[House Hearing, 105 Congress]
[From the U.S. Government Publishing Office]




 
                        PATIENT CONFIDENTIALITY

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED FIFTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 24, 1998

                               __________

                             Serial 105-23

                               __________

         Printed for the use of the Committee on Ways and Means



                    U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 1998




                      COMMITTEE ON WAYS AND MEANS

                      BILL ARCHER, Texas, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
BILL THOMAS, California              FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida           ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut        BARBARA B. KENNELLY, Connecticut
JIM BUNNING, Kentucky                WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana               JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania      KAREN L. THURMAN, Florida
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
WES WATKINS, Oklahoma
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri

                     A.L. Singleton, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                         Subcommittee on Health

                   BILL THOMAS, California, Chairman

NANCY L. JOHNSON, Connecticut        FORTNEY PETE STARK, California
JIM McCRERY, Louisiana               BENJAMIN L. CARDIN, Maryland
JOHN ENSIGN, Nevada                  GERALD D. KLECZKA, Wisconsin
JON CHRISTENSEN, Nebraska            JOHN LEWIS, Georgia
PHILIP M. CRANE, Illinois            XAVIER BECERRA, California
AMO HOUGHTON, New York
SAM JOHNSON, Texas


Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                                                                   Page

Advisory of March 17, 1998, announcing the hearing...............     2

                               WITNESSES

American Medical Management, Jim Sloane..........................    45
Borowitz, Stephen M., M.D., University of Virginia Health 
  Sciences Center................................................    28
Goldman, Janlori, Georgetown University..........................    34
MacGregor Medical Association, James Birge, M.D., and Jim Sloane, 
  American Medical Management....................................    45
Mayo Clinic, Sherine E. Gabriel, M.D.............................    59
Merck Research Laboratories, and Merck & Co., Inc., Harry A. 
  Guess, M.D.....................................................    64
U.S. National Committee on Vital and Health Statistics, Don E. 
  Detmer, M.D....................................................     6

                       SUBMISSIONS FOR THE RECORD

American Association of Health Plans, statement..................    77
American Association of Occupational Health Nurses, statement....    84
American College of Occupational and Environmental Medicine, 
  Arlington Heights, IL, statement...............................    90
American Hospital Association, statement.........................    91
Avorn, Jerome L., M.D., and Elizabeth Andrews, International 
  Society for Pharmacoepidemiology, letter and attachments.......    97
Frantz, Rita, National Pressure Ulcer Advisory Panel, Alexandria, 
  VA, statement..................................................   103
Healthcare Leadership Council, statement.........................    94
International Society for Pharmacoepidemiology, Jerome L. Avorn, 
  M.D., and Elizabeth Andrews, letter and attachments............    97
Medical Group Management Association, statement..................    99
National Breast Cancer Coalition, statement......................   101
National Pressure Ulcer Advisory Panel, Alexandria, VA, Rita 
  Frantz, statement..............................................   103
Shays, Hon. Christopher, a Representative in Congress from the 
  State of Connecticut, statement................................   106


                        PATIENT CONFIDENTIALITY

                              ----------                              


                        TUESDAY, MARCH 24, 1998

                  House of Representatives,
                       Committee on Ways and Means,
                                    Subcommittee on Health,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10 a.m., in room 
1100, Longworth House Office Building, Hon. Bill Thomas 
(Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE

March 17, 1998

No. HL-20

                      Thomas Announces Hearing on

                        Patient Confidentiality

    Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of 
the Committee on Ways and Means, today announced that the Subcommittee 
will hold a hearing on patient confidentiality. The hearing will take 
place on Tuesday, March 24, 1998, in the main Committee hearing room, 
1100 Longworth House Office Building, beginning at 10:00 a.m.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.
      

BACKGROUND:

      
    The Health Insurance Portability and Accountability Act of 1996 
(HIPAA) required the Secretary of Health and Human Services to submit 
to the Congress ``detailed recommendations with respect to the privacy 
of individually identifiable health information.'' In developing her 
recommendations, the Secretary was required to consult with the 
National Committee on Vital and Health Statistics and the Attorney 
General. The Secretary released her report on September 11, 1997, and 
Congress has until August 1999 to pass legislation to protect 
individual patient confidentiality. If the Congress does not enact 
legislation, HIPAA directs the Secretary to issue her own final 
enforceable regulations by February 2000.
      
    Health care information is used for a variety of purposes including 
research, disease prevention, quality assurance, and outcomes 
measurements. In recent years, health care information has moved away 
from paper records to electronic records. This innovation provides 
tremendous opportunities for medical advances as well as new challenges 
for maintaining patient confidentiality. The Administration's recent 
announcement of a delay in the implementation of the HIPAA 
administrative simplification provisions underscores the complexity of 
maintaining confidentiality in an information age.
      
    In announcing the hearing, Chairman Thomas stated: ``Our nation has 
a great history of leadership in medical advances and health care 
innovation. I have seen, first hand, examples of health care data being 
used to help in the discovery of new medical techniques and 
technologies. In addition, outcomes studies and consumer information 
based on up-to-date health care data can make our nation's health care 
system better, services more readily available, and care more 
affordable. However, it is essential that patient confidentiality 
concerns are addressed while maintaining access to data to promote 
better health.''
      

FOCUS OF THE HEARING:

      
    The hearing will focus on patient confidentiality from the 
perspective of the health care consumers, physicians, providers, and 
researchers.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Any person or organization wishing to submit a written statement 
for the printed record of the hearing should submit at least six (6) 
single-space legal-size copies of their statement, along with an IBM 
compatible 3.5-inch diskette in ASCII DOS Text or WordPerfect 5.1 
format only, with their name, address, and hearing date noted on a 
label, by the close of business, Tuesday, April 7, 1998 , to A.L. 
Singleton, Chief of Staff, Committee on Ways and Means, U.S. House of 
Representatives, 1102 Longworth House Office Building, Washington, D.C. 
20515. If those filing written statements wish to have their statements 
distributed to the press and interested public at the hearing, they may 
deliver 200 additional copies for this purpose to the Subcommittee on 
Health office, room 1136 Longworth House Office Building, at least one 
hour before the hearing begins.
      

FORMATTING REQUIREMENTS:

      
    Each statement presented for printing to the Committee by a 
witness, any written statement or exhibit submitted for the printed 
record or any written comments in response to a request for written 
comments must conform to the guidelines listed below. Any statement or 
exhibit not in compliance with these guidelines will not be printed, 
but will be maintained in the Committee files for review and use by the 
Committee.
      
    1. All statements and any accompanying exhibits for printing must 
be typed in single space on legal-size paper and may not exceed a total 
of 10 pages including attachments. At the same time written statements 
are submitted to the Committee, witnesses are now requested to submit 
their statements on an IBM compatible 3.5-inch diskette in ASCII DOS 
Text or WordPerfect 5.1 format. Witnesses are advised that the 
Committee will rely on electronic submissions for printing the official 
hearing record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. A witness appearing at a public hearing, or submitting a 
statement for the record of a public hearing, or submitting written 
comments in response to a published request for comments by the 
Committee, must include on his statement or submission a list of all 
clients, persons, or organizations on whose behalf the witness appears.
      
    4. A supplemental sheet must accompany each statement listing the 
name, full address, a telephone number where the witness or the 
designated representative may be reached and a topical outline or 
summary of the comments and recommendations in the full statement. This 
supplemental sheet will not be included in the printed record.
      
    The above restrictions and limitations apply only to material being 
submitted for printing. Statements and exhibits or supplementary 
material submitted solely for distribution to the Members, the press 
and the public during the course of a public hearing may be submitted 
in other forms.
      

    Note: All Committee advisories and news releases are available on 
the World Wide Web at `HTTP://WWW.HOUSE.GOV/WAYS__MEANS/'.
      

    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
      

                                

    Chairman Thomas. The Subcommittee will come to order.
    Each day, millions of Americans receive medical treatment. 
Increasingly, patients receive their care from a multifaceted 
system of health care entities and professionals. As our health 
care system has evolved from a solo practitioner to complex 
integrated health systems and everything in between, so has the 
challenge of ensuring that patients' private information is not 
improperly disclosed and used for inappropriate purposes.
    National attention regarding the confidentiality of patient 
information was heightened with the passage of the Health 
Insurance Portability and Accountability Act of 1996. This act 
required the Secretary of Health and Human Services to consult 
with the National Committee on Vital and Health Statistics and 
the Attorney General and to report to the Congress her 
``detailed recommendations with respect to the privacy of 
individually identifiable health information.'' The Secretary 
released a report on September 11, 1997. Congress now has until 
August 1999 to pass legislation to protect that individual 
patient confidentiality. Without legislation, the law says the 
Secretary will write her own regulations.
    Today this Subcommittee begins its exploration of this 
important topic. We will hear from experts representing various 
parts of the health care system who will share with us their 
views regarding the confidentiality of patient information. In 
reading their testimony, it was clear to me we are dealing with 
a very important but very delicate issue. If the Congress errs 
on the side of overprotection, we could stifle medical 
innovation and research which would adversely impact public 
health. Likewise, if we fail to provide the American public 
with adequate reassurance that their individually identifiable 
information is protected, some may avoid, delay, or carry out 
protective behavioral patterns dealing with necessary 
treatments.
    Time is critical, not just because the Secretary will issue 
her own regulations in August 1999 if Congress does not act, 
but as we will hear on one of our panels today, if Congress 
does not act, States are already acting. And we run the chance, 
if we do not provide at least guidance if not some uniformity, 
of a crazy quilt pattern confronting us in which no one's 
wishes are granted, and that is a very real possibility.
    [The opening statement follows:]

Opening Statement of Chairman Bill Thomas

    Each day, millions of Americans receive medical treatment. 
Increasingly, patients receive their care from a multi-faceted 
system of health care entities and professionals. As our health 
care system has evolved--from the solo practitioner to complex 
integrated health systems--so has the challenge of ensuring 
that patients' private information is not improperly disclosed 
and used for inappropriate purposes.
    National attention regarding the confidentiality of patient 
information was heightened with the passage of the Health 
Insurance Portability and Accountability Act of 1996. This Act 
required the Secretary of Health and Human Services to consult 
with the National Committee on Vital and Health Statistics and 
the Attorney General and to report to the Congress her 
``detailed recommendations with respect to the privacy of 
individually identifiable health information.'' The Secretary 
released her report on September 11, 1997. The Congress now has 
until August 1999 to pass legislation to protect individual 
patient confidentiality. Without legislation, the Secretary 
will write her own regulations.
    Today, this Subcommittee begins its exploration of this 
important topic. We will hear from several experts, 
representing various parts of the health care system, who will 
share with us their views regarding the confidentiality of 
patient information. In reading their testimony, it was clear 
to me that we are dealing with a very delicate issue. If the 
Congress errs on the side of over-protection, we could stifle 
medical innovation and research which would adversely impact 
public health. Likewise, if we fail to provide the American 
public with adequate reassurance that their individually 
identifiable information is protected, some may avoid or delay 
necessary treatments.
    I look forward to hearing from our first witness, Dr. Don 
Detmer, Chair of the National Committee on Vital and Health 
Statistics.
      

                                

    Chairman Thomas. I look forward to hearing from all of our 
witnesses, but our first witness, Dr. Don Detmer, is the chair 
of the National Committee on Vital and Health Statistics. And 
Dr. Detmer, before I recognize you, I would ask my colleague 
from Wisconsin if he has any opening statement. Or if he has a 
written statement from the Ranking Member, I would make that a 
part of the record. But I would recognize the gentleman from 
Wisconsin.
    Mr. Kleczka. Mr. Chairman, I do not know if Mr. Stark has 
an opening statement, but if he does, I would ask that that be 
included. I would also like to introduce into the record a 
statement from myself on this timely issue.
    I want to acknowledge the Chairman's interest in the 
subject matter, although when he talks about overprotection, I 
don't think we are anywhere near that problem when it comes to 
a patient's records. In fact, just a short time ago in the 
local papers, I think two or three local drugstores were 
involved in selling their patient lists to drug companies. In 
response to that, consumers received mailings from drug 
companies.
    I think privacy concerns are something we should be taking 
more seriously in this Congress, not only as it deals with the 
Internet and Social Security numbers, but now we have seen in 
the most recent past a series of drugstores selling their 
patient lists. I think Congress should not sit idly by while 
all this continues to happen. I think we should be proactive 
and err on the side of the consumer.
    Thank you, Mr. Chairman.
    [The opening statement follows:]

Opening Statement of Congressman Jerry Kleczka

    I am pleased Chairwoman Thomas has called this hearing on 
medical privacy today. This public debate will draw attention 
to one of the most important issues facing the subcommittee and 
American public: guaranteeing the privacy of all Americans' 
personal and medical information. This guarantee is 
particularly important given the rapid technological advances 
and awe-inspiring medical discoveries being made every day.
    I was appalled, as I am sure many of my colleagues were, to 
read in recent Washington Post articles about drugstores 
selling confidential patientprescription information to outside 
companies for marketing purposes. While the companies in 
question quickly changed their practices when consumers 
expressed outrage at these revelations, the practice of selling 
prescription information to third parties continues to go on 
throughout the nation.
    Imagine simply going to the local drug store to fill a 
prescription, and, without your permission, the pharmacist 
behind the counter transmits your medical and prescription 
information to a direct marketing firm. Certainly, innocent 
consumers filling prescriptions should have at the very least 
an expectation of privacy. Sending confidential prescription 
information to a marketing company that has absolutely no 
medical expertise or purpose for receiving that information 
other than to profit from it raises serious ethical questions. 
I believe legitimate checks can and should be placed on this 
type of practice.
    Too many Americans operate under the assumption that their 
private medical records are just that, private. However, in 
today's computer age where personal information can be 
transmitted across the country quite literally at a push of a 
button, threats to the privacy of individuals' medical records 
have never been greater. While this technological innovation 
has provided opportunities for and lead to important medical 
advances, it has come with price--the price of sacrificing 
one's personal privacy and security.
    There are, of course, appropriate uses for electronically 
transmitting medical information. For example, managed care 
networks, insurers, medical researchers, or benefits managers 
arguably have legitimate needs for quick and easy access to 
medical records. However, the idea that potentially thousands 
of individuals could gain access to this electronic data--
something so sacred and private as a diagnosis of mental 
illness or terminal illness, for example--gives me pause. I 
find it even more troubling that this private information can 
and is electronically transmitted for absolutely no legitimate 
medical purpose. Transmitting this information to a third-party 
solely to improve the profit margins of a pharmaceutical 
company is simply unconscionable.
    The Health Insurance Portability and Accountability Act of 
1996 required the Secretary of Health and Human Services to 
submit detailed recommendations with respect to the privacy of 
individual's health information. The Secretary released her 
report this past September and we in Congress have until August 
1999 to pass legislation protecting patient confidentiality. My 
hope is that as we prepare this legislation Congress will not 
only reflect back on the testimony heard today, but also on the 
missteps and breaches of confidentiality that have occurred in 
the past and place strong protections for the future.
      

                                

    Chairman Thomas. I thank the gentleman. Our goal is not to 
err on either side but to pass informed legislation. Our goal 
is not to legislate by anecdote but be informed legislators. 
That is the purpose of this hearing.
    And with that, I recognize Dr. Detmer and tell him that the 
written statement he has will be made a part of the written 
record, without objection, and you can address us in any way 
you see fit in the time you have available.
    Dr. Detmer. Thank you very much, Mr. Chairman. Good 
morning.
    Chairman Thomas. I will tell you in advance these 
microphones are unidirectional and you have to speak directly 
into them and relatively close.

