies. One remedy is not \ngoing to be sufficient. There should be a private right of \naction that gives an individual the ability to come in and \nbring a lawsuit against someone who has harmed them. Also, I \nthink that an appropriate Federal agency, such as HHS, should \nbe able to assess a civil penalty, so if the individual can't \nafford a lawyer, the Government can come in and say you have \ndone wrong. And I also think, under very egregious \ncircumstances, there should be criminal penalties as well.\n    Mr. Horn. Well, if there is a criminal penalty, what should \nit be? I mean, is it a misdemeanor or is it a felony, let us \nstart there.\n    Ms. Goldman. Well, I think that by the time you reach the \nlevel at which you would be liable for criminal penalty, I \nthink you should be looking at a felony. A criminal penalty, \nparticularly under a number of the proposals that are out \nthere, would be where there has been intentional, malicious \ndisclosure of personal information, where there is a course of \nconduct over a period of time, the person----\n    Mr. Horn. Pattern and practice.\n    Ms. Goldman. Pattern and practice, flagrant violator, \nshould certainly be a felony.\n    Mr. Horn. What is your feeling, Dr. Palmisano?\n    Dr. Palmisano. Thank you, Mr. Chairman. The American \nMedical Association believes penalties and sanctions for \nunintentional disclosures of identifiable patient information, \nwhere the disclosure does not result in demonstrable harm to \nthe subject of the disclosure should be commensurate with the \nviolation. 
Repeated such unintentional disclosure should \nreceive stronger penalties if they indicate a negligent \nbusiness practice.\n    Penalties and sanctions related to improper disclosure for \ncommercial purposes, profit malicious purposes or where there \nis significant patient harm should be more stringent. In \naddition to monetary sanctions, legislation could include the \nloss by a data base company, for example, of its privilege to \nhold or transmit protected medical information, thus reducing \nthe potential for companies to accept the monetary penalties \nfor improper, intentional disclosures, as a cost of doing \nbusiness.\n    In other words, we don't want them to say, well, gee, there \nis this little penalty. We will just pay it because we are \nmaking so much money here, but they would lose the right to \nfunction in that capacity in the future.\n    Mr. Horn. Has your association considered the thought of \ncompulsory arbitration, rather than going through the court \nsystem? Some associations do this. I mean, the patient would \nsign either mediation, which is not compulsory or a compulsory \narbitration agreement. Rather than going into court on some of \nthese, they would sign that if something happens to the record, \nlet's say, you would have compulsory arbitration, and that \nwould be, perhaps, an arbitrator picked by the patient, one \npicked by whoever, the doctor or hospital, whatever the \nviolation source is, and the two usually pick a third.\n    Dr. Palmisano. The American Medical Association for years \nhas been in favor of alternative resolution mechanisms to the \ncurrent court system. We believe it is expensive and very \ninefficient and that does not serve both sides very well, in \nour opinion. In this situation, I guess there would be two \nissues. 
The first issue would be how would you resolve the \nissue and we certainly have been in favor, as an association, \nof voluntary binding arbitration?\n    For instance, in Louisiana, we have that as an alternative \nto the court system, if both sides agree prior to the event \noccurring, and there is a period of time, a cooling off period \nwhere you can change your mind, but after that, it is a binding \narbitration. So in general, we are in favor of that. The next \nissue goes to the penalty phase of it. Would the arbitrator \nhave available to him or her certain penalties that would be \nmandated to follow, based on how egregious the act was and so \non?\n    Mr. Horn. That would be the civil side of it, certainly. \nObviously, they wouldn't be getting into the criminal side. But \nyou also have the sort of rent-a-judge approach in many \njurisdictions where X judges regularly decide very difficult \ndisputes and both parties agree and it gets it out of waiting 1 \nor 2 or 3 years to come up in some court systems.\n    Dr. Palmisano. In general, the AMA has been in favor of \nsuch methods, where we could have alternative ways to resolve \nthat. We just want to make sure there is fairness, due process \nand so on.\n    Mr. Horn. Dr. Johns, any feelings on this?\n    Ms. Johns. Mr. Chairman, part of our model legislative \nlanguage and key provisions for national regulations in regard \nto this included civil and criminal penalties. Now, as far as \ndistinguishing felony and when that should occur and so forth, \nI don't believe that we had gotten into that particular detail. \nI do feel comfortable in testifying, however, that the \nprovisions, as they are stated in H.R. 52, is something that \nour association supports.\n    Mr. Horn. Dr. Gabriel, do you have any thoughts on that?\n    Dr. Gabriel. Not really. I would agree with what has been \nsaid before. 
I think it really depends a lot on the type of \nabuse, the motivation for it, whether the abuse is for \ncommercial reasons, whether there has been patient harm, and I \ncan tell you that in our own institution and I know in many \nothers, even the mildest level of abuse results in termination \nof employment. So I think there has to be that and that the IRB \nhas an important role in monitoring it and making sure those \nabuses do not occur.\n    Mr. Horn. Dr. Andrews.\n    Dr. Andrews. Well, first tight controls over data within \nthe research setting are effective in preventing these types of \nviolations. However, we do also concur that there should be \npenalties and that those penalties should be commensurate with \nthe disclosures. PhRMA has developed no specific \nrecommendations about penalties.\n    Mr. Horn. Dr. Hoge.\n    Dr. Hoge. I think the only thing I would add, I think it is \nimportant for all of us to keep in mind confidentiality is sort \nof a tricky thing to regulate, that once privacy has been \nbreached, suing someone doesn't do you much good. The fact they \nare punished may not do you much good. Internally, in a \nhospital, terminating an employee, I think obviously makes a \nlot of sense, but what we see over and over again is that the \nresult of bringing a lawsuit or seeking some kind of legal \nredress would be wider dissemination of the information that \nthe person wanted to keep confidential in the first place. So \nthere is a little difficulty here.\n    At the APA, we have seen criminal penalties wax and wane in \nvarious versions of the bills. No penalty is too severe if the \ntransgression is severe, assuming the underlying rules are set \nappropriately.\n    I do want to add one other comment. You asked the earlier \npanelists if they had any disagreements. I think the biggest \nfault line I perceive in this issue over the last 3\\1/2\\ years \npertains to the pre-emption issue. 
I think it is--my view is it \nis beyond a doubt, the APA has spent countless, hundreds of \nthousands, if not millions of dollars over the last generation, \ndeveloping case law, statutes in States all over the country.\n    We were instrumental in the Jaffey v. Rudman case. It is \ncited prominently in your draft bill. I think it is not correct \nto say that privacy is not protected in this country or that \nthe States aren't doing an adequate job. Many States and many \ncourts are doing a very adequate job. So I think the pre-\nemption issue is an issue, and I think to put the whole moose \non the table, that the people who are interested in pre-emption \nare interested in the efficiencies that pre-emption would \nprovide, not in privacy protection.\n    I think it is clear if a State wants to come along and \nraise the bar from any Federal law that might be passed, that \nthat can only help patient privacy. I don't see any logical way \nof getting around that conclusion. So I think we need to \nunderstand now we are talking about privacy versus efficiency, \nand obviously the APA is going to come down on the side of \npatient privacy.\n    Mr. Horn. I note in the Health Insurance Association of \nAmerica testimony, this is the last time I will cite it, but it \nis relevant to this question. They say under Subtitle E, \nenforcement of the Condit bill: ``We find it troublesome that \nthe act creates a private right of action and the right to \nobtain punitive damages. Such provisions raise the potential \nfor a large increase in frivolous litigation. Regulating health \ninformation does not require creating a new cause of action. We \nsuggest that broad exceptions should exist for inadvertent \ndisclosures and those made in good faith and plaintiffs should \nbe required to show specific harm.''\n    Are there any reactions, anybody, to that? It is a little \ndifferent than some of your testimony, so I thought I would \nthrow that in for the record.\n    Dr. 