   STATEMENT OF DON E. DETMER, M.D., CHAIRMAN, U.S. NATIONAL 
            COMMITTEE ON VITAL AND HEALTH STATISTICS

    Dr. Detmer. I appreciate the opportunity to appear before 
the Subcommittee on this extraordinarily important legislative 
issue. Privacy, confidentiality, and security of individual 
health information touches the lives of all Americans in a very 
personal way, and your actions will influence the future course 
of health care and the future of medicine itself.
    I am a university professor and senior vice president at 
the University of Virginia and a practicing surgeon. I am here 
today in my role as chair of the National Committee on Vital 
and Health Statistics. As you are aware, the committee is a 
nearly 50-year-old statutory public advisory body to the 
Secretary of Health and Human Services on health data privacy 
and health information policy. Its 18 members include four 
practicing physicians.
    Through the mandates of the 1996 Health Insurance 
Portability and Accountability Act, the committee's 
responsibilities were broadened to encompass health statistics, 
privacy, and computer-based clinical records for both the 
public and private sector. Last June the committee provided its 
initial recommendations to the Secretary and she, in turn, 
submitted her detailed recommendations to Congress last 
September.
    All in all, the committee held over 20 days, full days, of 
public hearings and heard from more than 200 witnesses who 
discussed data standards, privacy, and security issues. The 
hearings included representatives from across the entire 
spectrum of the health community. This extensive public 
consultation was immensely helpful to us as we formulated our 
recommendations to Secretary Shalala, and we continue to hold 
hearings to further refine our advice.
    Our hearings showed strong and widespread support for 
Federal health privacy legislation. At the same time, it is 
clear our society has not yet reached a consensus about the 
definition and boundaries of privacy in an information age. The 
committee has concluded that our Nation faces a privacy crisis 
today, and legislation is urgently needed to address two policy 
deficiencies.
    First, we lack solid Federal legislation on fair 
information practices for personal health information. Second, 
we lack sufficient antidiscrimination statutes to keep personal 
health information from being used against citizens in areas 
such as employment and insurability. With the fast pace of 
progress in medicine and technology, this further complicates 
an already complex situation.
    With the exception of one abstention, all the 
recommendations from the Committee were unanimous. What does 
the committee wish to see in this legislation?
    We want a law that requires creators and users of 
identifiable health information to ensure a full range of fair 
information practices, including the patient's right of access 
to his or her records, the right to seek amendment of records, 
and the right to be informed about users and uses of health 
information.
    We seek reasonable restrictions and conditions on access to 
and use of personally identifiable health information that 
maintains protections for the information as it passes into the 
hands of secondary and tertiary users, so that there are no 
loopholes that allow information to escape appropriate 
controls.
    We seek adequate security for health data, no matter what 
media are used to create, transmit, or store data. That is, we 
wish the protections to apply to the data itself and not to 
whatever medium or technology is used.
    We want those who create and use personally specific health 
information to accept accountability for actions that affect 
privacy interests of patients. We support sanctions when 
restrictions are violated.
    We wish to promote the use of nonidentifiable, coded, or 
encrypted information when a function can be fully and 
substantially accomplished without more specific identifiers.
    The committee strongly supports the use of health records 
for all forms of legitimate health research without a case-by-
case patient consent for access to such data, subject to 
independent review of research protocols and other procedural 
protections for patients.
    The committee also strongly supports the use of health 
records for public health purposes, subject to substantive and 
procedural barriers commensurate with the importance of public 
health function.
    The committee believes patients need strong substantive and 
procedural protections if their records are to be disclosed to 
law enforcement officials.
    The committee strongly supports limiting use and disclosure 
of identifiable information to the minimum amount necessary to 
accomplish the purpose. The committee also strongly believes 
when identifiable health information is made available for 
nonhealth uses, patients deserve a strong assurance that the 
data will not be used to harm them.
    We urge the Congress to pass such legislation during this 
session, since we do not believe the HIPAA privacy regulatory 
authority is an adequate alternative to legislation.
    Clearly, with the continued development of computer-based 
patient health records, it would be best to integrate the 
appropriate security and policy procedures into the emerging 
architecture of such systems, and this will require action now 
rather than later since these systems are being built as I 
speak to you. Action now should allow us to avoid a variant of 
the ``year 2000'' problem in this age of computers.
    The committee recognizes drafting and passage of the health 
privacy law will not be easy. Health privacy legislation 
presents hard choices and difficult tradeoffs. Health records 
are primarily used for the treatment of patients, to improve 
the quality of care, reduce the cost of health care, expand the 
availability of health care, protect the public health, and 
assure public accountability of the health care system. Privacy 
competes with all of these objectives, and it will not be easy 
to strike a widely accepted balance between privacy and these 
other worthy goals. The new legislation must reflect the 
current structure and legislative framework for health care and 
allow for continued progress in health care.
    In summary, two sets of legislation are needed. The first 
involves the relationship between privacy as defined by 
principles of fair information practices; and the second 
relates to concerns about discrimination based on health status 
or conditions. The antidiscrimination provisions of HIPAA need 
to be expanded to cover all aspects.
    Whether or not general privacy concerns and discrimination 
concerns should be addressed together in the same piece of 
legislation, you can best decide. An already complex health 
privacy accountability bill may not be the best place to sort 
out responses to the important discrimination problems.
    The National Committee on Vital and Health Statistics calls 
on everyone to work together in good faith. Everyone should 
benefit from a well-crafted set of fair information practices 
for health information. Patients will have new rights and 
greater protections for sensitive information. Critically 
important, trust in the provider-patient relationship will be 
preserved. Providers and insurers will have clearer rules and 
responsibilities. Secondary users will know when they can and 
cannot have information and what their obligations and 
penalties are if these obligations are ignored.
    The committee is pleased to provide a public forum for 
continued advice on these issues, and we look forward to 
working with you and others to achieve a comprehensive and 
balanced public privacy health information law.
    Thank you, Mr. Chairman. I would be happy to answer 
questions.
    [The prepared statement follows:]

Statement of Don E. Detmer, M.D., Chairman, U.S. National Committee on 
Vital and Health Statistics

                              Introduction

    Thank you, Mr. Chairman. It is a pleasure to appear before 
the Committee today to discuss health information privacy, 
confidentiality, and security issues. I am currently University 
Professor and Senior Vice President at the University of 
Virginia and a practicing surgeon. I appear before you today in 
my role as chair of the National Committee on Vital and Health 
Statistics (NCVHS). The NCVHS is the statutory public advisory 
body to the Secretary of Health and Human Services on health 
data, privacy and national health information policy.
    The NCVHS has a distinguished, nearly fifty year history of 
providing the government with broad based advice on health data 
issues, including data needed to assure the quality of care, 
meet public health needs as well as data needs for other 
purposes. In 1996, the Health Insurance Portability and 
Accountability Act (HIPAA) assigned the committee new 
responsibilities for health information policy development on 
data standards, privacy, and computer-based clinical records 
for both the public and private sectors.
    The Committee is made up of 18 members, sixteen appointed 
by the HHS Secretary, one appointed by the Speaker of the House 
and one appointed by the President pro tempore of the Senate. 
Members are appointed from among individuals who have 
distinguished themselves in a variety of fields ranging from 
privacy and security of health information to the provision of 
health services and population-based public health. Four of the 
current members are practicing physicians.
    As a result of the passage of HIPAA, the nation has the 
potential to achieve major improvements in the quality and 
effectiveness of health care and the efficiency of the health 
sector through improved information technology. And the law 
provides this opportunity in a national framework that protects 
the privacy and security of health information. The primary 
focus of the law is on private health insurance reform. 
However, the provisions on Administrative Simplification 
outline a new national framework for health data standards, 
security and health information privacy in the U.S.
    Today, I will focus on the health information privacy 
provisions of HIPAA, and especially on the NCVHS's 
recommendations to HHS relating to health information privacy. 
HIPAA required that the Secretary of Health and Human Services 
submit ``detailed recommendations'' to the Congress ``with 
respect to the privacy of individually identifiable health 
information.'' In preparing her recommendations, the Secretary 
was directed to consult with the National Committee on Vital 
and Health Statistics. Last June, the NCVHS provided our 
initial recommendations on privacy, confidentiality, and 
security to Secretary Shalala. She, in turn, submitted her 
detailed recommendations to Congress last September.
    Our full report is available on the NCVHS website: http://
aspe.os.dhhs.gov/ncvhs, and the Secretary's privacy 
recommendations are available on the HHS administrative 
simplification website: http://aspe.os.dhhs.gov.admnsimp.

            NCVHS Health Information Privacy Recommendations

    As a basis for our privacy recommendations, the NCVHS held 
six full days of public hearings last year during which we 
heard from over 40 witnesses. All in all, we held over 20 full 
days of public hearings and heard from more than 200 witnesses 
who discussed data standards, privacy and security issues. The 
hearings included representatives from across the entire 
spectrum of the health community, including the privacy 
community, research, public health, quality assurance, 
insurance, managed care, law enforcement and oversight, 
providers, claims processors, the drug industry, federal 
agencies and consumer interest groups. This public consultation 
was immensely helpful to us as we formulated our 
recommendations to Secretary Shalala.
    First of all, our hearings showed strong and widespread 
support for federal health privacy legislation. And with the 
exception of one abstention, all recommendations of the 
committee were unanimous. The committee had difficulty with the 
definition of privacy as it relates to the confidentiality and 
security of person-specific health information. It chose to use 
the word ``privacy'' in its report mainly since the word has 
been the major term used in public discussion of this topic. 
The culture has yet to reach a consensus on what privacy should 
mean in contemporary society.
    Be that as it may, the committee concluded that the United 
States is in the midst of a health privacy crisis. The 
protection of health records has eroded significantly in the 
last two decades. Major contributing factors are ongoing 
institutional changes in the structure of the health care 
system and the lack of modern privacy legislation. Without a 
federal health privacy law, patient protections will continue 
to deteriorate in the future.
    We also concluded that the importance of trust in the 
provider-patient relationship must be preserved. Patients must 
feel comfortable in communicating sensitive personal 
information. Delays in passing privacy legislation will allow 
additional and uncontrolled uses of health information to 
develop. Failure to address health data privacy concerns can 
undermine public confidence in the health care system, expose 
patients to continuing invasions of privacy, subject record 
keepers to potentially significant legal liability, and 
interfere with the ability of health care providers and others 
to operate the health care delivery and payment system in an 
effective and efficient manner.
    The greater the delay in imposing meaningful controls on 
inappropriate use and disclosure of identifiable health 
information, the more difficult it may be to generate 
enthusiasm for instituting necessary restrictions on use and 
disclosure, or change the way that information is acquired, 
maintained, and used. Clearly, with the continued development 
of computer-based patient record systems, it would be best to 
integrate the appropriate security and policy procedures into 
the emerging architecture of such systems.
    The NCVHS recommended that the Secretary and the 
Administration assign the highest priority to the development 
of a strong position on health privacy that provides the 
highest possible level of protection for the privacy rights of 
patients. Any realistic proposal must properly balance the 
important and well-established interests of patients in the 
protection of their health information and the legitimate needs 
of the health care system to provide and pay for health care in 
an efficient, effective and fair manner while supporting the 
responsible use of health records for public health and health 
research, and other legitimate social purposes.
    The Health Insurance Portability and Accountability Act 
provides that if the Congress does not pass privacy legislation 
by August 1999, then the Secretary of HHS is authorized to 
issue regulations containing standards for the privacy of 
electronic administrative and financial transactions. However, 
the Committee found a clear and strong preference for a 
comprehensive legislative solution, rather than addressing 
health privacy through the regulatory process alone.
    It is difficult to address health privacy requirements in a 
piecemeal fashion. Rules that only cover electronic health care 
transactions but not paper-based transactions or other types of 
health records could prove very difficult to develop or 
administer. Further, the committee firmly believes that policy 
on data confidentiality and security should not be contingent 
upon the form, medium, or technology used to record or work 
with health data, e.g., paper, fax, or an electronic medium.
    Consequently, the NCVHS strongly recommends that the 
Congress enact a health privacy law before it adjourns this 
fall. Leaders in both House and Senate should publicly endorse 
the need for strong and effective privacy legislation that 
provides meaningful protections to patients. Congressional 
leaders should ask relevant legislative committees to agree to 
a timetable for action. The Congress should not treat the 
existence of the regulatory authority as an adequate 
alternative to legislation.
    The Committee calls for a law that requires creators and 
users of identifiable health information to----
     ensure a full range of fair information practices, 
including a patient's right of access to records, right to seek 
amendment of records, and right to be informed about uses of 
health information;
     accept reasonable restrictions and conditions on 
access to and use of identifiable health information;
     maintain protections for health information as it 
passes into the hands of secondary and tertiary users so that 
there are no loopholes that allow health information to escape 
from privacy controls;
     provide adequate security for health data no 
matter what media are used to create, transmit, or store data;
     accept accountability for actions that affect the 
privacy interests of patients;
     promote the use of non-identifiable, coded, or 
encrypted information when a function can be fully or 
substantially accomplished without more specific identifiers.
    The law must also impose restrictions on disclosure and use 
of the information and impose sanctions for violations.
    The Committee strongly supports the use of health records 
for health research without a case by case patient consent for 
access to such data, subject to independent review of research 
protocols and other procedural protections for patients.
    The Committee also strongly supports the use of health 
records for public health purposes, subject to substantive and 
procedural barriers commensurate with the importance of the 
public health functions.
    The Committee believes that patients need strong 
substantive and procedural protections if their health records 
are to be disclosed to law enforcement officials.
    The Committee strongly supports limiting use and disclosure 
of identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes 
that when identifiable health information is made available for 
non-health uses, patients deserve a strong assurance that the 
data will not be used to harm them.
    The Committee recognizes that the drafting and passage of a 
health privacy law will not be easy. Health privacy legislation 
presents hard choices and difficult tradeoffs. Health records 
are primarily used for the treatment of patients and to improve 
the quality of health care, reduce the costs of health care, 
expand the availability of health care, protect the public 
health, and assure public accountability of the health care 
system. Privacy competes with all of these objectives, and it 
will not be easy to strike a widely accepted balance between 
privacy and these other worthy goals. As mentioned earlier, the 
task is not made any easier by the lack of agreement about what 
privacy even means in contemporary American society.
    In our hearings, users of health information uniformly 
expressed strong support for privacy legislation. However, most 
users also asked that no--or at most few--new restrictions be 
placed on their ability to collect, use, and disclose health 
information. The Committee believes that it is unfair and 
unreasonable for any health data user to expect that health 
privacy legislation will not require some change in policy and 
practice. Everyone--patients and record keepers alike--will 
benefit from health privacy legislation, and everyone is likely 
to pay some price for the legislation.
    At the same time, the Committee recognizes that privacy 
legislation must take into account the complexity and the needs 
of the current health care delivery and payment system. New 
legislation must reflect the current structure and legislative 
framework for health care. Changes can and must be made, but no 
one can expect that the health care system will be restructured 
solely in the interests of privacy and without regard to cost. 
Indeed, achieving cost savings from administrative 
simplification was a key driver behind the Health Insurance 
Portability and Accountability Act of 1996. The Committee has 
no doubt that a privacy bill can be passed that balances the 
interests of patients with the needs of the health care system.
    The Committee also recognizes that passing legislation will 
not end either the debate or the struggle to accomplish desired 
improvements. Once a law passes, record keepers will have to 
change to accommodate the new rules, federal and state agencies 
will have to oversee implementation of the new law, and the 
Congress may be called upon to refine the law in the future. 
International data protection standards are being developed, 
and the United States needs to be a full partner in this 
effort.

                             Special Issues

    Let me now turn to several additional issues that we heard 
about in our hearings.

Need for Anti-Discrimination Law

    One issue that arose from time to time during the hearings 
was the relationship between privacy (as defined by principles 
of fair information practices) and discrimination. Clearly some 
motivation for protecting health information is to prevent the 
discriminatory use of the information both inside and outside 
the health care setting. Patients receiving care for some 
health conditions or who have been the subject of genetic 
testing have been and continue to be the subject of 
discrimination in employment, insurance, and elsewhere. Several 
current bills address the possible discriminatory use of 
genetic information.
    Discrimination based on health status and condition remains 
a major and important concern, and it deserves a legislative 
solution. Whether or not general privacy concerns and 
discrimination concerns should be addressed together in the 
same piece of legislation, you can best decide. However, an 
already complex health privacy and confidentiality bill may not 
the best place to sort out responses to equally complex 
discrimination problems. The Committee suggests that privacy 
and discrimination issues both deserve explicit legislative 
treatment. The Committee urges the Congress to consider 
legislation expanding the anti-discrimination provisions of 
HIPAA to cover all aspects of discrimination based on health 
status and condition.

Preemption

    Perhaps the most difficult conflict identified during our 
hearings is over preemption of state laws. Among large segments 
of the health industry, a major benefit to federal legislation 
is a high degree of regulatory uniformity throughout the 
country. The interstate nature of health care treatment and 
payment activities is readily apparent. By one estimate, 
approximately half of the U.S. population lives near the border 
of another state. To have a patient work in the District of 
Columbia, reside in Maryland, and receive care in Virginia 
creates a nightmare for the health care system to track unless 
substantial uniformity of policies and procedures exists. It 
will be difficult for many involved in electronic transfers of 
health data to accept any proposal that does not offer 
significant relief from the prospect of 50 different state laws 
establishing separate rules.
    On the other hand, it would be difficult for many patient 
groups, privacy advocates and perhaps some provider groups to 
accept any proposal that does not allow states to adopt 
stronger privacy protections as specified in the HIPAA. People 
disagree whether existing state laws offer greater protection 
than most of the current federal proposals. There is strong 
support in some communities for a solid federal confidentiality 
standard that allows states to erect stronger privacy barriers. 
This was the approach that Secretary Shalala recommended last 
September.
    The Committee suggests, however, that this issue need not 
be treated as a single problem with a single solution. The 
conflicts need to be broken down into components, and each 
component analyzed separately. In some areas, the case for 
federal preemption may be strong. For example, it may be 
unnecessarily complex to support 50 different patient access 
procedures. On the other hand, the need to recognize the 
diversity of state public health laws is already clearly 
reflected in most proposals. No one has suggested or is likely 
to support a uniform federal public health law. A narrower and 
careful analysis of preemption may help to minimize the 
admittedly strong conflicts here and may point to more 
effective resolutions. However, if sufficient national 
conformity is not achieved, both national and international 
objectives cannot be met.
    The Committee stands willing to respond to such remaining 
issues in new legislation if and as the Congress desires.

Unique Health Identifier for Individuals

    Because of privacy concerns, the NCVHS has recommended that 
HHS not adopt a standard for unique identifier for individuals 
as called for in HIPAA until privacy legislation is enacted. 
The NCVHS stated that ``...it would be unwise and premature to 
proceed to select and implement such an identifier in the 
absence of legislation to assure the confidentiality of 
individually identifiable health information and to preserve an 
individual's right to privacy.''
    The NCVHS outlined three sets of concerns. First, we noted 
that the selection of a unique health identifier for 
individuals will become the focus of tremendous public 
attention and interest, far beyond that afforded to other 
health privacy decisions. No choice, the Committee concluded, 
should be made without more public notice, hearings and 
comment.
    Second, we concluded that, until a new federal law 
adequately protects the confidentiality of the health record, 
it is not possible to make a sufficiently informed choice about 
an identification number or procedure. The degree of formal 
legal protection in such a law will have a major influence on 
both the decision itself and the public acceptance of that 
decision. Indeed, we would hope that passage of a comprehensive 
health privacy law would make the choice of an identifier 
easier, e.g., less threatening.
    Finally, the NCVHS stated that a unique health identifier 
could not be protected from misuses under current law, 
notwithstanding the criminal penalties for wrongful disclosure 
enacted in HIPAA.
    At the same time, the Committee feels an obligation to 
address the law and provide advice on this controversial 
matter. Accordingly, we are planning to hold several public 
hearings around the country to gather information and explore 
the issue further. This will be done in conjunction with the 
planned publication by HHS of a Notice of Intent to gather 
descriptive and evaluative information on unique identifiers 
for use in the health system on a systematic basis, including 
current practices, before developing any further 
recommendations. Lack of unanimity from the committee on this 
topic may occur, reflecting the difficult nature of the 
problem.

Computer Technology

    Testimony received by the Committee showed that computers 
are perceived differently by different individuals and groups. 
Some view them as major threats to patient privacy and others 
as tools for offering far greater protection of personal health 
data than is achievable with paper records. In terms of 
limiting release to selected information, computer-based data 
offers the greatest potential to avoid revealing patient 
identifiers. Others see computerized repositories of health 
data as magnets for hackers and other abusers and presume huge 
health data repositories are forthcoming. Testimony suggested 
that the real threats to computerized information--as with 
paper records--come from insiders and not from hackers. 
Unfortunately, this debate is hampered by a lack of sufficient, 
good health services research on the frequency and seriousness 
of problems in this area. Anecdotal information abounds with 
legitimate questions remaining as to its validity and 
representativeness.
    Some have suggested that the patient authorization process 
should be expanded and that patients should be asked or 
permitted to make decisions about whether their information may 
or may not be computerized. The Committee is not sympathetic to 
the notion that patients should have a choice in the technology 
used to create, store and transmit health information. This is 
not a choice that record subjects for records maintained by 
other third party record keepers such as banks and employers. 
Requiring health record keepers--who are spending vast sums on 
computerization--to retain parallel paper systems is 
impractical and costly. It would deny the benefits and savings 
that the Congress has already determined will result from 
increased use of modern information technology.
    Computers are an inevitable part of modern health care and 
indeed are intrinsic to the actual delivery of hospital care 
today. In addition, computer technology can provide 
strengthened confidentiality protections for personal health 
information. We should move on to debate the proper protections 
for records in a computerized environment. One response would 
be increased criminal and civil penalties for misuse of 
computerized health records. These penalties should apply to 
both inside and outside abusers of health data.

Law Enforcement

    Testimony revealed sharp differences over the standards and 
procedures that should govern law enforcement access to health 
records. The law enforcement community contends that its track 
record accessing health records is a good one and that its 
access authority is not abused. Some health care providers and 
privacy advocates, however, seek to establish higher standards 
that would require law enforcement requests for records to 
obtain court orders, to provide patient notice, and to 
expressly justify each access to records.
    Several privacy proposals would prevent use of health 
records against the record subject if an investigation of a 
provider brought to light criminal activity by the patient 
other than health care fraud.
    This is the one major one area where the NCVHS respectfully 
differs from Secretary Shalala's recommendations. She 
recommended no changes to existing laws relating to law 
enforcement access to personal health information. Striking a 
balance between the needs of law enforcement and the privacy 
interests of patients is difficult but a crucial piece of this 
entire puzzle.
    The Committee believes that patients need strong 
substantive and procedural protections if their health records 
are to be disclosed to law enforcement officials. Investigators 
should be required to justify the need for patient identifiers 
and to remove identifiers at the earliest possible opportunity. 
Other HIPAA provisions restrict the use of health information 
against the subject of the record unless the investigation 
arises out of and is directly related to health care fraud. If 
law enforcement wants to use the record in another way, it must 
first obtain a court order. That is one procedural barrier that 
is also included in several current privacy legislative 
proposals. Other proposals go further by requiring notice to 
the patient in some cases.

                               Conclusion

    The NCVHS calls on everyone to work together in good faith. 
It is crucial that the Congress pass a balanced law as quickly 
as possible. Each year, health information becomes available 
for new uses, often without any legal, administrative, or 
policy barriers. Unless legislation passes soon, the risks to 
both patients and record keepers grow.
    Everyone should benefit from a well-crafted set of fair 
information practices for health information. Patients will 
have new rights and greater protections for sensitive 
information. Providers and insurers will have clearer 
responsibilities and rules. Secondary users will know when they 
can have health information, when they cannot, what their 
obligations are, and what penalties will result if these 
obligations are ignored. None of these benefits will be 
achieved unless everyone approaches the legislative process 
with a spirit of compromise.
    The NCVHS is pleased to provide a public forum for 
deliberation and advice on these issues, and we look forward to 
working with HHS, the Executive Branch and the Congress on a 
comprehensive and balanced health information privacy law.
    Thank you, Mr Chairman. I would be happy to answer any 
questions.
      

                                

    Chairman Thomas. Thank you very much, Doctor. I guess the 
easiest way to start would be to indicate that in your 
testimony you said that Congress should not treat the existence 
of the regulatory authority as an adequate alternative to 
legislation.
    Would you expand on that? Do you have any particular 
concerns about the Department of Health and Human Service's 
ability to promulgate such regulations? Or is it just too 
important to leave up to an agency, and Congress' 
responsibility ought to be to grapple with this question? What 
is it that worries you about letting the process go the way the 
legislation is structured?
    Dr. Detmer. The key limitation of the process is that the 
law, as written, covers electronic and computer-based 
information and not paper and other forms, and that is the 
principal concern. So, essentially, the legislation really has 
a more limited scope.
    The committee also feels the legislation dealing with this 
more broadly can generally craft a better response.
    Chairman Thomas. I have been impressed with the learning 
curve of a number of individuals who have been almost 
outspoken, I guess, advocates for privacy, and their 
understanding of that. Electronic data can, if done properly, 
be even better protected than paper records.
    Do you believe there is any role currently or in the near 
future for a rather directed movement toward electronic rather 
than the keeping of paper records; either carrots or sticks of 
some sort to move more rapidly into electronic recordkeeping?
    Dr. Detmer. Yes. First, I would echo your initial comment, 
but very strong differences of opinion exist about this issue. 
Those of us who have actually worked in both the paper era as 
well as, or have a professional interest in the electronic 
approach, feel that actually there are a number of advantages 
to computer-based records. You can encrypt it, you can extract 
solely the information you are interested in and move it along, 
otherwise keeping the rest of the record behind. You also have 
audit trails that can be helpful.
    The point is that with the complexity of health care moving 
the way it is in terms of the technology, the care itself, the 
medical information and such, I think the only way we will have 
high quality, cost-effective care is with computer-based record 
systems. And, as a country, we have not done what we could do 
to move this technology forward.
    A key requirement for progress in this technology relates 
to what we are here today for--privacy legislation is an 
absolutely essential foundation brick needed if we are to see 
the real benefits of this technology develop.
    [The following was subsequently received:]
    In its administrative simplification requirements, the 
Health Insurance Portability and Accountability Act of 1996 
(HIPAA)(Public Law 104-191, Aug. 21, 1996) calls for uniform 
standards for electronic transactions in health administration 
precisely because separate standards developed at other than 
the national level are not workable.
    The Recommendations of the Secretary of Health and Human 
Services, pursuant to section 264 of the Health Insurance 
Portability and Accountability Act of 1996 (September 11, 
1997), noted that
    [t]here is continuing movement toward a computer-based 
patient medical record, with national standards for content and 
format, and the possibility of ready interstate transmission as 
needed for patient care. A major impetus toward adopting this 
type of record was a report of the Institute of Medicine in 
1991 that recommended adoption of the computer-based patient 
record as the standard for all patient care records. Likewise, 
increasing use of telemedicine means that patient information 
will often cross State lines, sometimes in real-time delivery 
of care. This promising development is an important facet of 
the National Information Infrastructure because of its 
potential to provide greater access to quality health care for 
all Americans, especially those living in rural and remote 
areas.
    The National Committee on Vital and Health Statistics 
(NCVHS) last year held six days of hearings involving witnesses 
from the full spectrum of public and private constituencies 
concerned with privacy, consumer interests, and operation of 
the health care system. Testimony received at these hearings 
showed that ``computers are perceived both as threats to 
patient privacy and as tools for protecting personal health 
data. Some see computerized information as the best way to 
support greater use of data without revealing patient 
identifiers. With traditional paper records, for example, the 
difficulties of creating non-identifiable data are typically 
significant. It may be impractical and very time-consuming to 
make a complete copy of a paper record with all identifying 
data removed. With a computer record, the administrative burden 
of creating anonymized records may be insignificant. Others see 
computerized repositories of health data as magnets for hackers 
and other abusers.'' Further testimony suggested that
    [T]he real threats to computerized information--as with 
paper records--come from insiders and not from hackers.
    Nevertheless, because of the important and increasing role 
of computers in health care, it is important to be sensitive to 
both public perceptions and to the possibility that abuses of 
computerized health records will increase in the future. One 
response would be increased criminal and civil penalties for 
misuse of computerized health records. These penalties should 
apply to both inside and outside abusers of health data.
    The Committee noted that it is often overlooked that 
computers contribute directly to improved patient care in many 
ways, and that debates on the proper role of computers and 
electronic records often focus only on the threats to privacy 
and not the benefits for patients. The committee concluded that 
a more balanced discussion about the value and the risks of 
computers is essential, and
    that we need to do more to develop and implement 
technological protections for health records. Technology offers 
the possibility that we can use records for socially beneficial 
purposes while fully protecting privacy at the same time. 
Greater use of nonidentifiable, coded, or encrypted records can 
make everyone better off at little or no cost. Technology will 
not cure all problems related to the use of identifiable 
information, but it can diminish the intensity and scope of the 
problems. This may be the most promising area for additional 
development.
    The NCVHS has not addressed incentives or disincentives for 
the keeping of electronic records. A new NCVHS workgroup on 
Computer-based Patient Records may address this issue in the 
future.
      

                                

    Chairman Thomas. Let me ask the question a slightly 
different way. Are our efforts enhanced, do we make the job 
easier or more difficult based upon the way we approach how we 
are going to legislate; that is, try to deal with the very 
sensitive question of privacy for both individually 
identifiable records and encrypted records, whether they be 
electronic or paper; or if we put a serious emphasis on trying 
to create a timeline in which we move to the electronic era and 
then deal with the same concerns about individually identified 
records? I am wondering which, in your opinion, would get us 
there in the most efficacious way.
    Dr. Detmer. I think if we acted on this issue--if you acted 
on this issue in this session----
    Chairman Thomas. I assure you it is going to be ``we.''
    Dr. Detmer. Well, I would hope so. In any event, if this is 
acted upon in this session, I honestly think the field is 
moving forward, but there are also things that would be in the 
public's interest that the Congress could also do to facilitate 
the development of computer-based health records.
    We have in this country fairly well-developed hospital 
information systems compared to those for primary care and 
smaller care units. If you look at the United Kingdom or the 
Netherlands, for example, they have put in some tax benefits as 
well as equipment writeoffs that really have moved that 
technology forward.
    And, incidentally, they have privacy legislation in place, 
and the populations in both of those countries feel quite good 
actually in that sense about this issue. I am not saying to 
every last person, but as a development I think it is seen as a 
positive thing.
    Chairman Thomas. The difficulty, of course, is that Great 
Britain is a unitary country and we are a Federal system, and 
States have proper roles to play in a number of areas. Dealing 
directly with individuals, for example, with regard to health 
and welfare, is one of the roles the States have to play which 
makes our job more difficult to bridge those differences.
    In looking at the information, one of the concerns I think 
is warranted by the individuals who do not want to err, who are 
concerned on the side of the right to privacy, is the access to 
those identifiable patient records. Does it seem reasonable 
that if we, for example, move toward a system which would allow 
for a determination of who accessed the records, to make that 
accessing of the records available to individuals?
    I know you can place extreme punishment on people misusing 
that information. But I think the most chilling effect often on 
people misusing that information is to make it easily known as 
to who it is that is accessing those records. That is the first 
part of the question.
    The second part, since that involves enforcement in a very 
direct way, it is too simplistic to view the role of the 
Federal Government and the State legislators as perhaps 
dividing it along that line; that where there are identifiable 
personal records, that could be a very proper and appropriate 
role for the States to deal with how you deal with that 
information; and the encrypted records, primarily for research, 
far more often travel across State lines, are collected for 
purposes that should have a set of protocols properly approved 
by an appropriate agency? Is that too simplistic a view?
    Dr. Detmer. The difficulty, unfortunately, is we have been 
getting testimony in some of our recent hearings in particular 
that the ability to assure the data are securely encrypted, 
clearly identifiable, or are clearly not identifiable is not 
likely to be that airtight.
    The fact of the matter is, almost all of these things can 
be open to manipulation, if you will. The most likely assurance 
you will be getting encrypted or nonidentifiable data, which 
involves a lot of the information, will simply be from the fact 
that you have strong sanctions in place. People will clearly 
want to just use nonidentifiable data as much as possible to 
avoid, obviously, the exposure to sanctions for misuse.
    It would be tough to get back directly to your question, to 
craft language in that kind of a dichotomous approach.
    Chairman Thomas. But would you respond directly to the 
point of having the ability to have a clear trail from the 
identifiable electronic data and providing it to, for example, 
the individual, as to who it is that has been looking at the 
records?
    Dr. Detmer. Yes, I think certainly the trail, the idea of 
audit trails is a protection. It is also true, of course, 
depending on how much information you keep relating to all the 
trails and who is involved, that that also then becomes, if it 
is overdone, yet another set of information that could then be 
abused and hence invade privacy. So all of these things have a 
balance that has to be struck.
    [The following was subsequently received:]

    The NCVHS provided its recommendations on adoption of 
security standards in a letter to the Secretary, HHS, dated 
September 9, 1997. In providing a series of principles and 
recommendations for the Secretary's consideration, the 
Committee stated that in order for health information systems 
to be secure, there must be monitoring of access. Specifically, 
``[o]rganizations should develop audit trails and mechanisms to 
review access to information systems to identify authorized 
users who misuse their privileges and perform unauthorized 
actions and detect attempts by intruders to access systems.''
      