Palmisano. Mr. Chairman, just one comment about \nfrivolous actions. The American Medical Association is on \nrecord repeatedly that we are in favor of anything that \ndiscourages frivolous actions and certainly in the Health Care \nQuality Improvement Act, which created certain protections for \npeer review and also created the National Practitioner Data \nBank.\n    There is a provision in there that if someone files a claim \nwithout merit, and so on, that the individual can be \nsanctioned. And certainly I think in any legislation that we \nneed to look at situations for people who don't really have a \nbasis for it, and do this just to harass. So we would be in \nfavor of something of that nature.\n    Mr. Horn. That is a serious problem, without question, in \nsome types of litigation. I think I said a year ago, when we \nwere able to override the President's veto, when he was sort of \ndefending that, 1 or 2 years ago, I guess it was, the fact is \nthe American Bar Association, if it wants to be a professional \norganization, ought to be dealing with these matters. That is \nwhat professions are supposed to do, regulate their members. We \nhaven't seen it yet. Maybe some day they will decide they are a \nprofession and do something about it. It is despicable, some of \nthe filings, absolute blackmail. And that is what has Congress \nupset in this area.\n    For those where you have a true pattern and practice, that \nis something else. However, where you simply have somebody \nfishing around, trying to, in essence--and I went through this \nas a university executive and president. They filed suits and \nthey figure you will buy them off at $10,000 a month or \nsomething, and if you got 50 suits filed, that is a pretty good \nincome. 
So that is serious, how we deal with this and try to \nget the people that are really violating the law, versus the \nsort of snooping expeditions or whatever we call it, where we \njust have that kind of conduct by a small handful, less than 1 \npercent or one-tenth of 1 percent, but enough to be annoying. \nSo let us see here.\n    All the panel has really taken a look at this one. Under \nH.R. 52, Secretary of Health and Human Services would be \nrequired to develop standards for maintaining the \nconfidentiality of patient health records. Health care is \nprovided in a wide diversity of settings in the country and \nthey are pretty well represented here. We could have had \nanother panel there 50 feet long and health care is provided in \nthese settings, ranging from single practitioners in rural \nareas who provide care at multiple locations to large \ncentralized hospitals. Can we expect a single records \nmaintenance standard to be appropriate in all these different \nsettings? If not, how should we take the differences into \naccount?\n    Any feelings on that? Let's start with Dr. Hoge.\n    Dr. Hoge. Are you asking me about my feelings because I am \na psychiatrist?\n    Mr. Horn. Sure, that is what I hear psychiatrists ask \nabout. My one course in psychology taught me that.\n    Dr. Hoge. I have some thoughts on that. I think it is \nextremely difficult to regulate the use of medical information \nin all the various contexts.\n    You mentioned going from research to data base to provision \nof health care, and I think that is one way in which many of \nthe draft bills have gone off course. We know a lot about how \nto regulate physicians because we have had physicians and \npatients for as long as we can remember, and we have had case \nlaw and profession--we have had professional standards and \nprofessional training now for, again, as long as we can \nremember, as long as our grandfathers can remember. 
So we know \na lot about that.\n    And the bills kind of take an outline from how we think \nabout doctors and try to make everyone else fit into that \noutline. I don't think it does a very good job. I think this is \na strange way to make a law. I think it would make a lot more \nsense, if we need a Federal bill concerning physicians and it \ndoesn't undermine existing State laws and case laws of \nmalpractice, so be it.\n    I think what is really needed in 1997 and in the future are \nlaws that regulate data banks, managed care companies, \ninsurers, and all of the entities now that have come to hold \nmedical information that 30 or 40 or 50 years ago no one had \neven heard of these entities. I think it is particularly \nimportant because of the march on information technology. If \nyou think up an information technology journal, you will see \nthat some people believe that the insurance record and the \nmedical record will be the same thing when we have all the \ncomputers up and running and software available. I find that a \nfrightening Orwellian future. So I think what we need is some \nsort of regulation that starts to look at these other entities.\n    I think we also need to keep in mind, like the various \npanelists earlier acknowledged, the physician should be the \nonly one to change the record. They know the patients. They \nknow what they are worried about, their privacy concerns, and \ntheir health care problems.\n    Our professional standard requires that physicians look out \nafter the best interest of patients. That is not true of any of \nthe other entities that I have mentioned. So we need to have--\njust like the physician should have certain prerogatives in \nthat setting, with regard to that question--certain \nprerogatives with regard to the use, disclosure and \ndissemination of all health care records. Data banks should be \nrelatively restricted and tightly regulated ways in which they \ncan use health care information.\n    Mr. 
Horn. You mentioned Orwell. Do you see physicians sort \nof using their own personal code in some of their records so if \nthey did get misused by one of their staff or any of the food \nchain along the way, so to speak, that it would be very \ndifficult to know what that number or that letter meant unless \nyou had a subpoena and you were a witness in court where you \nwere asked to translate it, something like that? But the \naverage person who wants to make trouble in the publicity sense \nwould not know what that means.\n    Dr. Hoge. Well, of course we spend 4 years in medical \nschool learning terms that no one else can understand.\n    Mr. Horn. That is the making of a profession.\n    Dr. Hoge. Right, make up your own language.\n    But the serious answer to that I think would be this: I \nhear psychiatrists increasingly tell me I have changed the way \nI write my notes now, changed the way I keep records, because I \ndon't know who is going to see it. When the insurance people \ncome in and review the charts, I don't know if the insurance \nreviewer is really a friend, a neighbor of the patient. Some of \nthat gets entered into various data banks. I don't know who is \ngoing to see that. So we have a number of things.\n    We have patients who say, I have insurance and it does \ncover some mental health care, but I don't want to use it \nbecause I know it is going to go and the records are going to \nbe reviewed by--it may make its way back to my corporation \nbecause we have our own in-house review of insurance payments. \nSo I don't want to use it. I want to pay out-of-pocket.\n    Of course, it is a sorry state of affairs in this country \nthat we don't have mental health coverage on par with many \nother countries, however even when we do, people feel they \ncan't use it. 