                                

    Chairman Thomas. And then finally, I know it was in your 
testimony but I want to underscore it, the administration in 
making its initial proposals placed a privileged category for 
law enforcement agencies, and you voiced some concern about 
that.
    My assumption is we all understand the importance of that, 
but that in your opinion they probably carved out too big an 
island, too exclusive an approach for law enforcement?
    Dr. Detmer. Yes. With all respect, this was the only area 
of significant difference between the committee's 
recommendations and the Secretary's recommendations. We urged 
substantive procedural protections. We felt law enforcement 
should justify their need for personal identifiers, remove 
those identifiers at the earliest possible moment, unless 
needed for fraud investigation, and a court order seemed 
appropriate for access.
    There was a huge array of issues we had to look at. We did 
not spend a detailed amount of time on this, and probably will 
deserve to spend more, but clearly we did differ from the 
Secretary in that and we urged more protections.
    Chairman Thomas. Thank you very much, Doctor. Obviously, we 
will rely on you in your ongoing examination. My belief is this 
is an area that could change relatively quickly in terms of 
techniques that are being developed, especially when we are 
looking at an August 1999 deadline. At least, I certainly hope 
so.
    Thank you very much for your input.
    Does the gentleman from Wisconsin wish to inquire?
    Mr. Kleczka. With respect to research currently being done 
by managed care companies, is that being done with the informed 
consent of the individuals?
    Dr. Detmer. Right now we have very much a patchwork of 
incomplete and inadequate protections generally. I think most 
managed care companies do in fact--and health care 
organizations--do in fact try to protect the data of patients. 
Obviously, we do not have full information. In fact, one of the 
problems of this whole field is a relative lack of the kind of 
research base that would be very useful to us as a committee, 
as well as to you in your roles.
    In general, if you have health professionals involved in 
the work, whether it is the quality work or cost effectiveness 
or whatever, utilization work, health professionals have a 
genuine concern for confidentiality. And I am not sure it is 
always done ideally by health professionals, but it has been 
part of their upbringing from the time they got into the health 
professions. There is a bit perhaps less dedication and concern 
for privacy as you get beyond the health professionals 
themselves.
    [The following was subsequently received:]

    We do not know. The Committee does not have information on 
this area.
      

                                

    Mr. Kleczka. Later this year the European Union is 
scheduled to come down with a directive relative to 
transferring of data to a third country, and that directive 
indicates that they want to ensure the level of protection. 
Currently, does this country meet the criteria that is set 
forth in that directive?
    Dr. Detmer. It is not precisely clear to me that it does. 
If you really look at it pretty literally, I would say it does 
not. This is not a formal committee view, that is my own 
assessment of this. The committee has not formally assessed the 
matter.
    But I do think it is important for us, and it does speak to 
the issue of States' preemption. If we do not have a Federal 
law that is sufficiently recognizable as a national standard, 
we certainly could be open to the clear interpretation that we 
would not be meeting the EU guidelines, and it would prevent us 
from being able to share information for purposes of research 
and other social benefit.
    [The following was subsequently received:]

    The EU directive is a very comprehensive privacy law 
covering all personal data and designates an official with 
power to regulate private sector use of personal data. The U.S. 
does not have a comprehensive legal scheme of data protection, 
nor an official who has privacy protection as a sole 
responsibility on a nationwide, or government-wide basis. 
Rather, it has a number of separate State and Federal laws, but 
no privacy law generally applicable to all data.
      

                                

    Mr. Kleczka. What would be the impact on this country in 
terms of trade and research should we not meet the criteria and 
so forth in the directive?
    Dr. Detmer. I have not seen specific estimates, but in 
terms of looking certainly at drug development and other 
activities that are in the public's interest, I think it would 
have an adverse impact on what would otherwise be a desirable 
thing.
    [The following was subsequently received:]

    The impact is not yet clear. It is our understanding that 
the Commerce Department and the State Department have been 
involved in discussions with EU staff. Within the Department of 
Health and Human Services, the HHS Data Council is surveying 
its staff and operational divisions to determine the extent to 
which individually identifiable personal data moves from the EU 
to the U.S.
      

                                

    Mr. Kleczka. It is your view, at this point at least, we do 
not currently meet the specifics of that directive?
    Dr. Detmer. That is my own personal interpretation, yes.
    [The following was subsequently received:]

    We believe that the U.S. may not currently meet all of the 
criteria of the EU directive.
      

                                

    Mr. Kleczka. What is the timing of that? It is supposed to 
come down later this year?
    Dr. Detmer. I do not know the specific time. I could get 
back to you on that, but it is coming along, though, that is 
for sure. But exactly specifically----
    Mr. Kleczka. I have information the effective date is 
October of this year.
    Dr. Detmer. You sound like you have the information.
    Mr. Kleczka. Thank you very much.
    Chairman Thomas. Does the gentleman from Louisiana wish to 
inquire?
    Mr. McCrery. Just a couple of questions, Mr. Chairman.
    Dr. Detmer, I want you to expound a little bit on the 
question of preemption of State laws. I am a little concerned 
about what I perceive to be the Secretary's recommendation that 
we have a national law, a national standard, but that we allow 
the States to enact stricter standards.
    How is that going to solve the problem of uniformity? It 
seems to me to be contradictory. Can you expound upon that?
    Dr. Detmer. Well, this is a very complex issue. The 
committee, to the extent it has spoken to this, feels like it 
is worth splitting out this issue and not looking at it in a 
totally either all Federal, no State, or wide open and a weak 
Federal floor, if you will.
    There may be areas where it might be very wise to in fact 
allow State standards. For example, the area of public health 
law. The States have very well-developed public health laws 
that have been developed in very good collaboration with the 
Federal Government. So I think our general attitude would be 
you should look at preemption piece by piece.
    Speaking personally, you are going to be hearing from a 
witness from Minnesota. If you do see, as the Chairman said, 
States doing too much experimentation, 50 points of light in my 
view is not necessarily going to give us enough clarity on 
this. If you have a sufficiently high standard, the States will 
not seek to do more. In some areas, like public health law, it 
is probably the best approach to acknowledge that body of law.
    [The following was subsequently received:]

    Preemption of state laws was the most difficult conflict 
identified at the hearings we held, and did not yield a clear 
answer. The NCVHS addressed preemption specifically in its 
recommendations to the Secretary (June 27, 1997), as follows:
    Among large segments of the health industry, a major 
benefit to federal legislation is a high degree of regulatory 
uniformity throughout the country. The interstate nature of 
health care treatment and payment activities is readily 
apparent. It will be difficult for many involved in electronic 
transfers of health data to accept any proposal that does not 
offer significant relief from the prospect of 50 different 
state laws establishing separate rules.
    On the other hand, it would be difficult for many patient 
groups, privacy advocates and perhaps some provider groups to 
accept any proposal that does not allow states to adopt 
stronger privacy protections as specified in the HIPAA. People 
disagree whether existing state laws offer greater protection 
than most of the current federal proposals, but a proposal is 
not a law so judgments in this area are premature. There is 
strong support in some communities for a minimum federal 
confidentiality standard that allows states to erect stronger 
privacy barriers. HIPAA already reflects a policy that stronger 
state laws should be allowed to prevail.
    Existing proposals differ on preemption. Most preserve 
existing state mental health and public health laws, but the 
scope of this language is unclear. H.R. 52 adds a new idea to 
the mix by allowing states to pass additional restrictions on 
access to health records by state officials.
    The Committee suggests, however, that this issue need not 
be treated as a single problem with a single solution. The 
conflicts need to be broken down into components, and each 
component analyzed separately. In some areas, the case for 
federal preemption may be stronger. For example, it may be 
unnecessarily complex to support 50 different patient access 
procedures. On the other hand, the need to recognize the 
diversity of state public health laws is already clearly 
reflected in most proposals. No one has suggested or is likely 
to support a uniform federal public health law. A narrower and 
careful analysis of preemption may help to minimize the 
admittedly strong conflicts here and may point to more 
effective resolutions. However, if sufficient national 
conformity is not achieved, both national and international 
objectives cannot be met.
      

                                

    Mr. McCrery. Can you briefly, if you feel comfortable doing 
this, either on the part of the commission or on your own part, 
outline for us the reasons for having a national standard?
    Dr. Detmer. Well, I think clearly the most critical one in 
my view, speaking as a practicing physician and looking at the 
fact that much of the population in this country lives near 
State borders, if we have stiff penalties in place, let us say 
a patient works in the District, lives in Virginia, and gets 
their care in Maryland. You will have different States which 
will have different standards, with still very stiff Federal 
penalties. Trying to keep that straight, both as a patient and 
as the provider, it strikes me as really making it very 
difficult, and we do want to have an effective law.
    If I were just to speak to one thing, that is, in my mind, 
one of the most compelling arguments to be made for strict 
Federal preemption. But, again, I would be happy to try to get 
back to you with more specific direction on this very important 
issue. Without question, it is one of the more controversial 
areas of this legislation.
    [The following was subsequently received:]

    The existing legal structure does not effectively control 
information about individuals' health. Federal legislation, 
establishing a basic national standard of confidentiality, is 
necessary to provide rights for patients and define 
responsibilities for record keepers. The Committee's position 
on this is reflected in its recommendations to the Secretary 
(June 27, 1997) wherein it made a number of principal findings:
    The United States is in the midst of a health privacy 
crisis. The protection of health records has eroded 
significantly in the last two decades. Major contributing 
factors are ongoing institutional changes in the structure of 
the health care system and the lack of modern privacy 
legislation. Without a federal health privacy law, patient 
protections will continue to deteriorate in the future.
    The importance of trust in the provider-patient 
relationship must be preserved. Patients must feel comfortable 
in communicating sensitive personal information.
    Delays in passing privacy legislation will allow additional 
and uncontrolled uses of health information to develop. Failure 
to address health privacy will also undermine public confidence 
in the health care system, expose patients to continuing 
invasions of privacy, subject record keepers to potentially 
significant legal liability, and interfere with the ability of 
health care providers and others to operate the health care 
delivery and payment system in an effective and efficient 
manner. The greater the delay in imposing meaningful controls 
on inappropriate use and disclosure of identifiable individual 
information, the more difficult it will be to overcome 
institutional resistance to restrictions on use and disclosure 
or changing the way that information is acquired and used. On 
the other hand, the confidentiality of the provider-patient 
relationship and the confidentiality of health records had been 
the foundation by which the health care system helps ensure the 
best possible health care. It is not easy to strike a fair 
balance between these some times competing concerns.
      

                                

    Mr. McCrery. Thank you. That would be helpful, because 
looking over your testimony, it is not real clear to me, 
anyway, what your recommendation is.
    Dr. Detmer. OK.
    Mr. McCrery. If you could be more specific, that would be 
very helpful.
    Second question. You talk about needing to guard against 
discrimination in a number of areas, including insurance. Most 
people, when they apply for insurance, are they not asked to 
reveal any health conditions that would have an impact? So what 
is the problem on discrimination in insurance?
    If you see that as a problem, perhaps we should move to 
some sort of community rating. That would resolve that. Do you 
want to comment on that?
    Dr. Detmer. We have not talked about the issue of community 
rating as an issue per se. I do think that the very concept of 
health insurance, though, is it is to be something that is 
there for people when they are sick. And if indeed you reveal 
you have illnesses and then you cannot get any coverage, or it 
is so extravagant or expensive you cannot afford it, then the 
very concept of insurance is not there.
    At some level this is a very important question and is 
obviously a question that goes beyond the privacy legislation, 
certainly, but I think it is a very critical question: Do 
people get coverage for effective services or not? That is a 
community rating kind of issue.
    [The following was subsequently received:]

    To the extent that the NCVHS has addressed this matter, its 
discussions have included the following points. The 
relationship between privacy (as defined by principles of fair 
information practices) and discrimination is an issue that was 
raised a number of times during the NCVHS hearings last year. 
Some motivation for protecting health information is to prevent 
the discriminatory use of the information both inside and 
outside the health care setting. Patients receiving care for 
some health conditions or who have been the subject of genetic 
testing have been and continue to be the subject of 
discrimination in employment, insurance, and elsewhere. Several 
current Congressional bills address the possible discriminatory 
use of genetic information.
    Discrimination based on health status and condition remains 
a major and important concern. While the Committee has not 
focused its full attention on discrimination, legislative 
responses are appropriate. It is not clear, however, that 
general privacy concerns and discrimination concerns must be or 
should be addressed together in the same piece of legislation. 
An already complex health privacy bill is not the best place to 
sort out responses to equally complex discrimination problems. 
The Committee suggested in its recommendations to the Secretary 
(June 27, 1997) that privacy and discrimination issues deserve 
separate legislative treatment. The problems of discrimination 
are important, but not enough work has been done to explore the 
content of anti-discrimination legislation. The Committee urged 
the Secretary to propose legislation expanding the anti-
discrimination provisions of HIPAA to cover all aspects of 
discrimination based on health status and condition.
      

                                

    Mr. McCrery. Thank you.
    Chairman Thomas. Does the gentleman from California wish to 
inquire?
    Mr. Becerra. Let me ask a question, and this may be 
somewhat premature, since we are trying to figure out what we 
believe confidentiality or privacy to be and how we address it, 
but certainly some of what we want to protect will have to be 
done through statute.
    The preemption issue, for example, makes it clearly Federal 
versus State. We will have that dispute. But some areas are 
probably best protected by regulation because they may need to 
change periodically and statutes would be too difficult to have 
constantly amended. Do you have any sense right now, Dr. 
Detmer, what areas are clearly best left to regulation versus 
statute? What should we not do?
    Dr. Detmer. That is a very tough question and it is one, 
obviously, I think all the Members of the Subcommittee grappled 
with. I do not question at all the validity of your basic 
comment. It is true that if you put too much in a statute, you 
do not have the flexibility that can come with regulation.
    Clearly, I think we do need a set of basic health 
information practice protections, and those, I think, can be a 
matter of statute. Exactly how those play out over time are 
appropriately left to regulation. And certainly as the chair of 
the national committee that has with a nearly 50-year history 
of advising government, I think that the NCVHS committee review 
process is a wonderful mechanism by which regulation can became 
more attuned to the times and the needs.
    Here is a group of private citizens serving and giving 
expertise to the Government, having an opportunity to hold 
hearings for wide varieties of folks and then making 
recommendations. The HIPAA legislation in that regard is a very 
nice model, because it did lay out a general picture, but then 
it also mandated that regulations would follow based on 
explicit hearings and the advice of this Subcommittee.
    Mr. Becerra. Is there any particular area you could 
identify for us?
    Dr. Detmer. Well, I say certainly basic health information 
practices. I will be happy to get back to you. I think it is a 
very relevant and critical question actually to the 
legislation.
    Mr. Becerra. I think to the degree you can help us set the 
parameters of what we are going to do, if there is something we 
should clearly leave off the table with regard to statutes and 
limitations, it would help us quite a bit.
    Dr. Detmer. Certainly.
    [The following was subsequently received:]

    Both the NCVHS in its recommendations to the Secretary 
(June 27, 1997), and the Secretary in her recommendations to 
Congress (September 11, 1997), recognized the difficulty in 
drafting health privacy legislation and recommended a ``safety 
valve provision.'' Specifically, the Secretary's 
recommendations noted:
    We recommend that there be authority to suspend, by 
regulation, any provision of the legislation for a limited 
period in the event of an unforeseen significant threat to 
health or safety, significant threat to patient privacy, major 
economic disruption, or manifest unfairness.
    The design of precise controls on the use and disclosure of 
information is a complex task, and it is possible that the 
legislation would forbid a disclosure, or otherwise constrain 
behavior, in a way that causes unanticipated hardship.
    Authority to suspend a provision would ensure that 
situations like this could be addressed, on a temporary basis, 
pending Congressional consideration of amendments.
    Federal agencies are accustomed to the flexibility provided 
by the Privacy Act of 1974, whose routine use provision (5 
U.S.C. 552a(a)(7) and (b)(3)) permits agencies to make 
administrative choices to disclose information beyond the 
disclosures explicitly allowed in the statute. We do not 
recommend administrative authority as flexible as the routine 
use provision, which appears in a law covering all activities 
of all Federal agencies, and where a statutory catalog of all 
possible uses of information was not feasible. We recommend a 
provision to deal with extraordinary situations that may have 
not been foreseen, and then only for a limited time.
      

                                

    Mr. Becerra. With regard to the whole issue of the data we 
collect and how we keep all that information, electronic, 
paper, and so forth, what do you do with the nonprofit, the 
community-based clinic that already survives on a shoestring 
budget, if we determine that the best way to keep information 
safe is to go toward some electronic mechanism?
    How do we help those that are barely surviving to provide 
health care, to now get to the point where they will abide by 
statute or regulation requiring them to provide protection to 
private information?
    Dr. Detmer. Very good point. It came up in our hearings. In 
particular, we had a hearing out in San Francisco where Los 
Angeles County Hospital came and said, Look, our budgets are so 
low, the idea we can have a very wonderful, which we would 
like, information system with what many of you might consider 
really important and basic information is simply beyond our 
means.
    There is clearly cost involved in this issue, and certainly 
one of the main drivers of HIPAA was to in fact save money from 
administration simplification. We again lack the facts and data 
that would allow us, I think, to really know exactly how big a 
problem this will be. We know in some areas trying to do much 
of anything would probably stretch their budget. So there is a 
tension in here and there is a cost in this.
    On the other hand, there is also a general public concern 
about privacy. We need to have a law but we do need to, I 
think, look carefully at the costs that that will impose on 
people.
    [The following was subsequently received:]
    Section 1173 of the Health Insurance Portability and 
Accountability Act of 1996 (Public Law 104-191, Aug. 21, 1996) 
requires the Secretary to adopt standards for electronic data 
transactions, but does not mandate that providers exchange 
information electronically. While issues regarding costs of 
maintaining and providing information electronically have been 
raised at its hearings, the Committee has not addressed this 
issue.
      

                                

    Mr. Becerra. Thank you, Mr. Chairman.
    Chairman Thomas. In regard to that, though, the next panel 
will have some comments, and I find the argument on cost a bit 
analogous to the preventive care arguments we had, that wound 
up with us finally spending money according to the budget 
rules. Everyone involved believed that in the long run, a 
decade, a generation, that we would save money on preventive 
care. With adequate records, the investment and the ability to 
keep really accurate records, that a number of areas such as 
duplicate procedures or missed procedures, that would save 
customers in the long run, may very well be at least 
offsetting.
    That is not a comfort to someone who has to meet a budget 
on a quarterly or a yearly basis, but we need to look at all 
aspects of the decision rather than just very narrowly 
someone's quarterly accounting on the cost of changing the way 
in which we provide records both to the patient and to the 
system.
    The other point I wanted to make before I ask you a final 
question, the gentleman from Louisiana's line of questioning is 
very, very pertinent, and I have had an ongoing, mostly 
positive relationship with the insurance business trying to 
convince them that their real job is to manage risk, not 
eliminate risk.
    Dr. Detmer. Thank you.
    Chairman Thomas. Under the current rules, at the same time, 
we ought not to shoot the messenger if what they do is provide 
us, under the current rules, the cost of coverage for 
particular concerns. That then becomes an immediate problem for 
the individual, but it becomes a problem for society in 
examining the way in which the current rules operate.
    And that goes to the gentleman from Louisiana's discussion 
about community rating or getting better risk assessment tools 
available to us for making these kinds of decisions, because I 
do not want the industry to pull punches in terms of what the 
costs of these various conditions would be to insure in the 
current world. That allows us to make a realistic decision and 
not an unrealistic one.
    Then, finally, as we get into this area which all of us now 
I think are fairly sensitized to, as to its importance in 
dealing with privacy, we do not have a comprehensive privacy 
statute on the books. The string theory of physics for privacy, 
I think for a very good reason. We do have, though, a number of 
statutes on the books, and the staff has listed for me the 
Privacy Act of 1974, Americans With Disabilities Act, the 
Controlled Substances Act, and most recently, the Balanced 
Budget Act.
    Did the committee review those? And can you give us any 
lessons learned from the implementation of these earlier 
Federal statutes, in terms of their either applicability or the 
difficulty of converting? One of the things we do around here 
is take something that has worked in the past and apply it to 
something else. Do you have any cautionary words about the way 
in which we might approach this particular area of privacy vis-
a-vis what we have done in the past and what might be seen as 
somewhat similar or related areas?
    Dr. Detmer. Yes, and the committee has not explicitly dealt 
with that question, particularly the Balanced Budget Act, which 
is very current. I think the question is a good one and one 
that I will put to the committee. I think it could be useful to 
you to get back on that.
    In general, as an offhand comment, I do not think that the 
process, being the way it operates, it has been that bad. In 
fact, it has been quite good.
    I do want to respond to an earlier comment, if I might. I 
think my first time to ever testify before you was soon after I 
had chaired the Institute of Medicine study on computer-based 
patient records some years ago, and I want to underscore how 
much I agree personally with what you are saying here. On the 
basis of that study and other work, we will not get to truly 
value-based, cost-effective care, even looking at these issues 
of cost on insurability and such, until we have much finer 
grain reliable information. That is only going to come actually 
out of computer-based analysis, properly done, with the 
appropriate confidentiality protections in place.
    [The following was subsequently received:]

    The Committee has not examined the Privacy Act or the other 
laws in any depth in developing its recommendations.
      

                                

    Chairman Thomas. Well, without it I do not see how we can 
create some outcomes research that providers will need, that we 
will need as smart buyers with the taxpayers' money, but, more 
importantly, providing a body of information to patients so 
that they can be smart consumers as well, which is one of the 
fundamental ways we will keep a control on health care costs.
    Dr. Detmer. Many of us are grateful for your leadership on 
that.
    Chairman Thomas. The final comment would be to tie in once 
again with the gentleman from California. While you look at 
these various particulars, the other thing I am most concerned 
about is the balance between statute and regulations. Because, 
obviously, given the changing technology, we are not going to 
be able to write a piece of legislation that is probably as 
flexible as we would like for the near term.
    If you could, create some bright lines for us that would be 
most appropriate in legislation versus areas that probably are 
going to be changing and we can review, lock up if necessary in 
legislation in the future, but perhaps might lead to 
legislation.
    My real worry about that is that as this argument for 
privacy continues, I do want to make sure the Federal statute 
encompasses the basic structure so that there will not be, for 
want of a better term, an end run around what we are trying to 
do by--particularly by States being overly zealous in 
regulating beyond what is necessary to create those clear and 
necessary personal privacy and confidentiality protections, but 
still allowing for the collection of data which will allow us 
to move forward, both for individuals and for medical science.
    [The following was subsequently received from Mr. Detmer:]

    As noted above in response to Q9., both the NCVHS 
recommendations to the Secretary (June 27, 1997) and the 
Secretary's recommendations to Congress (September 11, 1997) 
recognized the difficulty in drafting health privacy 
legislation and recommended a ``safety valve provision.'' The 
Secretary's recommendations specified that ``[w]e recommend 
that there be authority to suspend, by regulation, any 
provision of the legislation for a limited period in the event 
of an unforeseen significant threat to health or safety, 
significant threat to patient privacy, major economic 
disruption, or manifest unfairness.''
      

                                

    Any Members have any additional questions?
    The gentleman from California.
    Mr. Becerra. Really quickly, and again this may be 
premature, was there a great deal of discussion of what you do 
after privacy information has been disclosed? What about the 
person who has a mental history and those records are 
disclosed, or has the AIDS, HIV virus? What happens in that 
case, when the cat is out of the bag? Did you propose or 
discuss what should be the remedy in those cases?
    Dr. Detmer. Well, I think we do see, as I say, sanctions 
that should come into play if there are obvious cases of that 
type. You mentioned both mental health as well as HIV, for 
example. Clearly, there are some sets of health information 
that will expose people more than other general data, like a 
simple blood pressure, pulse reading, say.
    The general feeling is that if you really start taking it 
case by case and trying to look at genetic information, or HIV 
status, or mental health data, all in separate kinds of all 
special sorts of cases, that becomes something almost 
impossible to try to manage sensitively and appropriately. The 
committee's general feeling is, Let us put in a very good 
standard and let us have that standard be such that it protects 
those people, so that in fact your protection does not depend 
on what disease you unfortunately happen to get or what problem 
you happen to have.
    Mr. Becerra. If I could ask this, as you all continue, if 
you could give some close attention to giving us some strong 
and specific recommendations on sanctions, because there will 
be all sorts of special interests in this trying to fight to 
either make them very strong or very weak, and it would help if 
we had some good guidance from those who are examining the 
whole issue. Give us a sense of how strong or how weak we 
should be with regard to sanctions, if in fact we find that 
information is disclosed.
    Dr. Detmer. It is clearly a judgment call. At least I would 
advocate that you make them sanctions that really look and feel 
like sanctions, if it looks like a horse and feels like a 
horse. I really think that needs to happen.
    I think they really need to be there, but it is still a 
question of levels. And you are right, there will clearly be 
some pressures to make it higher or lower. Again, I will see if 
I can try to give you some advice on that, if I can.
    [The following was subsequently received:]

    There is clear consensus that there be strong civil and 
criminal sanctions. A federal privacy law should, as 
recommended by the Committee (June 27, 1997) and the Secretary 
(September 11, 1997), ``provide for punishment for those who 
misuse personal health information and redress for people who 
are harmed by its misuse. There should be criminal penalties 
for obtaining health information under false pretenses, and for 
knowingly disclosing or using medical information in violation 
of the Federal privacy law. Individuals whose rights under the 
law have been violated should be permitted to bring an action 
for damages and equitable relief.''
      

                                

    Mr. Becerra. Thank you, very much.
    Thank you, Mr. Chairman.
    Chairman Thomas. Looked like a horse and kicked like a 
mule.
    The key to that is where it is personally identifiable and 
it is electronic, you will know who has done it with the audit 
trail, and that you allow for relatively tough sanctions but 
the court system to resolve a number of those on the intensity.
    We obviously have access to taxpayer funds for medical 
purposes to sanction a number of people who are involved in the 
medical end of it through research or other ways, and a 
combination of those are what we are going to have to look at.
    Dr. Detmer. It is not as though we have no protections or 
things in place at this point. In fact, I think there is quite 
a bit of interest and commitment to this. It is just that we do 
not have a privacy law.
    Chairman Thomas. And to determine which ones appropriately 
match up.
    Dr. Detmer. Exactly.
    Mr. Becerra. The bottom line is, for the patient who has 
had this information exposed, there is little remedy he can do 
in terms of money or some type of civil or criminal sanction 
against that disclosure to make that person now feel whole.
    I would think we would want to construct something that 
provides swift sanctions and, as you said, it really has teeth. 
Because what you want to do, as you said before, is protect the 
information from ever being disclosed, especially information 
that is that sensitive of a nature.
    Chairman Thomas. The gentleman is pursuing a line of 
deterrence. I understand what you are saying.
    Mr. Becerra. Prevention.
    Chairman Thomas. You probably would not want to go down 
that road in other areas of discussion, but I clearly think a 
good example would be a deterrence. If you have a clear 
indication of someone violating it, a relatively swift and 
stiff punishment would occur, and we will explore those 
avenues.
    Dr. Detmer. And, in fact, unfortunately many lapses are 
essentially a person who has no business doing what they are 
doing. And that is far more the more common area than a problem 
with the technology itself or something else. It is somebody 
not respectful of these kinds of data and the personal harm 
they do to people.
    Chairman Thomas. Well, thank you very much. This is 
obviously the beginning of a process of producing legislation 
that will both protect individuals' right to privacy and 
confidentiality of records and also allow us to continue to 
access them for legitimate medical and research purposes.
    Thank you very much, Doctor.
    Dr. Detmer. Thank you.
    Chairman Thomas. We can ask our next panel to come forward.
    This will be Dr. Stephen Borowitz, who is associate 
professor of pediatrics and health evaluation sciences at the 
University of Virginia, Charlottesville; Janlori Goldman, 
director of the Health Privacy Project at Georgetown 
University; Dr. James R. Birge, I believe it is, medical 
director and chief executive officer of the MacGregor Medical 
Association in Houston, Texas.
    Dr. Borowitz, a copy of your full statement will be placed 
in the record. You may proceed in the time available in any way 
you see fit.

 STATEMENT OF STEPHEN M. BOROWITZ, M.D., ASSOCIATE PROFESSOR, 
  PEDIATRICS AND HEALTH EVALUATION SCIENCES,  UNIVERSITY  OF  
VIRGINIA  HEALTH  SCIENCES  CENTER,  CHARLOTTESVILLE,  VIRGINIA

    Dr. Borowitz. Mr. Chairman and Subcommittee Members, my 
name is Stephen Borowitz and I am associate professor of 
pediatrics at the University of Virginia. In the next several 
minutes I hope to show you how information technology can 
improve health care.
    The practice of medicine is information intensive. Forty 
percent of hospital operating costs result from patient and 
professional communications, and physicians and nurses spend as 
much as half of their time documenting. Yet 70 percent of the 
time, physicians do not have all the information they need. The 
greatest reason for this is that we continue to keep most 
medical information in a paper medical record.
    The paper record today is little different than 50 years 
ago, despite an explosion of medical knowledge and technology. 
Information is not sorted for relevance but rather by source 
and chronology, so that critical information may be deeply 
buried. Increasingly, the paper record is serving purposes it 
was not designed for. It is the source of medical billing 
documentation and the principal repository for medical-legal 
information. There is more and more information in the record, 
much of which has little or no direct clinical relevance.
    When compared to paper records, computerized records 
provide easier and faster access to clinical information. The 
data are of higher quality, always legible, and can be 
displayed in a number of different formats. Many organizations 
are already developing computer-based records.
    This is my younger daughter's record at the University of 
Virginia. This and other systems are searchable. We can search 
for all of the patient's blood counts, and the results are 
displayed quickly on a single screen and can be graphed or 
analyzed. The system also contains text.
    This is a hospital discharge summary of a little girl with 
ulcerative colitis whom I care for. Two days after her hospital 
discharge she returned late at night with intestinal bleeding. 
Because of this computerized record, the emergency room 
physician immediately knew her problem, who should be 
contacted, and what interventions were appropriate.
    Computerized records can contain images such as x rays or 
electrocardiograms. By being able to view this old 
electrocardiogram, an emergency room physician can determine 
that this man complaining of chest pain is experiencing 
heartburn not a new heart attack.
    Perhaps the greatest limitation of the paper-based medical 
record is that it actually does not exist. Every health care 
provider who has ever seen a patient has a separate paper 
record, and these records are viewed as personal notes or 
reminders rather than part of a larger whole. They are often 
perceived as owned by health care providers rather than by the 
patient.
    An excellent example of the limitations of the paper record 
is childhood immunizations. These are the safest and most cost-
effective health interventions. Ninety-five percent of children 
begin the recommended series, and 97 percent are fully 
immunized upon entry into kindergarten. However, only half of 
2-year-olds are fully immunized, yet they are the group at 
greatest risk for the diseases we are trying to prevent. The 
number of completely immunized 2-year-olds would go from 50 to 
85 percent if we eliminated all missed immunization 
opportunities.
    The biggest barrier to this is the lack of data. Many 
children change providers or are seen by multiple providers. 
Half of all children receive immunizations at two or more 
facilities. This makes responsibility for immunizations 
ambiguous. Who keeps track of them and who should be 
responsible?
    We have attempted to provide this type of information with 
Project Vaccine, a shared computerized immunization data base. 
Here is my younger's daughter immunization record. She is up to 
date. While this system can recommend immunizations, providers 
were resistant to this, so we provide current immunization 
schedules. Over the past 3 years, the rate of completely 
immunized 2-year-olds in central Virginia has risen from 58 to 
78 percent.
    In addition to recordkeeping, information technology is 
influencing the way health care is delivered. For the past 2 
years, we have been providing electronic mail consultations 
across the World Wide Web. Here is the e-mail form directed to 
me. There is a disclaimer that the information is being 
conveyed across the Internet and may not be secure or 
confidential.
    Over the past 24 months, I have received more than 1,000 
consultations. Here is an example from a parent in rural North 
Carolina whose 1-year-old son had chronic abdominal 
difficulties. Nearly 80 percent of my consultations have been 
initiated by parents. I have received requests from 38 of the 
50 States. Clearly, many people out there are seeking 
information.
    I believe information technology is helping to disseminate 
and redistribute medical information. Information that was 
previously only available to medical professionals is now 
available to anybody with access to a computer. This can only 
help patients and their families to be more active participants 
in their own health care and to make better and more informed 
health care decisions.
    Thank you.
    [The prepared statement follows:]

Statement of Stephen M. Borowitz, M.D., Associate Professor, Pediatrics 
and Health Evaluation Sciences, University of Virginia Health Sciences 
Center, Charlottesville, Virginia