Prominent politicians, on occasion they have many \nways they can be hurt by mental health treatment records.\n    Then I have physicians telling me, psychiatrists telling me \nI don't put very much in the record now. So if I want to go \nback now and look 5 years ago, my records are very detailed. \nBut 5 years from now, if I want to look at my record, I am not \ngoing to have exactly the same kind of information. It's going \nto take more reconstruction to get to that.\n    So what we are seeing, because of this march of technology, \nthe lack of regulation of insurance companies and other people, \nI think we are seeing an erosion of the quality of medical \nrecordkeeping in this country already.\n    Mr. Horn. Let me throw another question into it, and maybe \nyou can all just go down the line and answer two of them, \nbecause it is relevant here.\n    That question is, should a Federal medical privacy law such \nas we are considering, not necessarily the one we are \nconsidering but a law, pre-empt all State laws, or should we--\nand a lot of Californians feel this way when it gets to air \npollution and control of frozen chicken and other hearings we \nhave held around here--if the State has a stricter standard, to \nlet the State standard apply if it is stricter than the Federal \nstandard?\n    And I would also like to hear from all of you some time \ntoday, is there a State law that you think is the best law in \nthis area right now? And of course States, as you know, have a \nsystem, if we have got a good law, trying to get the uniform \ncode activity of other States with that model statute across \nthe country.\n    So we face the problem of what is that relationship if we \ndo do something in Federal law and we have sort of given the \nHHS Secretary an anointment which maybe she shouldn't have, and \nmaybe Congress ought to battle these things out. Because they \ndon't have to listen to people. 
We do have to listen to people.\n    That is where we are on that one, and I would just like to \nknow what your feelings are in that whole jumble: What is the \nbest State law and should there be Federal pre-emption, et \ncetera?\n    Dr. Hoge. On what is the best State law, I think that is \ndifficult to sort out, because much of the law is incorporated \nin either State laws or it is instilled in professional case \nlaw and practice, and that may vary somewhat from jurisdiction \nto jurisdiction. But, increasingly, physicians are held to a \nsingle national standard. So I think finding out where the best \npractices are and the best regulation will be a very, very \ndifficult thing to sort out.\n    Regarding pre-emption, as I alluded to earlier, I think \nthat is the major fault line in this legislation. Because many \nof the bills that I have seen I think would erode existing \nprivacy protections in this country, with regard to physician/patient relationships and the systems that physicians control, \nwhich are held to, I think, a fairly stringent standard under \nmalpractice law and existing case law.\n    I think we need to keep in mind that the only arguments for \npre-emption are arguments of efficiency and ease of \ntransmission of information. There is no way to justify, if you \ndo come out with a law which sets the bar at a certain level, \nif a State wants to raise the bar, that can only be protective \nof privacy. I don't see any privacy argument against a nonpre-\nemptive Federal law.\n    Mr. Horn. Dr. Andrews.\n    Dr. Andrews. Yes. First, I would like to respond to your \nearlier question about different controls in different \nsettings.\n    There are certain universal principles about data \nprotection such as the need of safeguards for personally \nidentifiable data and penalties for severe breaches as we \ndiscussed. 
But the specifics are very different, as you \nmentioned earlier today, and in writing the legislation, the \ndevil really will be in the detail; and we should be extremely \ncareful in those details should they be put in the legislation \nso that those details do not inadvertently create barriers to \nresearch that will ultimately benefit the public in the long \nrun.\n    Regarding specific State legislation, first of all, let's \nnot use Minnesota as an example of model legislation. I think \nthat was probably very carefully crafted legislation and yet, \nas you have already heard, the Mayo Clinic has an incredible \nrecord of some of the most distinguished, productive, and \ntightly controlled research; and we have already seen that the \nMinnesota law creates some impediments to future research using \nthat valuable resource.\n    Regarding pre-emption, one of the compelling reasons for \nFederal requirements is to provide a uniform set of rules; and \nif individual States are permitted to add additional \nrequirements, then the benefits of those uniform rules may be \nlost and researchers will again be faced with an inconsistent \npatchwork of requirements that may impede research and hurt \npatients. We need to remember that much research today does not \nknow geographic boundaries and involves multiple States and \nmultiple countries.\n    Mr. Horn. Dr. Gabriel, how about it, in terms of the single \nrecords maintenance standard appropriate in all settings? And \ndo you agree that the Minnesota law has those major problems \nyou have heard about from yourself and others?\n    Dr. Gabriel. I absolutely agree. In response to both of \nyour questions, one size does not fit all. Integrated health \ncare delivery systems like Mayo are different. A patient can \naccess the system at 100 different points, can see numerous \nproviders. There are dozens of referrals going on all the \ntime. It is hard to even define what constitutes a point of \naccess. 
So I don't think the same rules can apply to an \nindividual provider as to integrated health care delivery \nsystems like Mayo.\n    There really has to be a way to facilitate the appropriate \nflow of information, because that is our strength, is that we \ncan do all of this, that the lines are going in all different \ndirections to the benefit of the patient.\n    In fact, with our recent experience with the Minnesota law, \nwe have a partner in Rochester, a much smaller center, who have \nhad far fewer problems. Because everyone comes in the same \nfront door, and their system is basically sticking a red sticky \non the chart, and if you see a red sticky, don't read the \nrecord. But we have to have a very complicated information \nmanagement system that is constantly updated, and we are always \nlooking at where the patients are going, so it is an entirely \ndifferent kettle of fish.\n    We favor pre-emption to the State law, again, for the same \nreason. Mayo operates in five different States. Our patients go \nback and forth from one State to another. Our research covers \nmore than one State. So it just makes a whole lot of sense to \nhave uniformity.\n    Mr. Horn. If Minnesota law doesn't meet the test of your \nparticular standards, are you aware of any State law that comes \ncloser than Minnesota?\n    Dr. Gabriel. I am not.\n    Mr. Horn. OK. Well, I would say to all of you when you go \nback on the plane or train or bus or whatever and have some \nthoughts in this area, please write us. We will put it in the \nrecord at this point and others. Because what we are interested \nin is the best thinking in this area that is going on. \nObviously, six people don't represent all of the best thinking \nin America, but it is a start.\n    For your professional associations and their high-paid \nstaff, we would certainly welcome actual line-by-line criticism \nof the bill. 
That might not be the bill, but that is a start--\nor the Slaughter bill or whatever you want. And we would like \nyour specific criticisms so we can get the total picture.\n    We don't enter into this with a lot of preset ideas, except \nmaybe on frivolous lawsuits. But we would like your thinking \nline-by-line. If you have a thought, don't be bashful.\n    So let's ask Dr. Johns. How do you feel on the diversity of \nthe setting? Do you think we can do a law that has the basic \nstandard that can cover all that diversity? And if you know of \na State law that does this well, we would like to hear about \nit. And do you think there ought to be Federal pre-emption?\n    Ms. Johns. First of all, HIMA is in favor of pre-emption. \nAnd I think when we look at the issue of confidentiality we \nalso have to separate issues of confidentiality and security \npractice.\n    In regards to the confidentiality in H.R. 52, we are \nlooking at inclusions of key provisions in regards to health \ninformation, as opposed to carving out regulations for specific \ntypes of entities.\n    New entities in the health care industry arrive on almost a \ndaily basis, so to regulate individual entities does not, in \nour minds, seem to be either feasible or reasonable. However, \nfocusing directly on the health information that can be within \nany type of entity is the important part of H.R. 52; and we \nhave key provisions such as access, such as disclosure, such as \nlimiting information in order to--for specific use to perform a \nspecific responsibility, and also provisions on redisclosure. \nSo from that aspect, looking at it from that perspective as \nopposed to separate entities we think is very, very important.\n    We also feel, as I mentioned, that we need a national \nstandard. We don't have that now. And we need to--it is so \nimperative that we begin to address this issue on a national \nstandard.\n    Also, data does cross State lines. 