    Mr. Chairman, Members of the Subcommittee on Health, thank 
you for your examination of two crucial and intertwined issues 
confronting our health system: the confidentiality of medical 
information, and the use of computer and communications 
technology to improve patient care. My name is Stephen 
Borowitz. I am a pediatrician who specializes in 
gastroenterology and nutrition and an Associate Professor of 
Pediatrics and Health Evaluation Sciences at the University of 
Virginia. I have long had interests in how information 
technology can be used to improve the delivery of health care 
as well as the delivery of medical education. My task today is 
to give you some idea as to the potential of information 
technology to improve the coordination of and access to health 
care, and help physicians and other health care providers 
become lifelong learners.
    While I speak today as an individual physician, I must note 
that the explosion of information technologies is reaching 
deeply into every corner of our nation. Today health data can 
be transferred from facility to facility in seconds, read and 
interpreted hundreds or thousands of miles away from the 
patient, stored on a variety of disks, drives, tapes, etc. In 
health care the global village is rapidly arriving, and 
patients in that global village could live in the smallest town 
in rural Virginia or across the world, and be treated by 
specialists at our Health Sciences Center through the use of 
telemedicine and other technologies.
    I am also a member of the American Medical Informatics 
Association (AMIA), a national organization dedicated to the 
development and application of medical informatics in support 
of patient care, teaching, research, and health care 
administration. AMIA's more than 3800 physicians, researchers, 
librarians, information systems managers, and other 
professionals with expertise in information technologies 
recognize that the enormous potential for computer and 
communications technology to improve health care cannot be 
realized unless individuals and the society-at-large are 
reasonably certain that safeguards are in place to protect the 
confidentiality of personal health data in medical records. My 
comments today reflect not only my own views as a physician who 
actively uses technology to improve patient care, but also 
those of many members of AMIA.
    The practice of medicine is information intensive. Nearly 
40% of hospital operating costs result from patient and 
professional communication activities. Despite the fact that 
physicians spend more than a third of their time 
``documenting,'' and nurses spend nearly half of their time 
``documenting,'' physicians report that 70% of the time they do 
not have all the information they need to best care for a 
patient.
    Perhaps the single greatest reason health care providers do 
not have all the information they need to deliver the best care 
is that we continue to keep most medical information in paper 
medical charts. Paper medical records have changed little over 
the past fifty years despite an explosion of medical knowledge 
and medical technology. While there are clearly advantages to 
the paper medical record in that it is familiar and portable, 
this form of record keeping has many limitations. Information 
in the paper medical record is not sorted for medical 
relevance. Rather, information in the paper record is sorted 
first by data source (i.e. medical orders, inpatient notes, 
laboratory results, radiology results, nursing notes, etc.), 
and then by chronology. This often means that the most 
important data elements are buried within the record rather 
than being one of the first things a health care provider sees 
when he or she opens that record.
    Increasingly, the medical record is serving purposes it 
wasn't originally designed for. The medical record now serves 
as the principal source for medical billing documentation and 
the major repository of medical-legal information. This means 
that there has been a tremendous increase in the amount of 
information within the record, much of it with little or no 
direct clinical relevance.
    While there are many potential obstacles to the development 
of computer-based patient records, such systems can overcome 
many of the limitations associated with paper-based medical 
records and offer health care providers better information upon 
which to base clinical decisions. When compared to a paper-
based record, a computer-based patient record provides easier 
and faster access to clinical information, the data are of 
higher quality, clearly legible, and can be displayed in a 
number of different formats. Computer-based patient records can 
generate prompts and reminders during the delivery of care and 
provide health care givers with decision support and links the 
medical literature thus integrating the delivery of care with 
the educational process.
    Computer-based patient records can decrease some of the 
costs associated with health care. With a completely searchable 
record, there will be a decrease in the number of redundant or 
unnecessary diagnostic or therapeutic procedures that are now 
performed because of incomplete or incorrect information. A 
computer-based patient record can dramatically reduce the costs 
associated with the filing, transporting, and copying the paper 
medical record and the generation and submission of bills. In 
large medical centers it costs $8.00 each time a paper record 
is pulled for use and $11.00 to complete each paper-based 
billing encounter form.
    Perhaps the greatest limitation of the paper-based medical 
record is that it actually does not exist. The paper-based 
medical record is based on the construct that people are cared 
for by a single physician or organization across the continuum 
of care, throughout a lifetime. Given the complexity of our 
current health care system and the mobile nature of our 
populace, no individual has a single ``medical record.'' 
Rather, every health care provider who has ever seen that 
individual has a separate paper record, even if many of those 
health care providers work in the same facility. The 
information within these disparate and uncoordinated paper 
medical records is often thought of as personal notes or 
reminders for that health care provider or health care 
organization rather than as part of a larger whole. These 
separate paper medical records are viewed as being owned by the 
health care provider rather than by the ``patient'' to whom 
they pertain.
    One of the most illustrative examples of the limitations of 
our current paper-record based system is childhood 
immunizations. Childhood immunizations are perhaps the safest 
and most cost-effective health interventions we currently have. 
For every dollar we spend successfully immunizing a child, we 
save $10.00 to $14.00 in the future. We know that 95% of 
children in this country begin the recommended series of 
immunizations; the first immunization is now administered 
before the infant leaves the hospital. We also know that 97% of 
children in this country are fully vaccinated at the time of 
kindergarten entry largely because it is required. However, 
only 37-56% of two-year old children are fully immunized 
despite the fact that these are the children at greatest risk 
for the diseases we are trying to prevent. Numerous studies 
have demonstrated that underimmunization rates among two-year-
olds do not vary substantially by ethnicity, geography, 
socioeconomic status, or health insurance status. Children who 
receive their health care from private pediatricians are just 
as likely to be underimmunized as are children who receive 
their health care from public health departments. Children who 
have private health insurance through their parents' employer 
are just as likely to be underimmunized as are children who 
have no private health insurance. This is primarily due to a 
lack of reliable information. Many young children are seen by 
multiple health care providers or change primary care providers 
during childhood. It has been estimated that approximately half 
of all children in this country receive their immunizations at 
two or more unaffiliated health care facilities. This makes the 
responsibility for administering immunizations ambiguous. Who 
keeps track of childhood immunizations and who should be 
responsible?
    We know that without any changes in patient behavior, the 
rate of completely immunized two year old children could be 
increased from 50% to 85% if the health care system eliminated 
all missed opportunities for immunization. In order to take 
advantage of these missed opportunities, health care providers 
need to have reliable information upon which to base their 
immunization decisions. A shared immunization repository could 
provide this information. If information regarding a child's 
immunization history were readily available to any physician 
treating that child, immunizations could be administered a 
timely fashion. We have attempted to provide this information 
for health care providers in Central Virginia with VaCCINe 
(Virginia Computerized Childhood Immunization Network) . 
Preliminary review of the available data from 16 out of 32 
child care centers and preschools throughout the Thomas 
Jefferson Health District of Central Virginia demonstrates that 
over the past three years, the apparent rate of completely 
immunized two year old children has risen from 58% to 78%.
    There are no longer any technological barriers to the 
development of computer-based patient records and many 
institutions have implemented portions of computer-based 
patient records with varying levels of success. However, there 
are many political and organizational issues that must be 
addressed. We must develop reliable means of identifying 
individual patients while insuring the data in their records 
are secure and confidential.
    There is little evidence that health care providers or 
health researchers misuse health information. While there are 
genuine concerns about unauthorized public release of personal 
information or the misuse of personal medical data by 
employers, insurers or others to discriminate against or 
otherwise harm an individual, at the same time it is crucial to 
recognize that access to all relevant patient-specific health 
care data is essential for those engaged in the provision of 
care, or in research to advance medical science and improve 
human life, or in the direction of public health programs and 
the protection of public safety. In the end, legislation 
governing health information must protect not only the 
confidentiality of individual medical records but also the 
ability of health professionals to provide care, conduct 
research, and prevent disease in a manner that benefits the 
entire population. Health information standards must 
thoughtfully and carefully balance the rights of the 
individual, the capacity of the health care system to provide 
needed care, and the interests of our nation as a whole.
    Issues of security and confidentiality are not unique to 
computer-based patient records. Paper medical records are far 
from secure. Paper medical records are often kept in relatively 
open public areas to afford ready access. Moreover, because of 
the way information is stored in the paper medical record, it 
is not possible to ``sequester'' certain types of information 
from individuals who have access to that record. Anything that 
is in the paper record can be seen by anybody. Moreover, there 
is no means of creating an audit trail of who accesses a paper 
record, or what they do once they have the record.
    A common concern about computer-based patient records is 
that they may less secure and confidential than paper medical 
records. However, a computer-based patient record can be made 
more secure than a paper medical record through the use of 
authentication and authorization, and the maintenance of audit 
trails. Authentication refers to a process that verifies the 
identity of the user. This can be by something the user knows 
(mother's maiden name, ID, password), something the user has (a 
key, a smart card, a token), by something related to who the 
user is (signature, fingerprint, voiceprint), and/or by 
something indicating where the user is (an IP address, a phone 
number, a hardware configuration). Authorization refers to a 
process whereby the information and services a user can have 
access to are limited based upon attributes of the user, 
attributes of the data, and/or attributes of the request. 
Finally, the use of audit trails can serve as strong and 
important deterrents to breaches in confidentiality if strong 
enough sanctions are employed. An audit trail is a record of 
information access events and can include the identity of the 
requestor, the date and time the request was made, the source 
and destination of the request, a description of what 
information was retrieved, and what the reason was for 
retrieving the information. Organizational policies and 
practices are at least if not more important than technological 
mechanisms in protecting health information and patient 
privacy.
    In addition to record keeping and access, information 
technology is influencing the way that health care is 
delivered. Quality health care is dependent upon good 
communications between physicians and patients. Successful 
communication results in the patient's understanding of the 
diagnosis and increased compliance with therapeutic 
recommendations and interventions. In addition to face to face 
and telephone contact, rapid written communication through 
electronic mail (e-mail) is now widely available to patients 
and health care professionals. E-mail can provide patients with 
a direct means of communicating with physicians and assuring 
them that their messages are received and read. E-mail provides 
physicians with the ability to follow-up or clarify advice that 
was provided during an outpatient visit and messages can direct 
patients to educational materials or other resources available 
on the Internet.
    As of late 1996, nearly 25% of people beyond 16 years of 
age in the United States have access to the Internet and at 
least 15% of the U.S. population was using e-mail. In certain 
regions, one fourth of patients use e-mail to communicate with 
their health care providers. Those patients who utilize e-mail 
to communicate with physicians perceive this means of 
communication as not only more convenient and faster than 
telephone communication, but also as increasing their access to 
medical care.
    While e-mail is generally viewed as a good means of 
communicating simple information and non-urgent requests 
between physicians and patients (i.e. refilling prescriptions, 
communicating laboratory results, or making appointments), up 
to 90% of patients who use e-mail to communicate with their 
physicians relay important and sensitive medical information 
electronically.
    Beginning in November of 1994, the Children's Medical 
Center at the University of Virginia instituted a pilot program 
of providing electronic mail consultations in selected 
pediatric subspecialties (http://www.med.virginia.edu/docs/cmc/ 
giconslt.html). A disclaimer was included at the top of the 
form alerting people that since the information contained 
within the form would be conveyed across the Internet, it might 
not be secure. All consultation replies included a copy of the 
original consultation request as well as a disclaimer to the 
effect that since the patient had not been physically examined 
and the entire history had not been obtained, the validity of 
the response might be limited.
    Between November 1, 1995 and February 28, 1998, the 
Division of the Pediatric Gastroenterology at the Children's 
Medical Center of the University of Virginia received 938 
electronic mail consultation requests. During this 28-month 
period, an average of 33.5  11 consultation 
requests was received each month with a range of 14 to 68 
requests. There has been a slow but steady increase in the 
number of consultation requests received each month.
    The greatest number of consultation requests were initiated 
by parents or guardians (79%), however 11% of the requests came 
from physicians and another 10% came from other health care 
professionals such as nurses, pharmacists, or respiratory 
therapists.
    85% of the consultation requests originated within the 
United States. During the 28-month period, consultation 
requests were received from 38 of the 50 U.S. states. Only 8% 
of all consultation requests originated in the states of 
Virginia or West Virginia, which comprise our traditional 
referral area. 15% of the consultation requests originated from 
sites outside of the United States; consultation requests were 
received from 37 different countries. Outside of the United 
States, the most frequent international source of consultations 
was Canada, followed by Australia, the United Kingdom, and 
Argentina.
    The large number of consultation requests we received from 
parents and guardians suggests that their primary health care 
providers do not always meet a family's information needs, or 
that they are dissatisfied with some of the information they 
have received. This dissatisfaction is further highlighted by 
the observation that nearly half of patients use some form of 
non-conventional medical therapy, often without consulting with 
or informing their primary care physician. As a group, parents 
seeking non-conventional medical therapies for their children 
are well-educated professionals, precisely the group of people 
who have ready access to the Internet and e-mail.
    Many parents appear to be very comfortable seeking medical 
information from relatively anonymous ``electronic 
consultants.'' This form of electronic communication provides 
people with a means of identifying qualified consultants 
outside of their local health care system and to communicate 
with these consultants directly without numerous layers of 
administrative bureaucracy. According to many of the families 
who consulted us, e-mail communications with an anonymous 
``electronic consultant'' are less intimidating than face to 
face conversations with time-pressured physicians. E-mail 
enabled many parents to ask questions that they were otherwise 
too timid to ask. This may in part be due to the mode of 
communication. E-mail is a hybrid between written and spoken 
language. It allows people to choose their words carefully 
without the pressures of time or place. Response time with e-
mail is substantially shorter than with written letters and yet 
e-mail offers more permanence than a face-to-face or telephone 
conversation.
    The public's increasing interest in online medical 
consultation reflects the changing nature of our health care 
delivery system. The rapid growth of electronic communications 
has paralleled the shift towards giving patients more 
responsibility for their own health care decisions. As the 
public has become better educated, they have become accustomed 
to seeking information about health care from printed media. It 
is only natural for them to turn to electronic sources of 
information such as Web sites and, when they have further 
questions, to contact web-site authors. More and more people in 
the United States receive their health care through managed 
care organizations which limit access to specialists and 
specialized treatments. This means that patients and their 
families have new incentives to find alternative sources of 
expert medical opinion, and when they go outside of their 
health care network, to seek the most time and cost-effective 
means of diagnosis and therapy to minimize their own out-of-
pocket costs.
    Given the complexities of the communication process, there 
are always potential misunderstandings when physicians and 
patients exchange medical information. The potential for 
misunderstandings may be magnified when medical information is 
exchanged across the Internet. The information could be based 
upon incomplete or incorrect assumptions, the information could 
be misinterpreted, it could be incorrect or out-of-date, or it 
could be more up-to-date than information provided by another 
physician. Given the wide variation in practice patterns, 
situations may arise in which an online consultant will 
disagree with the advice of another physician. In the United 
States, the law dealing with interactions between physicians 
and patients over the Internet has not been well defined. 
Potential legal issues include physicians practicing without 
licensure in the state or country in which the patient resides, 
alleged medical negligence, and abandonment of patients should 
the consultant not continue the relationship.
    The availability of vast amounts of medical information on 
the World Wide Web can have important implications for the 
future of our health care system. One author has called this 
``the next transformation in the delivery of health care.'' 
This dissemination and redistribution of medical information 
may influence public perceptions of the standards and quality 
of care and the nature of the doctor-patient relationship. 
Medical information on the World Wide Web can help health care 
professionals educate their patients, learn more about 
patients' concerns and fears, and help patients make better and 
more informed decisions about their own health care.
    While information technology is already helping to reshape 
our health care system, it can also help us change some of the 
paradigms of health care. In our current environment, the 
practice of medicine, continuing medical education, and 
clinical research are separate and somewhat independent 
enterprises. The innovative development and use of information 
technology and computer-based patient records can help us 
integrate clinical care with clinical research and lifelong 
learning while helping patients and their families to be more 
active participants in their own health care and make better 
and more informed decisions.

                          Selected References

    1. Bertakis, K.D. The communication of information from physician 
to patient: a method for increasing patient retention and satisfaction. 
J Fam Practice 1977:5;217-222.
    2. Coeira, E. The Internet's challenge to health care provision. 
BMJ 1996:312; 3-4.
    3. Culver, J.D., Gerr, F., Frumkin, H. Medical information on the 
Internet --a study of an electronic bulletin board. J Gen Intern Med 
1997;12:486-470.
    4. Dick, R.S., and Steen, E.B., eds. The Computer-based Patient 
Record: An Essential Technology for Health Care. National Academy 
Press, Washington, D.C. 1991.
    5. Elder, N.C., Gillcrist, A., Minz, R. Use of alternative health 
care by family practice patients. Archives of Family Medicine 
1997;6:181-184.
    6. Gleick, E. Picking a health plan: a how-to-guide. Time January 
22, 1996:60-61.
    7. Harris, E.D. Electronic mail--a physician extender? Western 
Journal of Medicine 1997;166:123-125.
    8. Impicciatore, P., Pandolfini, C., Casella, N., Bonati, M. 
Reliability of health information for the public on the World Wide Web: 
systematic survey of advice on managing fever in children at home. BMJ 
1997: 314; 1875-1881.
    9. Kane, B., Zands, D.Z. Guidelines for the clinical use of 
electronic mail with patients. JAMIA 1998;5:104-11.
    10. Kassirer, J.P. The next transformation in the delivery of 
health care. NEJM 1995:332-52-54
    11. Neill, R.A., Mainous, A.G., Clark, J.R., Hagen, M.D. The 
utility of electronic mail as a medium for patient-physician 
communication. Arch Fam Med 1994;3:268-271.
    12. Pealer, L.N., Dorman, S.M. Evaluating health-related web sites. 
J School Health 1997;67:232-235.
    13. Silberg, W.M., Lundberg, G.D., Musacchio, R.A. Assessing, 
controlling, and assuring the quality of medical information on the 
Internet. JAMA 1997;277: 1244-1245.
    14. Smith, R. The future of health care systems. BMJ 1997; 
314:1495-6.
    15. Sonnenberg, F.A. Health information on the Internet. Arch 
Intern Med 1997;157:151-152.
    16. Spigelblatt, L., Laine-Ammara, G., Pless, B., Guyver, A. The 
use of alternative medicine by children. Pediatrics 1994:94:811-814.
    17. Spooner, S.A. The pediatric Internet. Pediatrics 1996:98 1185-
1192.
    18. Widman, L.E., Tong, D.A. Requests for medical advice from 
patients and families to health care providers who publish on the World 
Wide Web. Arch Int Med 1997;157:209-212.
    19. Wyatt, J.C. Commentary: measuring quality and impact of the 
World Wide Web. BMJ 1997;314:1879-1881.


                                

    Chairman Thomas. Thank you very much, Doctor. And I will 
acknowledge I am the one who borrowed the information from your 
written statement to talk about the preventive aspects.
    Ms. Goldman.

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, 
 INSTITUTE FOR HEALTH CARE RESEARCH  AND  POLICY,  GEORGETOWN  
                           UNIVERSITY

    Ms. Goldman. Good morning, and thank you very much for the 
opportunity to testify here today. I am very pleased the 
Subcommittee is focusing on this issue and prepared to move 
ahead, as Congress now has set a time limit on itself.
    One of the questions that was asked earlier about existing 
privacy laws I think is an important one as we view this in the 
context that we do have an existing body of privacy statutes. 
And while they are not terribly consistent or related to each 
other, in some ways they do bear, I think, certain 
commonalities. I would hope that when we look at crafting a 
medical privacy law, we try to put it within the context of 
those existing privacy laws and, as you said, to learn 
something from what we have already done.
    What Congress has recognized is that medical privacy is a 
critical issue and we need to move forward within a certain 
period of time to pass legislation, and that if we are not able 
to do that, if we are not able in this body to reach some kind 
of consensus and move forward, the Secretary will then handle 
this as a regulatory matter. I do think Congress has a greater 
role in terms of setting enforceable rules and having remedies 
and enforcement mechanisms in place. We do have an important 
opportunity to do that work here.
    We have seen a much greater urgency in this area, even in 
just this past year. The recent stories involving the 
disclosures by CVS and Giant, I am sure many of you saw 
reported in the papers in the last few weeks, showed we are 
dealing in an unregulated environment. There is not now an 
existing Federal law protecting people's medical records.
    So while people are not necessarily acting with malice, 
there are considerations that are being given when information 
is disclosed that are not patient-focused, that are not focused 
on what is best for the patient or that do not directly involve 
the patient. So the response on the part of the public to those 
disclosures by CVS and Giant was very swift, very angry, and in 
fact both of those companies took out ads in the Post to say 
that they were stopping the practice altogether. Not trying to 
fix it, but stopping it all together until they could recoup 
some public confidence and decide how, if at all, they could 
move forward with compliance and marketing programs.
    One of the things I would like to suggest here this morning 
is that the way we have looked at privacy in the last decade in 
this area has been to view it in conflict with achieving public 
health goals. So that when we talk about privacy, we often talk 
about the costs associated or we see it as a barrier to getting 
access to data for research purposes or public health purposes. 
I do not think that has been a useful formulation, and I do not 
think it is an accurate formulation; such a view keeps us from 
developing the consensus we need.
    One of the things I found is that exactly the opposite is 
true. Privacy is not a barrier to achieving public health 
purposes, public health initiatives, and improving access to 
data for research. In fact, it is the opposite. Privacy is 
necessary for getting good quality data, complete data, and 
accurate data for use for those public health purposes.
    I want to spell out a few of those areas. When people do 
not trust that when they go to their doctor the information 
they are sharing will be handled in a confidential way, they do 
start to engage in certain privacy protective behaviors which 
have some very serious consequences. It has serious 
consequences for the individual, because if they do not 
accurately and fully share information, the doctor then does 
not have data he or she needs to accurately diagnose, to 
accurately treat. So the patient's care is undermined right 
there in the doctor's office.
    But, also, doctors then are not transmitting accurate and 
complete data on claims forms, the encounter data that the 
insurance industry relies on in doing the outcomes analysis 
that researchers rely on in doing their studies, that public 
health officials rely on in doing their studies and creating 
population data bases. So when we do not protect the 
information at the front end, it is undermined at the back end. 
We need this accurate and complete data. And I would say we 
need to give people some assurance that the data will be 
protected so that they will fully share information.
    One of the things we have seen is that the health care 
environment is changing so dramatically. There was an editorial 
in Sunday's Post that talked about privacy being a moving 
target and that the industry is developing so quickly, so 
rapidly around information uses and yet there are no 
enforceable rules in place. What I want to do is suggest that 
there are some key principles that can be built into a health 
privacy proposal.
    We do not have unanimity amongst all of us as to exactly 
how that language should be written, but I want to suggest that 
there are some key principles on which we do agree that we need 
to address. One is the very basic issue of giving people access 
to their own medical records, a fundamental right which only 
half the States in this country currently protect.
    We need to have limits on disclosure. We need to be able to 
say what information should be disclosed, how individuals make 
meaningful, informed voluntary choices by giving them notice of 
how information might be used, and having them sign 
authorization forms.
    Research, I think, is a tough area, as Dr. Detmer has said. 
One of the things that is important to acknowledge is that we 
do have Federal rules in place right now that apply to 
federally funded researchers, and those rules require an 
institutional review board to look at informed consent, to look 
at when there is an appropriate waiver of informed consent, if 
identifiable data is to be used, and I would suggest we take 
those Federal regulations and apply them across the board. 
There would be fairness and uniformity, and all researchers, 
not just those receiving Federal funds, should have to comply 
with those regulations.
    The Minnesota law is a source of some concern for folks. 
And while I agree it is the most restrictive law in this area, 
there have been studies done by the Mayo Clinic that show where 
consent is asked by patients for identifiable data, only 4.5 
percent, on an average of people who are asked, decline. Four 
and a half percent of the people withhold their permission for 
use of the information.
    Law enforcement. We need to have rules on government access 
to individual data. Right now every privacy law that exists on 
the books has a law enforcement limitation, and that is 
required by constitutional principle. It is the right thing to 
do.
    Remedies. We need to have strong remedies and enforcement 
mechanisms.
    I want to address the issue of preemption. I know it is on 
people's minds. We are dealing in a difficult area, because if 
we look at precedents of privacy laws, we currently do not ever 
preempt law in the civil rights and civil liberties area. In 
fact, Congress has been concerned about preempting State laws.
    In the medical privacy law, we have a particular problem in 
that we do not know what laws we would be preempting. There 
does not yet exist a comprehensive survey of existing State 
privacy laws. They are located in all different areas of the 
State code, from public health to consumer protection to 
insurance regulation.
    We need to have a better handle on what we would be 
preempting, and we need to look at whether we can determine 
preemption on a case-by-case basis, look at particular issues, 
and whether there is a justification for a carve-out in those 
areas. Right now there is compliance with existing State laws, 
so people are functioning in this environment even though it 
may not always be the most convenient.
    Let me quickly mention some of the other issues.
    Discrimination. We have an opportunity in crafting a 
privacy law to in some ways create the first line of defense 
against discrimination. We have the Americans With Disabilities 
Act, but nothing in that law prohibits an employer from getting 
access to the health information. A privacy law would do that. 
So it would prevent, in some ways, the temptation for using 
that information for discrimination.
    The technology is a critical issue you have all talked 
about. We have a chance with the increased technology to better 
protect information, to create more security for data, and to 
recognize that paper records are essentially a fairly 
unprotected realm. If we need it, we can take advantage of the 
security opportunities we have.
    And, overall, any health privacy law should create 
incentives to use nonidentifiable data. We should ask the 
question which we do not now ask: Do we need identifiable data 
in a particular project? Can we get by with nonidentifiable 
data? And by creating those incentives, we would take certain 
people out of the scope of the law and remove the concern.
    I know this is not an easy challenge. We have worked on 
this issue for a long time, but I think we now have the 
increased political will to move forward.
    At bottom, Americans should not have to worry when they go 
to the doctor, fill a prescription, file a claim form, or they 
get a job and do a preemployment physical; they should not have 
to worry their privacy is going to be put at risk. They should 
be able to fully share information with their doctors and not 
worry they are going to have their care threatened or their 
employment threatened.
    We will know that we have really made some progress here 
when we protect our medical records as well as we protect our 
video rental lists.
    Thank you very much.
    [The prepared statement follows:]

Statement of Janlori Goldman, Director, Health Privacy Project, 
Institute for Health Care Research and Policy, Georgetown University

                      I. Introduction and Overview

    Mr. Chairman and Members of the House Ways and Means' 
Subcommittee on Health: I very much appreciate the invitation 
to testify before you today on patient confidentiality.
    In December 1997, I launched the Health Privacy Project at 
the Institute for Health Care Research and Policy at Georgetown 
University Medical Center. Prior to creating the Project, I 
have focused on privacy and technology issues--particularly 
health privacy--for over a decade, as co-founder and Deputy 
Director of the Center for Democracy and Technology, and as 
Director of the Privacy and Technology Project of the American 
Civil Liberties Union.
    At present, there is no comprehensive federal law to 
protect the privacy of peoples' health records. However, most 
people mistakenly believe there is a federal privacy law that 
safeguards their medical records, and they believe the law 
gives them the right to access their own medical records; they 
are shocked when informed otherwise (Louis Harris & 
Associates, Health Information Privacy Survey, 1993). The 
recent debacle involving CVS and Giant Food selling customer 
prescription data to drug manufacturers for target-marketing 
and customer tracking--and the public outrage expressed over 
this practice--is another loud and clear call for Congress to 
enact a strong health privacy law to protect people against 
such unauthorized use and abuse of their personal medical 
records.
    I believe health privacy is one of the most important 
health issues facing our nation: it is critical to improving 
health care, and fostering valuable public health initiatives. 
Fortunately, Congress recognized the urgent need for 
enforceable health privacy rules, and set itself a time limit 
in the Health Insurance Portability and Accountability Act of 
1996 to pass health privacy legislation by August 1999.
    There are a number of proposals before the House and Senate 
with regard to medical privacy. Representative Jim McDermott 
(D-WA) and Representative Gary Condit (D-CA) have both 
reintroduced their bills from last Congress without significant 
change: ``Medical Privacy in the Age of New Technologies Act of 
1997'' (H.R. 1815) and the ``Fair Health Information Practices 
Act of 1997'' (H.R. 52), respectively. In the Senate, under 
consideration are: ``The Medical Information Protection Act of 
1998,'' (discussion draft 2/19/98) co-authored by Senator 
Robert Bennett (R-UT) and Senator James Jeffords (R-VT), and 
``The Medical Information Privacy and Security Act,'' (S. 1368) 
introduced by Senator Patrick Leahy (D-VT) and Senator Edward 
Kennedy (D-MA). Last week President Clinton released the 
Administration's proposal for a patients' ``Bill of Rights,'' 
which includes a broad confidentiality provision.
    There is a long history of congressional efforts to craft 
health privacy legislation, but, as yet, we have fallen short 
of achieving the necessary consensus. I believe we must take 
the critical next step to move away from viewing privacy and 
health initiatives as values in conflict, and towards viewing 
privacy as a key element in ensuring the success of health care 
goals. In my statement, I outline a new framework for 
addressing privacy in the larger health care arena as an 
ultimate good, which will foster patient trust and confidence 
in the doctor/patient relationship, and enhance the quality of 
patient data needed for improving patient care, research, and 
public health initiatives.

        II. The Value of Privacy to Individuals and Communities

    The potential benefits to individuals and communities from 
the emerging global information infrastructure are well 
documented. More and more, people are communicating, receiving 
information, and engaging in commerce through the Internet, 
often with little regard for local and national borders. 
Individuals, governments, libraries, universities, hospitals, 
museums, corporations, and non-profits are expanding their 
activities to include the use of the Internet and other 
interactive communications technologies.
    But there is a darker side to the ``Information Age'' that 
threatens to undercut the growth and promise of these powerful 
new developments. The same medium that makes possible the 
instant global communication and sharing of information, also 
provides people with the capacity to generate, capture, store, 
and reuse a tremendous amount of personal information. On a 
daily basis, applying for a driver's license, seeking credit, 
talking with a doctor, passing through a toll on the turnpike, 
making (or receiving) a phone call, subscribing to a magazine 
or joining an organization, logging on to a website, or even 
buying a small item with cash, often requires that people 
divulge a tremendous amount of detailed, sensitive information.
    The primary issue here is not the use of the person's 
information for the purpose for which it was collected 
(evaluating credit, issuing a driver's license, providing 
medical care), but the unanticipated, secondary disclosures of 
the person's information. Over the course of a person's 
lifetime, the record of one's life collected through 
distributed and largely unregulated networks can make real the 
``womb-to-tomb dossier'' that Harvard Professor Arthur Miller 
warned of over thirty years ago. Once personal information is 
collected for one purpose, the temptation to use it for other 
purposes is often irresistible.
    In a joint statement last year, President Clinton and Vice-
President Gore acknowledged the public's fear of losing 
privacy: ``Americans treasure privacy, linking it to our 
concept of personal freedom and well-being. Unfortunately, the 
[Global Information Infrastructure's] great promise that it 
facilitates the collection, re-use, and instantaneous 
transmission of information can, if not managed carefully, 
diminish personal privacy. It is essential, therefore, to 
assure personal privacy in the networked environment if people 
are to feel comfortable doing business.''
    Significant social, political, and economic consequences 
can result from our society's failure to preserve privacy. If 
people continue to lose control over their ability to choose 
when, what, and to whom to divulge personal, sensitive 
information, they will be reluctant and unwilling to step 
forward and fully participate in society, fearing unwanted 
exposure, judgements, discrimination, surveillance, stigma, and 
loss of jobs, credit, housing, or family. A continued failure 
to protect the privacy of personal information in a variety of 
spheres--most notably health--will undermine peoples' ability 
to fully participate in social, political, and commercial 
activities.

                      III. Privacy and Health Care

    A lot of attention has been paid in recent years to how to 
improve health care in this country, but a critical element 
that is often overlooked and misunderstood is the role privacy 
and confidentiality plays in the health care setting. Nearly 
every facet of health care--from health care delivery, to 
payment, prescribing medication, outcomes analysis, research, 
and marketing--is undergoing dramatic changes as our society 
moves towards managed care and the development of integrated 
health data networks. As a recent editorial in The New York 
Times observed, ``Preserving privacy in the ever-expanding 
world of electronic medical records is a daunting task that 
health care organizations and public policy makers have been 
slow to address. But as managed care puts more information into 
more hands, consumer anxiety over confidentiality makes the 
issue unavoidable.''
    A number of factors lead to privacy being viewed by some as 
being in conflict with other health care endeavors. These 
factors range from fear that addressing privacy at the patient 
level will lead to a diminution in the quality and quantity of 
health data made available, to concern about a lack of 
knowledge and tools to apply in protecting personal health 
information in both electronic and paper form. Anxiety exists 
among some downstream users of health information that 
protecting patient privacy means people will always choose to 
lock up their medical records in their doctors' offices.
    Some of those who fear privacy will reduce the flow of 
valuable patient data claim that:
     There is an overriding public interest in 
furthering their activities which trumps any individual privacy 
claim;
     People will not be able to responsibly exercise 
any decision-making authority over their own information--in 
other words, they will not understand (or care about) the 
larger social good to be gained by the use of their 
information;
     There are no horror stories of improper use or 
disclosure of personal medical information for which they are 
responsible;
     The complexity and cost of putting privacy and 
security safeguards in place are too burdensome, and will choke 
the flow of identifiable health data needed for health care-
related initiatives.
    At bottom, some health care organizations are concerned 
that health privacy regulation will go too far on the 
confidentiality side, and thus have a negative impact on 
beneficial health efforts. There is a fear that protecting 
privacy will clog the free flow of health information, and make 
less information available for outcomes analysis, research, 
public health activities, and other health-related purposes.
    Ultimately, the converse is true: without trust that the 
personal, sensitive information they share with their doctors 
will be handled with some degree of confidentiality, patients 
will not fully participate in their own health care. In the 
absence of such trust, patients will be reticent to accurately 
and honestly disclose personal information, or they may avoid 
seeking care altogether for fear of suffering negative 
consequences, such as embarrassment, stigma, and 
discrimination. Along the continuum, if doctors and other 
health care providers are receiving incomplete, inaccurate 
information from patients, the data they disclose for payment, 
research, public health reporting, outcomes analysis, and other 
purposes, will carry the same vulnerabilities.
    Initiatives to improve public health and reshape health 
care--such as community health information networks, managed 
care, telemedicine, outcomes analysis, disease management, the 
creation of population data bases--could not exist, let alone 
flourish, without access to complete and reliable information. 
However, the current lack of privacy and security protections 
for personal health information threatens to undermine 
significantly the quality of care people receive, as well as 
the accuracy and reliability of the information being collected 
and used for outcomes analysis, cost effectiveness studies, 
research, and public health activities.
    I urge that we abandon the current dialogue that places 
privacy and public health initiatives in conflict. A new 
framework is needed that intertwines the values of protecting 
patient privacy and fostering health care initiatives. At this 
juncture, let us treat patient privacy as a ``first principle'' 
of ensuring quality of care for individuals and their 
communities. Ideally, within such a health privacy framework, 
identifiable information patients choose to disclose outside 
the four walls of their doctor's offices would be more accurate 
and complete, and thus create more reliable data for use by 
doctors, researchers, and others working to enhance the quality 
of health care. By expanding our focus to incorporate privacy 
as an ultimate good to be achieved in the health care arena, we 
may better advance our health care initiatives.