Integrated delivery \nsystems themselves may have facilities in two, three, four, \nfive, and many more States. So the issues regarding the health \ninformation need to be standardized across the country.\n    Another point that was made by Dr. Hoge is the issue of \npatients feeling comfortable with being able to confide in \ntheir health care providers. And certainly previously I pointed \nthat out in our testimony, that one of the mainstays of \nconfidentiality is this confidence that the patient has in \nbeing able to share information.\n    The kinds of situations that we are encountering today \nwhere patients withhold information and providers are not as \nspecific with regards to their documentation result from not \nhaving general pre-emptive legislation that ensures all of us \nthat we will have confidentiality and privacy.\n    In regards to identifying a specific bill throughout the \ncountry and the State, I am not aware of that; and I am not \nprepared to provide that information at this time.\n    Mr. Horn. Well, we would certainly welcome any thoughts \nyour organization has. You have got a vast group out there. Or \ncomplaints where--please don't take this portion of law; it \ndoesn't work.\n    Ms. Johns. We would be happy to provide that.\n    Mr. Horn. Dr. Palmisano.\n    Dr. Palmisano. Thank you, Mr. Chairman.\n    Regarding pre-emption, the American Medical Association is \nof the opinion that without a showing that the proposed Federal \nstandard would be properly protective of patient privacy, any \nFederal law should provide a floor rather than a ceiling when \napplied to patient confidentiality protections. It is \nunderstood that there are many who believe that there should be \na uniform Federal standard to facilitate electronic data \ninterchange.\n    The AMA is concerned, however, that heightened standards \nwill be lost to Federal legislation. 
If, however, the law is \nhigh enough to secure protection of patient information in the \nFederal language, the AMA would revisit the pre-emption issue.\n    I think Dr. Hoge's comments are issues we share concerns \nabout. We think there are many concerns in States, and tomorrow \nthey may pass a new law in a State that is ideal, and it is \nperhaps quicker to go through a State if we see a problem with \nconfidentiality and raise a standard at a State level. So we \nthink at the present time it should be a floor, not a ceiling.\n    Regarding the uniform coding issue, we don't have a \nproblem--for simplification, we don't have a problem with the \nprovider identification number. For instance, the American \nMedical Association has an identification number for \nphysicians. We would like that to be considered as a number \nthat would be appropriate for physicians.\n    Regarding a patient identification number for \nsimplification, we are very much concerned about that; and we \ncontinue to study that. Our testimony in the past and continues \nto be at the present time, we are opposed to a unique patient \nidentifier because it can too easily be linked up with Social \nSecurity numbers and other mechanisms that would allow someone \nwho doesn't have the right to get there to gather a lot of \ninformation about the patient. We have a lot of concern about \nthat.\n    The other issue on uniform coding and so on, we certainly \nthink that the current procedural terminology that is in place, \nCPT coding system, it is in common use; and we hope that the \nchoice of coding system will allow for the CPT to compete \nfairly with any other system that is being considered.\n    Regarding the wide range of practices throughout the United \nStates, from clinics to small practitioner, I certainly don't \nwant us to forget the small practitioner who may be a family \npractitioner in a small town, and this individual finds the \nadministrative burdens continue to increase. 
Managed care has \ndrastically affected the practice of medicine throughout the \nUnited States, and any other burdens might cause that \npractitioner to say it is not any fun, I can't do for my \npatients what I need to do for my patients, and we will see \nphysicians retiring earlier, leaving communities, and that is a \nproblem.\n    So any law that would eventually be passed by Congress, we \nwould hope that it would not create burdens on individuals who \nelect not to get involved in that methodology. If they are \nworking just in their area and not transmitting the data, it \nwould be on a voluntary basis. So someone doesn't say, now I \nhave to buy a very expensive computer system; I have to bring \nin consultants. And many times, after that is over with, the \nphysicians find out after they have spent a lot of money and \nthey are not any better off. In fact, they are worse off \nbecause nobody understands the system.\n    So we want to make sure that those who elect not to be \ninvolved in transmission of data to central data bases, they \ndon't have to do that. And whatever comes out of Congress we \nare concerned about some clearinghouse in the sky where all of \nthis data is going to be there. We are concerned about someone \ngetting in and cracking into that information; and, as you have \nheard multiple times today, privacy has to take the No. 1 \nposition over efficiency.\n    Mr. Horn. Since I grew up in rural America, I am very \nsympathetic with the type of examples you have cited and \nothers.\n    Now it seems to me the AMA, as a professional association, \nmay sponsor workshops in which physicians or their office \nadministrators could be educated and trained and specialized \nsoftware. Do you develop software that can be used nationwide \nthat would solve a lot of these problems? We do not want to \ndrive that poor individual physician who was taught to do good \nin medical school out of serving rural America.\n    Dr. Palmisano. 
Yes, sir, we have extensive programs at the \nState level and the American Medical Association level.\n    And I know I will hear this--I am in practice before the \ncolleagues, and when I get back and sort of give them a recap \non how we are participating, our great civics lesson, in \nAmerica, the greatest land in the world, how through democracy \nwe can give our voice. And then my partner, who is my mentor in \ntraining, he just always looks at me and says, come back to the \nreal world here. Do you realize what we have to do here? Do you \nrealize the administrative burden? Why I don't leave here until \n8 at night even though I have an office manager. We have to \nhire consultants to come in.\n    He is as sophisticated as anyone I ever met with computers, \nwith the methodology to make sure everything is kept proper. \nBut he says it is a tremendous burden.\n    So I always listen sympathetically and say, ``well, I know, \nbut we just want to make it simple and make sure our voice is \nheard.''\n    And he says, ``we already know how to do it. The problem is \nthe rules keep changing.''\n    For instance, when the fraud alert two came out, I had \noccasion to be treating a very prominent member of our \ncommunity. His wife and he had some connection with the \njudicial system, and he was upset because I was an hour late. I \nsent word because there was an emergency I had to run into the \noperating room and lend a hand with a very critical patient, \nand when I got there he started to lecture me as he often does.\n    And I like him a lot, and I listened, and I said, ``Sir, if \nyou would sit down and help me understand an alert I just got \nfrom our Federal Government about fraud alert two, which had to \ndo with if you write off the balance of a patient, that is \nconsidered a crime.'' I said I don't quite understand that. It \nlooks like it says that in English. 
And he said that just can't \nbe so.\n    So I went and treated his wife and came back, and he says, \n``I just can't believe that.'' I said, ``That is part of the \nadministrative burden.'' We have patients that come up. I don't \nwant to do means testing on my patients when they say, \n``Doctor, can you just accept the assignment?'' Sure, I will \naccept the assignment, but now I have to do means testing.\n    Those are the many, many little things that keep coming up; \nand one little thing doesn't sound like a lot, but if you add \nanother thing and another thing and another thing, that gets to \nbe a lot.\n    I am trying to treat the sick and help people. When I can't \ncure them, I want to comfort them. But I am just getting \noverwhelmed by the burden. And no matter what comes out, \nwhatever we call it--we can call it simplification, call it \nprivacy, but we don't want to create a burden that is more \nburdensome. We don't want to create a system that allows \nsomeone--like in other countries that kick down the door in the \nmiddle of the night and say I am just here to inspect and make \nsure there is no fraud going on in this home. This is the land \nof America. So that is our plea.\n    Thank you.\n    Mr. Horn. Well, I know a lot of doctors in my urban \ncommunity that completely agree with you about the burdens that \nhave been placed on the private physician; and, as you suggest, \nsome of them are being driven out of the profession by simply \nthe water treatment harassment that they are getting. Whereas \none or two drops wouldn't bother you, but when it adds up to \nNiagara Falls coming in your direction, you worry a little bit.\n    Ms. Goldman.\n    Ms. Goldman. 
The position that I am taking on pre-emption \nin this Congress is slightly different than the one I took last \nCongress, and I would like to just lay out how I have arrived \nhere.\n    I have come to believe that pre-emption of State law in the \nprivacy area is not the right approach to take. First of all, \nthe States that currently have laws on the books that deal with \naccess to records and allow people to limit disclosure of their \nown records are being complied with right now by the people \nsitting at this table who say it would be unworkable to have a \nFederal law that allowed for States to pass those. Right now, \nwe have 50 different States with 50 different approaches, and \npeople are not only managing to comply with those different \nlaws, they are flourishing and doing quite well.\n    The second thing is that, with the passage of a Federal \nprivacy law, regardless of where the floor was, most States, I \nthink, would feel that the issue had been addressed. The States \nthat have been extremely active right now in passing \nlegislation are doing so because there is a vacuum, because \nthere is a serious need, either because there has been a story \nin their State or a problem in their State and they have to \naddress it.\n    And the States that have been particularly active are your \nhome State, Mr. Chairman--California--Minnesota, New York, and \nMassachusetts. 
Where they have active consumer groups, the \nStates' attorneys general have been active in those States; and \nwhile they may have passed laws that are imperfect from the \nperspective of the pharmaceutical industry and the health \ninformation industry, they are fulfilling a need.\n    So I would say in this area we can not only create a floor \nwhich is a high floor so those States that are weaker or \nproblematic are, in effect, pre-empted, because the State law \nmust meet that floor, but it would discourage other States that \nwould say ``finally Congress has addressed the issue, we don't \nneed to be tinkering with it.'' And I think it would allay a \nlot of concerns that the pro-pre-emption folks have been \npressing, which is how would we comply with a few variations in \nthe Federal law, when right now they are dealing with 50 \nvariations.\n    The only other point I want to make is to pick up on \nsomething Dr. Gabriel said, that one size doesn't fit all. One \nsize probably doesn't fit all, that if we do create a Federal \nflaw--floor--excuse my New York accent----\n    Mr. Horn. It is either a Freudian or Jungian slip.\n    Ms. Goldman. No, it is my accent. If we do create a floor \nwhich is a high one, I think then only States where there have \nbeen very serious, egregious violations and States with \nparticular instances they want to address will enact \nlegislation. The context is very important as well.\n    I have worked in the privacy and civil rights area for a \ndecade, and there is no other Federal privacy law or Federal \ncivil rights law that pre-empts State law, and I think it would \nbe a dangerous precedent to set. Those laws recognize that the \nprivacy law is meant to do something good, to protect an \ninterest that is considered vital to a national interest; and \nif a State finds it is important to go above that floor, they \nshould be free to do so. 
I think particularly in this instance \nit would be wrong to constrain the States.\n    Mr. Horn. OK. Any other comments you have heard your \ncolleagues on that you would like to correct now that we are \ndown to number 6?\n    Dr. Hoge. No corrections.\n    I might bring to your attention Senator Leahy's draft bill \nwhich is, I think, going to be introduced in the next couple of \nweeks which I think provides a reasonable platform on many of \nthese issues.\n    Mr. Horn. We are in contact with the Senator's staff on \nthat, and we have worked with Senator Leahy on various \noccasions.\n    Let me get back to fraud detection. One criticism leveled \nat H.R. 52 by the insurance community is that it would inhibit \nantifraud activities. Insurance companies would be limited in \nthe claims investigations they would perform. Should there be a \nspecific exemption for claims investigation and antifraud \ninvestigations? Anybody have a strong view on that?\n    Dr. Hoge. Yes, I do. It is not clear to me why the \ninsurance industry would say that. There are many countries \nthat have national health care systems that don't intrude on \npatients' privacy the way they are proposing. There are many \nways of detecting fraud and abuse through billing patterns, \nnumber of billings today, without getting access to \nidentifiable, protected, sensitive health care information.\n    It is just being done throughout the world in other ways, \nincluding Canada which has a society not so different from \nours, again by looking at patterns of billing rather than \nspecific, identifiable information.\n    So I think once they have justification----\n    Mr. Horn. Let me stop you right there. 
Let me be sure I \nunderstand you.\n    Often what we are talking about is some software has been \ndeveloped that when a certain type of operation is performed, \nlet's say, there are certain things that relate to that; and one \ncan look through the bill in a systematic way and even by \nsoftware that would say, well, gee, I wonder why this was done. \nThat isn't normal or usual with this particular operation.\n    To give you a real horrible example, a woman, not in my \ndistrict, but in a neighboring district, wrote about going to a \nhospital, having a particular type of operation she went in \nfor. In the process of being there, they also did a mastectomy, \nclaimed the bill. She thought that was strange since she had \nhad a mastectomy 10 years before.\n    So, obviously, there are some things thrown on these bills \nby unscrupulous hospitals and unscrupulous physicians and \nunscrupulous HMOs, whatever. There are a few bad apples we \nalways find somewhere, and that is sort of what we are \nconfronted with. I don't see how you deal with that operation \nwithout knowing the name of the patient.\n    Dr. Hoge. Well, I think the example you gave probably would \nbe sufficient to get a court order to get access to the records \nor maybe it is the first step to ask the hospital or doctor \nwhether there was an error or whether they wanted to correct \nthis or so on.\n    Maybe I jumped too early. Because the law enforcement, the \ninsurance company, they would love to have access--relatively \nfree, unfettered access to records and look for lots of things. \nI think the question is how much access to allow people to have \nwithout having any demonstrable cause.\n    Dr. Palmisano a minute ago talked about kicking down the \ndoors. 
Once you have things on-line, we are talking about the \ncomputer equivalent of kicking down doors when law enforcement \nand insurance companies have unfettered access.\n    I think the standard that is common in this country in \nalmost every State that I am familiar with is if there is \nprobable cause, a reasonable demonstration that records have to \nbe accessed and that can be proven to a judge, that you get a \ncourt order; and sometimes you have to make accommodations to \npatient privacy.\n    There are a couple of Federal cases that you should be \naware of. The Ariyoshi case----\n    Mr. Horn. Do you want to spell that for the record?\n    Dr. Hoge. I think it's A-R-I-Y-O-S-H-I. It is a Hawaii \nState--State of Hawaii or Attorney General of Hawaii v. \nAriyoshi, I believe, where the Medicare fraud investigation \nunit came in and grabbed a psychologist's records, snapped them \nall up. They were sealed by the judge. There was a court case \nthat ultimately ensued, and the resolution was the court said \nyou do have reasonable basis for looking at certain parts of \nthis information, the billing aspects and so on, but you don't \nhave a right to look at their private information, what the \npsychologist wrote about their fantasies or their fears or \ntheir personal life.\n    So judicial supervision of access to records or access to \nprivate information I think is ingrained in our society. We \ndon't allow the police, even if they think there might be a \ncrack house somewhere in the neighborhood, to go door to door \nand look in every house looking for it; and that may deter--may \nlead to some decrement in law enforcement. I am not pro-crack \nhouse, but I think we have to protect privacy, and the result \nof that is we have some decrement in law enforcement and fraud \nand abuse investigation.\n    Mr. Horn. Any comment you want to make on that, Dr. \nPalmisano?\n    Dr. Palmisano. Yes, sir. 
The American Medical Association \ncertainly is against fraud, but we do not want the standard for \ninvestigation lowered beyond probable cause.\n    The example you gave, if someone had a mastectomy 10 years \nago and is being billed for it now, that should be corrected. \nIf it was a clerical error, to determine if it's a clerical \nerror or knowingly and intentionally done to defraud, those \nhave to be investigated.\n    But when you have a reasonable belief and evidence to show \nthat there probably is more than likely fraud going on, you can \nget that order to go search that information; and it ought to \nbe limited to the information you need to search and not go \nthrough all the other information.\n    When individuals have the power to invade your office \nrecords or hospital records at will with a very low standard, \nnot only is it--it is un-American in our opinion, but also it is \nvery expensive. Because you have the finances of the Federal \nGovernment basically funding this, your taxpayers' money \nfunding this. You are paying all these different lawyers to \ncome in to advise you what to do, and it gets extremely \nexpensive.\n    Mr. Horn. Well, this example, in fact, was on the \ninformation company where the doctor is sending forth the bill, \nlet's say, where the patient has given them their health care \ninformation as to what insurance company and then the insurance \ncompany's attempt to apply whatever antifraud standard is the \nusual procedure with that company, and the degree to which they \nare saying that companies would be limited in the claims \ninvestigations they could perform under H.R. 52. I don't know \nif they are right on that or not. Obviously, we are going to \nexplore it.\n    And the question was, should there be a specific exception \nfor claims investigations and antifraud investigation from the \nprivacy standard which might be very high. But the whole reason \nyou take insurance, presumably, is to get the payment. 
But it \nought to be the accurate, truthful payment that justifies that.\n    Dr. Palmisano. Well, we don't think there ought to be an \nexemption.\n    The American Medical Association, first, we are against \nfraud. We have helped the FBI to help root out fraud, so we are \non record for that. But we think the standard ought to be kept \nhigh so they are not fishing expeditions.\n    Also, the approach that would solve a lot of so-called \nfraud problems is the approach that the American Medical \nAssociation put forward on the Worldwide Web site called Saving \nMedicare. It has been distributed to Congress. Basically, let \nthe patient get more involved, let the patient get back in the \ndriver's seat, let the patient be a fraud investigator so the \npatient has some responsibility in looking at the bill. The \npatient will know she didn't have a mastectomy and know right \noff the bat that is an error.\n    The fact of getting rid of controlling prices, get down to \nletting the doctors set their own conversion factors and \npublicize that. Then the patients and the physicians get \ninvolved and we get back to a society with less regulations. It \nis impossible to write regulations to cover all possible \nsituations.\n    I think in terms of the heroic American effort when we were \ninvolved in the Normandy invasion after the people on the beach \nwere killed--at Omaha beach. Ninety percent of the people that \nhit the beaches that day from the 116th, from Virginia, they \nwere killed on the spot. Their ship was sunk, and they swam to \nshore and had to get up.\n    The reason we were able to get up there and knock out the \nmachine guns--the reason we were able to knock out those big \nguns is because Americans were resourceful. If they had to \nfollow some little rule book and regulation--now, if the German \nArmy does this--they would have all been killed that day. In \nfact, Colonel Rudder couldn't lead the attack. 
The General \nsaid, ``Colonel Rudder, don't do this attack;'' and he said, \n``I am going to have to disobey you, sir. I have got to lead \nthe men. Otherwise, it won't get done.'' And he did it.\n    That is why they say Hitler's Youth Crew lost out to the \nAmerican Boy Scouts. The Boy Scouts were very resourceful.\n    Every time we come up with more harassment on physicians \nand patients, we end with a system that really doesn't work. It \nbecomes more burdensome. So we would hope that would remain on \nthe forefront.\n    Today we are talking about privacy and confidentiality, and \nwe want to enhance that, protect that. But, on the other hand, \nwe don't want to have rules and regulations that end up \ncreating more burden and don't protect that.\n    Mr. Horn. Ms. Goldman.\n    Ms. Goldman. My only comment to add to the ones that have \nbeen made is I think it is really important that we recognize \nthat there should be fourth-amendment-type limits on Government \naccess to certainly health information. H.R. 52 and the other \nbills that have been discussed do that. We do it to varying \ndegrees, and the Justice Department has expressed concern about \nthose provisions, and I am not aware that they have signed off \non any of them.\n    I think it is a natural response on the Justice \nDepartment's part to say we now have unfettered access to \npersonal health information. Please don't make us be bound by \nthe fourth amendment. That is an understandable response, but \nit is certainly not the right one.\n    The fourth amendment is not an absolute bar to law \nenforcement access to records. What it says is, you must meet \nthe standards, probable cause or clear and convincing standard \nbefore you can get access; and it is a protection on the \nindividual. It is certainly not an absolute bar. And it is one, \nagain, we see in the privacy laws we already have at the \nFederal level and ones that should be built into this Federal \npolicy as well.\n    Mr. 
Horn. I must state one of the goofier implementations \nof privacy law in my field of education was when the Department \nof Education--and I happened to head a national coalition to \ncreate it, so I favored the Department--that we had strict \nrules written into that law that you could not impose curricula \non States, et cetera. But they visited Pennsylvania State \nUniversity and later California State University at Long Beach; \nand they said, oh, you can't display the thesis of a student in \nthe library without the signed exception to the Buckley Act--of \nthe privacy right.\n    Now only an idiot would make that kind of ruling. \nUnfortunately, it went up the high hierarchy. And the \nSecretary, when the complaint was given to him, stuck by that \nstupid policy.\n    Now the whole purpose of the dissertation and thesis is to \nbe examined by the outside world. So here we have the case of a \nFederal law being used where the thesis writer could have \nmassive plagiarism. The professors might have missed it. You \ncan't keep up on everything in every field. That thesis is \nsigned off, and it is normally deposited everywhere in America \nin the university library or the microfilm operation for \ndissertations in Michigan.\n    There is an example of people going haywire with a, quote, \nprivacy right, unquote. There is no privacy right, it seems to \nme; and yet they could get away with it. They could have \nplagiarized; and under the Department of Education's great \ninterpretation, they can be free because no one will ever see \nit. It is not on the library shelf. I don't know if they are \nstill doing it, but they were doing that several years ago.\n    Ms. Goldman. I would agree with you. That is an unfortunate \napplication of a privacy law.\n    My experience has been a little bit different in that what \nI tend to see is underenforcement of existing privacy laws or \nweak construction of the existing privacy laws and not \noverzealous application. 
But it would be interesting to see if \nthat is still the interpretation, because I agree with you that \nwhat is a public record ought to be available.\n    Mr. Horn. All right. Let us move to the next series of \nquestions, and H.R. 52 requires health researchers to receive \napproval from a certified institutional review board in order \nto review patient records. Is that acceptable to most of you or \nhow do you feel on that? Are there any problems with that \nsection, which is 152 of the bill?\n    Ms. Goldman. Well, what is interesting is that the approach \ntaken by H.R. 52 and the one taken in last year's bill \nintroduced by Senators Leahy and Bennett is one that at least \nrecognizes there are Federal regulations right now that require \nall federally funded researchers to get the informed consent of \nindividuals whose information may be the subject of research. \nSo, as Dr. Gabriel said earlier, there are already requirements \non federally funded researchers to have to get the informed \nconsent, unless the IRB agrees that a waiver is appropriate and \nthere is a standard for the waiver.\n    The Senate approach basically said, let's codify those \nregulations so that all researchers--not just federally funded \nresearchers but all researchers will have to comply with \ninformed consent. I think the pharmaceutical industry last year \nhad concerns about that, but that has a fair amount of \nunanimity that that is a pretty good start.\n    I think H.R. 52, again, tries to bring in the Institutional \nReview Board and create another level of hierarchy, which I \ndon't think is a bad idea, to say someone should be watching \nthe IRBs. Because even though there have been some studies \ncommissioned in recent months, there is no record, no factual \nbasis to know how IRBs work as a whole, how we look at the \nconsent mechanism, when and where they approve waiver \napplications. So we know little about how IRBs work. 
We do know \nthey adhere to privacy issues, consider them in the application \nfor research.\n    Mr. Horn. Now is there any type of research that does not \nrequire such approval?\n    Ms. Goldman. The research that does not require approval \nare ones that do not involve identifiable data. And I would \nagree, if you are not using identifiable data, you should not \nhave to get the consent of the records covered, because it is \nnot within the privacy scope. Nonidentifiable data has to be \nclearly nonidentifiable data, and there is discussion about \nwhat that means. But I would agree that nonidentifiable data is \noutside the scope of a privacy bill.\n    Dr. Andrews. I would like to make a couple of comments.\n    First, relating to IRB review and approval----\n    Mr. Horn. It is Institutional Review Boards. I just want \nthe audience to know what we are talking about.\n    Dr. Andrews [continuing]. The regulations are quite strict \non IRBs. There is currently a commission that is looking at the \nIRB process and that, I assume, will also be looking at not \nonly the protection of patients against medical risk but also \nprivacy risks. There seems to be no need for additional \nlegislation on this point which might pre-empt or prematurely \nset some legislation in place to pre-empt the outcome of that \ncommission's reports.\n    Regarding what information is considered identifiable, I \nthink that is a key point; and we feel that the language in the \ncurrent H.R. 52 is a little too broad in identifying what would \nbe considered personally identifiable data. For studies that \nuse data bases that contain a key or an encrypted code that \ncould potentially be used to link back to medical records, \nthose studies currently do not require IRB approval or patient-\ninformed consent. They generally are considered to fall below \nthe level of minimal risk that would determine the need to have \ninformed consent.\n    In addition, as you have also heard from Dr. 
Gabriel, \ninformed consent is frequently not feasible in these \ncircumstances in using very large data bases answering \nquestions that may arise many years after the information was \ncollected, because there is difficulty locating patients in our \nhighly mobile society, getting consent itself may introduce a \nbias, and because contacting patients may also constitute a \nviolation of patient privacy.\n    In addition, as you have also already heard, if you use \nonly the patient data from those who have been located and \nprovided consent, you may introduce a bias in the study which \nmay invalidate the study findings.\n    Mr. Horn. Dr. Hoge has a comment.\n    Dr. Hoge. Actually, yes, and maybe in the way of a \nquestion. I am a little unclear if a doctor enters in the data \nbase that you are talking about has a code, could be stripped \nof that code.\n    I guess the point I am asking, it seems it would be \nreasonable to ask IRB approval if there is going to be the \nfuture capacity to relink that code to the person's actual \nidentity, because now you have got a privacy concern that \nsomeone should be overseeing. But if you are going to take the \ninformation, strip it, it doesn't seem to be a problem, but \nmaybe I am misunderstanding.\n    Dr. Andrews. I think there is something in between that. I \nbelieve that data bases totally stripped of identifiers should \nbe excluded. Then there are data bases that have an encrypted \ncode that could be linked back, and we also feel those should \nbe exempted.\n    I think the actual relinking, which I think is what you are \nreferring to--someone is taking the code, relinking, \nidentifying patients and abstracting additional information to \nsupplement the original study; and those do need very tight \nsecurity over the relinking and may need and usually are, I \nbelieve, covered by IRB review and approval at the moment.\n    Dr. Hoge. 
If I might--but, again, if there is a potential \nto relink through the code, that means you either have the plan \nor some expectation of relinking it; and, therefore, there is \nsome privacy risk--I don't understand. It seems a little \ndisingenuous. If you are not planning on relinking, why don't \nyou just strip it? And if you are planning to relink it, it \nseems to me you are back at a point where you have got to get \nIRB.\n    Mr. Horn. Do you want to respond to that, Dr. Andrews?\n    Dr. Andrews. The reality is these data bases often have \nbeen so carefully developed that this encrypted code is \navailable for the researcher. The researcher cannot by \nthemselves identify the patient, and they have no interest in \ndoing so. They are interested in the aggregate data. It is the \nlocal physician or a third party that would be able to take \nthat encrypted code and link back.\n    Mr. Horn. Dr. Gabriel.\n    Dr. Gabriel. I just wanted to make the point that all of \nthe research that I mentioned in my statement is already \ncovered by the IRB. In fact, at our IRB we apply the \nregulations to everything, federally funded or not. So I would \nendorse having the IRB approval for all of these studies.\n    Mr. Horn. Dr. Palmisano.\n    Dr. Palmisano. Thank you, Mr. Chairman.\n    I just wanted to emphasize that when we put in the \nstatement--both oral statement and written statement--that \nmedical information used for research purposes should have all \nidentifying information removed unless a patient specifically \nconsents to the use of his or her personally identifiable \ninformation; and on the subject of research it can be a \ntroublesome category of exceptions to the general requirement \nfor patient consent. 
Although in conclusion, we are generally \nsatisfied that the IRB patient protections are adequate, we \nbelieve that a scientist should be able to pursue legitimate \nresearch without unreasonable barriers and that it is possible \nto do this while still protecting patients' privacy. What we \ndon't want to see is the term research applied to a whole \nspectrum of economic analysis that solely benefits shareholders \nrather than patients.\n    I guess I would like to pose a question back on H.R. 52. On \npage 39, it states that the project has been determined by a \ncertified Institutional Review Board to be of sufficient \nimportance to outweigh the intrusion into the privacy of the \nprotected individual who is the subject of the information that \nwill result from the disclosure. So it appears from this \nreading that privacy will be invaded, and the IRB is saying \nthat the research is of sufficient importance. So it is not \nbeing treated as an IRB study.\n    Consultation is being obtained with the IRB to decide \nwhether or not it is of sufficient merit to invade privacy, and \nwhat we say is that medical information used for research \npurposes should have all identifying information removed unless \na patient voluntarily and knowingly and willingly consents to \nthat information.\n    So it is right to go through the Institutional Review \nBoard. We think--a lot of them we hold in high regard.\n    On the other hand, we don't know that this is going to \nprotect the privacy--it goes back to the philosophical \ndiscussion, is the teleological approach to the philosophical \nbase whereby you say, well, the end justifies the means, so we \nare going to invade privacy to do this research and find out \nthese potentially good things. We think the patient's privacy \nmust be paramount.\n    Thank you.\n    Mr. Horn. Dr. Gabriel.\n    Dr. Gabriel. I wanted to respond to that a little bit.\n    As we said before, the researcher is not aware that this is \nMrs. 
Jones' data. The only place that privacy might be \ninvaded--there has to be a point somewhere where you collect \nthe data from the medical records, put it in a data base, strip \nthe identifiers, and that is where the analysis happens.\n    So I have a question. How do you define nonidentifiable \ndata? There has to be--so the point, at least in the way we do \nthings, we have usually a nurse administrator abstract a piece \nof information from a medical record and then that is put in a \ndata base with hundreds of other people's data and then the \ninformation or the patient identifiers are removed. So when you \nwere reading that I was thinking maybe that was what they were \nreferring to.\n    Dr. Palmisano. Mr. Chairman, it is just a question. I am \nnot sure what is being referred to. I think it is vague as \nwritten here. It may be because of my ignorance, I don't know, \nbut I would like it clarified.\n    I certainly understand how I could see a scenario. I don't \nconsider myself a computer wizard, but I would see where you \ncould send someone who understood confidentiality and taken an \noath, could go to medical records and say, all names will be \nremoved and codes will go in there and these codes don't \nnecessarily link up, but it identifies whatever you need to \nidentify without identifying the individual and that would be \ngiven to the researcher. It appears from what I have heard that \nwould satisfy the researcher.\n    So I think that could be done from a technological basis, \nand those who are much smarter than I am in computer \nmethodology could come up with an even better way than that. \nBut it appears that the information could be interpreted by a \nreasonable individual to say that we are going to allow the \nname to be kept with this record because the research is of \nsuch moment that the IRB, they agree, is really of great \nmoment. 
So they have this invasion of privacy without the \nindividual knowing; and the individual may say, no, I did not \nwant you to allow that. I did not want to take the risk, \nhowever small, 10th of 1 percent that it would be discovered by \nsomeone else.\n    Mr. Horn. Perhaps we should have staff talk to the National \nInstitutes of Health. Because you could have a project that \ntakes 5 to 10 years, maybe, to come to some conclusion; and the \nquestion is, if you do discover something that relates to that \nsample or you want a later subsample of that, is there a way \nyou can tie that back to the good of the patient?\n    Yes, Dr. Andrews.\n    Dr. Andrews. Let me address this question of relinkage.\n    While I may strip a data set, there are some circumstances \nwhere you would want to have the ability to go back and relink; \nfor example, if you are doing a study on the safety of a \nparticular kind of drug and you may follow patients for 6 \nmonths. If you obtain a signal that this drug may be causing \ncancer and the latency period is longer than 6 months, then you \nmight want to use that same cohort of patients, extended for a \nlonger period of time, in which case you need to take the data \nset back to its origin, relink through a very careful time-\nlimited linkage, and gather the information that would then go \ninto the data base that would no longer have the identity. It \nwould be that linkage process that would need to be carefully \nsafeguarded, rather than the whole data base. So I think we are \nall saying the same thing.\n    [The information referred to follows:] \n    [GRAPHIC] [TIFF OMITTED] 45252.078 through 45252.081\n    \n    Ms. Goldman. 
I have to add one thing on the research.\n    I think there is a fair amount of agreement the vast amount \nof research that is done in this country is done with the \ndeidentified data, without the personal identifiers. For that small \ngroup of research that is done with identifiers, I again say \nthat it is very important that informed consent of patients be \nobtained. Because, as a few people have testified, there is a \nconcern about there being a bias, that those that opt out would \ncreate a bias. At least it is a known bias.\n    You know, there are a small group of people who say, I am \nuncomfortable being a part of this research project because I \nam concerned with confidentiality or I am concerned about \nlosing my job or whatever it is, which are real concerns on the \npart of the individual.\n    The current situation we have, where identifiable data is \nused in research without individuals' consents, the bias in \nthose research projects involve people who give inaccurate \ninformation because they are afraid of the lack of privacy. \nPeople who lie, people who don't seek treatment, those create \nbiases; but we don't know about them. We can't quantify them. \nAt least--if they opt out and the information is asked for and \nit is withheld, at least you know who is saying I do not want \nto be a part of this research project.\n    Mr. Horn. Well, that leads to the next question. If some \npatients are willing to give general waivers at the outset of \ntheir treatment permitting future disclosures of records to \nproviders, researchers and others, should H.R. 52 prevent that \nor should each research project require informed consent of the \npatient to be sampled at that particular time?\n    Ms. Goldman. The way H.R. 
52 is written is in authorization \nthere has to be an identification of who the recipients would \nbe and what the information would be used for.\n    If the authorization is written broadly enough--and, again, \ngetting that authorization does not then condition whether or \nnot you deliver benefits or services. If people want to be part \nof ongoing research and that research is specified, it is not \nmy judgment to make. I think these are individual judgments \nthat people should make.\n    The beauty of the privacy law that is crafted like this, it \nlets people make those choices. It lets doctors talk to the \npatients and say, I would like you to be involved with this; I \nthink it would benefit you. It allows researchers to come in \nand have contact with people and talk to them about the \nbenefits and risk. That is what is allowed here. It allows \npeople to make their own choices and not myself or anyone else \nin this room to say here is the standard, here is what should \napply.\n    Mr. Horn. OK. We are going to wind this up.\n    Anything any of you have on your mind that we haven't asked \nabout in this hearing record?\n    Dr. Hoge. I think you were a born therapist.\n    Mr. Horn. We don't get those wages--sorry--salary, \nwhatever, bills paid.\n    OK, I want to thank you all very much for coming. You have \nall raised some new questions, as any good hearing does; and we \nwill be following up. Just like your comments, as we go, if \nthere is a new draft bill put together, we will send them to \nyou. We would like your comments. Those of your association \nwould be very helpful.\n    With that, this hearing is adjourned.\n    Oh, let me just put the staff on the record. I want to \nthank the following people that worked on this.\n    J. Russell George, the staff director and chief counsel; \nand Mark Uncapher, who is on my left, your right, the counsel \nfor this hearing; John Hynes, professional staff member; Andrea \nMiller, clerk. 
David McMillen, professional staff member for \nthe minority; Ron Strohman, professional staff member for the \nminority; Jean Gosa, clerk for the minority; and Sheridan \nParker, minority research assistant.\n    We have had interns with this particular hearing: Mike \nPressicci, Grant Newman, Melissa Holder; and our court \nreporters are Katrina Wright and Tracy Petty.\n    Now we are adjourned.\n    [Whereupon, at 12:30 p.m., the subcommittee was adjourned.]\n    [Additional information submitted for the hearing record \nfollows:] \n\n[GRAPHIC] [TIFF OMITTED] 45252.082 through 45252.102\n\n                                   - \n</pre></body></html>\n"