              IV. The Role of Privacy in Care and Research

    Again, without trust that the personal, sensitive information they 
share with their doctors will be handled with some degree of 
confidentiality, people will not fully participate in their own health 
care. In turn, information that lacks integrity at the front-end will 
lack integrity and reliability as it moves through the health care 
information environment. Therefore, protecting privacy must be an 
integral part of both ensuring good health care to individuals and 
improving the health of the larger community. If people worry that 
their most sensitive information will not be treated confidentially by 
their doctors, and may be disclosed without their knowledge and 
permission to their employers, pharmaceutical companies, or marketers, 
these people are likely to engage in privacy-protective behavior, such 
as withholding information from their doctors, paying out-of-pocket for 
services to which they are entitled or avoiding health care altogether. 
Anxiety on the patient's part over unknown and coerced uses and 
disclosures of their records--even for altruistic purposes--leads 
people to withdraw from full, honest participation in their care. This 
privacy-protective behavior serves to both jeopardize peoples' health 
care, as well as undermine the health care initiatives that rely on 
high-quality information.
    In many ways, the relationship between people and their doctors 
bears the greatest burden in the health privacy debate; this 
relationship is the ``hot spot,'' the originating point on the health 
information continuum. Patients are beginning to understand that the 
open-ended waivers for disclosure they sign as a condition of receiving 
health care and reimbursement for services leave them vulnerable to a 
wide array of uses and reuses of their health information. It is here, 
in the first and subsequent encounters with a particular provider, that 
a person decides how much to divulge, and whether that provider can be 
trusted. There are many factors that affect a person's trust and 
confidence in his or her doctors, and it is that level of trust that 
ultimately determines the degree of willingness to fully divulge health 
and other personal information.
    The public has consistently expressed a high degree of concern over 
the vulnerability of their privacy, in particular the lack of 
protection for their personal health information. Decades of survey 
research conducted by Louis Harris & Associates document a growing 
public concern with privacy. The 1995 Harris poll found that 82% of 
people were concerned about their privacy, up from 64% in 1978.
    A Health Information Privacy Survey released by Harris in 1993 
found that the majority of the public (56%) favored the enactment of 
strong comprehensive federal legislation to protect the privacy of 
health care information. In fact, of that majority, eighty-five percent 
(85%) responded that protecting the confidentiality of medical records 
was absolutely essential or very important to them. An overwhelming 
percentage wanted penalties imposed for unauthorized disclosure of 
medical records (96%), guaranteed access to their own records (96%), 
and rules regulating third-party access to personal health information.
    Harris' 1996 survey elicited a disturbing public view of researcher 
use of medical records. Only eighteen percent (18%) of the public 
consider the use of patient records for medical research without prior 
permission to be very acceptable. Thirty-nine percent (39%) found the 
use somewhat acceptable. The public's comfort level increased if the 
information released did not identify individual patients, but one-
third found it not at all acceptable for researchers to use non-
identifiable health information without patient consent.
    Finally, in Harris' 1995 survey, sixty percent (60%) of respondents 
cited instances where they refused to provide requested information. 
This kind of privacy-protective behavior is not unfounded. Recent 
reports of abuse or misuse of peoples' health information have 
confirmed the public's fear of misuse of personal medical information. 
For example:
     The chain drug store CVS, and Giant Food, recently 
admitted to disclosing patient prescription records to a direct mail 
and pharmaceutical company to track customers who don't refill 
prescriptions, and send them letters encouraging them to refill, and 
consider alterative treatments. After public outrage was expressed 
following media reports of this practice, both CVS and Giant agreed to 
halt the marketing disclosures. (``Prescription Fear, Privacy Sales,'' 
Washington Post, p. A1, 2/15/98)
     An Orlando woman recently had her doctor perform some 
routine tests, and received a letter weeks later from a drug company 
touting a treatment for her high cholesterol (``Many Can Hear What You 
Tell Your Doctors: Records of Patients Are Not Kept Private,'' Orlando 
Sentinel, 11/30/97, A1)
     New York Congresswoman Nydia Velasquez' confidential 
medical records--including details of a bout with depression and a 
suicide attempt--were faxed from a New York hospital to a local 
newspaper and television station on the eve of her 1992 primary. After 
overcoming the fallout from this disclosure and winning the election, 
Rep. Velasquez testified eloquently about her experiences before the 
Senate Judiciary Committee as it was considering a health privacy 
proposal.
     The Harvard Community Health Plan, a Boston-based HMO, 
admitted to maintaining detailed notes of psychotherapy sessions in 
computer records that were accessible by all clinical employees. 
Following a series of press reports describing the system, the HMO 
revamped its computer security practices.
     In Maryland, eight Medicaid clerks were prosecuted for 
selling computerized record printouts of recipients' and dependents' 
financial resources to sales representatives of managed care companies.
     In a recent survey, 206 respondents reported 
discrimination as a result of access to genetic information, 
culminating in loss of employment and insurance coverage, or 
ineligibility for benefits.
     The director of a work site health clinic operated by a 
large manufacturing company testified that he was frequently pressured 
to provide personal information about his patients to his supervisors.
     The late tennis star Arthur Ashe's positive HIV status was 
disclosed by a health care worker and published by a newspaper without 
his permission.
     Patient Direct Metromail advertises in a pharmaceutical 
industry journal that it has 7.6 million names of people suffering from 
allergies; 945,000 who suffer from bladder-control problems; and 
558,000 who suffer from yeast infections. (``Medical Privacy is 
Eroding, Physicians and Patients Declare,'' San Diego Union-Tribune, 2/ 
21/98,
    Focusing specifically on mental health care, a New York Times 
Magazine article, ``Keeping Secrets,'' observed: ``[A]t present it is 
unrealistic for people to assume that the raw and tender subjects they 
talk over with their therapists will go no further than the four walls 
of the consulting room. And many patients have become legitimately 
concerned about the possibility that the depression, suicide attempt, 
marital problem or alcoholism being discussed could return to haunt 
them in cyberspace. They are uncomfortably aware of the shadowy figures 
sitting in on their therapy sessions: the insurance administrator, the 
electronic file clerk, the case reviewer, other physicians with an 
H.M.O.--even their own co-workers and supervisors.'' (June 16, 1996, p. 
38)
    Peoples' anxiety over whether they will maintain some decision-
making authority over the use and disclosure of their personal health 
information by their doctors strongly drives their decisions to seek 
care, how honestly and fully they interact with their health care 
provider, whether they `doctor hop' to avoid having all of their health 
information entrusted to one provider, and whether they pay out-of-
pocket or file a claim. Any lack of trust or confidence in the doctor/ 
patient relationship carries the potential of infecting all of a 
person's interactions with and perceptions of the health care 
environment.
    The consequences for patients, as well as the health care 
initiatives intended to serve them, are significant:
     The patient may receive poor quality of care, risking 
untreated and undetected health conditions.
     The doctor's abilities to diagnose and treat accurately 
are jeopardized by a lack of complete and reliable information from the 
patient.
     The integrity of the data flowing out of the doctor's 
office is undermined. The information the patient provides, as well as 
the resulting treatment and diagnosis, may be incomplete and 
inaccurate, and not fully representative of the patient's care or 
health status.
     A doctor may skew diagnosis or treatment codes on claim 
forms, or the doctor may keep separate records to be maintained and 
kept within the doctor's four walls, and send on incomplete information 
for claims processing in order to encourage a patient to more fully 
communicate.
     The credibility of any research or analysis performed in 
reliance on the patient's data is called into question. Not only is the 
patient's health data unreliable from her medical record and claims 
data, the downstream user (researcher, public health official) lacks 
any information as to whether the information might lack integrity or 
why. In other words, there may be no clue in the record that something 
is missing or false.
    In the health care setting, when patients withhold information or 
shun care to protect their privacy, they must do so with a broad, 
undiscriminating brush--they have to calculate for every negative 
possibility. But, if people are assured that their health information 
will be safeguarded, and if they are empowered to make informed, 
voluntary choices about the secondary use of their health information, 
people are likely to seek care, more fully open up to their health care 
providers, and make educated decisions about the disclosure and use of 
their personal health information.

           V. Consensus for a National Health Privacy Policy

    A consensus exists among the public, policymakers, and a 
broad spectrum of the health care field that a comprehensive 
health privacy policy is needed in this country. As a recent 
editorial in the Washington Post concluded: ``Of all the 
threats posed to personal privacy by new information 
technologies, the threat to the privacy of medical records is 
by the far the most urgent.'' (``Medical Files, or Fishbowls?'' 
9/23/97, p. A16)
    Reports of the last twenty years are unanimous in 
concluding that a comprehensive national health privacy law is 
critical to ensuring both the integrity of the doctor/patient 
relationship and the continued development of this nation's 
health care system (See For The Record: Protecting Electronic 
Health Information, National Research Council, 1997; Health 
Data in the Information Age: Use, Disclosure and Privacy, 
National Academy of Science, Institute of Medicine, 1994; 
Protecting Privacy in Computerized Medical Information, Office 
of Technology Assessment, 1993). In the past few years, every 
witness that has testified before the U.S. Congress has stated 
that a comprehensive federal privacy law is critical to 
preserving peoples' trust in their doctors and in the health 
care system.
    Most recently, the Presidential Advisory Commission on 
Consumer Protection and Quality in the Health Care Industry 
issued its recommendations for a patients' ``Bill of Rights,'' 
which states: ``individual patients' medical records should be 
treated confidentially, and disclosed only in order to treat 
them and pay bills.''
    S. 1360, The Medical Records Confidentiality Act of 1996 
introduced last Congress by Senators Bennett and Leahy, quickly 
garnered broad bi-partisan support, including co-sponsorship by 
Senators Dole, Daschle, Kassebaum, Kennedy, Jeffords, and 
Frist. Despite this powerful hand holding, agreement on the 
scope and implementation of a national health privacy policy 
continues to present a challenge.
    We now have a new and promising opportunity for meeting 
this challenge. The recently enacted Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) includes a 
provision mandating that either Congress or the Secretary of 
HHS establish an enforceable privacy regime to protect 
personally identifiable health information. ( P.L. 104-191, 
also known as Kassebaum-Kennedy) In HIPAA, Congress set itself 
a time limit of August, 1999 for enacting a health privacy law. 
If Congress fails to act by that time, the Secretary of HHS is 
required to promulgate health privacy regulations by January, 
2000.
    To provide some guidance for legislation, HIPAA required 
the Secretary to submit to Congress her blueprint for health 
privacy legislation. In September 1997, Secretary Shalala 
issued a set of recommendations to Congress to ``enact national 
standards that provide fundamental privacy rights for patients 
and define responsibilities for those who serve them.'' The 
Secretary's recommendations parallel to a large extent the 
recommendations of other national bodies, as well as 
incorporating approaches taken by many of the proposed medical 
confidentiality bills introduced in Congress over the past. The 
major recommendations are to:
     Impose new restrictions on those who pay and 
provide for care, as well as those who receive information from 
them. It should prohibit disclosure of patient-identifiable 
information except as authorized by the patient or as 
explicitly permitted by the legislation. Disclosures of 
identifiable information should be limited to the amount 
necessary to accomplish the purpose of the disclosure, and 
should be used within an organization only for the purposes for 
which the information was collected.
     Provide consumers with significant new rights to 
be informed about how their health information will be used and 
who has seen that information. Providers and payers should be 
required to advise patients in writing of their information 
practices. Patients should be able to see and get copies of 
their records, and propose corrections. A history of 
disclosures should be maintained by providers and payers, and 
be made accessible to patients.
     Provide for punishment for those who misuse 
personal health information and redress for people who are 
harmed by its misuse. There should be criminal penalties for 
obtaining health information under false pretenses, and for 
knowingly disclosing or using medical information in violation 
of the Federal privacy law. Individuals whose rights under the 
law have been violated should be permitted to bring an action 
for damages and equitable relief.
    Secretary Shalala concludes that ``without safeguards to 
assure that obtaining health care will not endanger our 
privacy, public distrust could turn the clock back on progress 
in our entire health care system.'' (Shalala report, pp 1,2.)
    However, the Secretary's report drew fire from the Hill, 
the media, health care providers, and health privacy experts 
for her recommendation that law enforcement officials continue 
to have virtually unfettered access to personal health records. 
As The New York Times editorial decried: ``The exemption for 
law enforcement agencies is a huge loophole The need to combat 
fraud in the nation's trillion-dollar health-care industry is 
indisputable. But it hardly justifies granting less privacy 
protection to the intimate information contained in medical 
records than existing Federal statutes now extend to the 
records of banks, cable television, video rental stores, or E-
mail users, as the Administration's plan bizarrely 
contemplates.'' (See ``Trifling with Medical Privacy,'' NY 
Times, 9/97)
    No other federal privacy statute provides such an exemption 
for law enforcement. In fact, most of the U.S. privacy laws 
were enacted specifically to bring law enforcement under a 
Fourth Amendment warrant mandate.
    It is also worth noting that HIPAA includes a provision 
known as ``Administrative Simplification.'' Coupled with the 
law's privacy mandate is a requirement that uniform health data 
standards for the electronic transmission of personal health 
data be developed by Spring 1998. The consequence of these dual 
and staggered requirements is that a time line has been 
established by which data standards must be created prior to 
the development of privacy and security rules governing 
personal health information. Both the short time frame and the 
awkward sequence of events laid out in the ``Administrative 
Simplification'' section pose unique challenges for health care 
entities, policymakers, and patients.
    However, the congressionally mandated time limit to pass 
health privacy legislation by August 1999 shifts the political 
landscape, and injects greater immediacy into the effort to 
find a strong, workable privacy solution.

            VI. Key Issues for Federal Health Privacy Policy

    The following is a broad outline of the key elements that 
must be incorporated in a comprehensive health privacy policy. 
Many of the health privacy proposals currently pending before 
Congress address, in various ways, these key factors.
     Access: People must have the right to see, copy, 
and supplement their own medical records. Only 28 states 
currently provide such a right.
     Notice: People must be given written, easy-to-
understand notice of how their health information will be used 
and by whom. Only with such notice can people make informed, 
meaningful choices about uses and disclosures of their health 
information.
     Consent: As a general rule, patient consent should 
be obtained prior to disclosure of personal health information 
by doctors, health plans, employers, and other health care 
entities, especially if the disclosure is not related to 
treatment or payment. There seems to be a broad recognition 
that exceptions to the rule of consent are needed for certain 
public health disclosures and in emergency circumstances.
     Research: A federal privacy law should strengthen 
and expand the reach of existing privacy safeguards for 
identifiable health information used by researchers. Overall, a 
national health privacy policy should create incentives for 
researchers to use non-personally identifiable health data.
    Specifically, there should be equity, uniformity, 
accountability and oversight in scope and application of the 
federal regulations governing Human Subjects research and the 
use of personally identifiable health information by 
researchers. Regulations should be applied to both federally 
and non-federally funded researchers, and the existing standard 
for granting waivers of informed consent for use of 
identifiable data should be codified, strengthened and strictly 
applied.
    Far from hindering research, a federal health privacy law 
can benefit health research--by bolstering patient confidence 
in the use of personal health information. Again, protecting 
patient privacy can help to insure the integrity of the data at 
the front end, when it is divulged by the patient.
     Security: It is important to require the 
development of security safeguards for the use and disclosure 
of personal health information. While it is critical to 
acknowledge that networked health information systems can pose 
a risk of greater magnitude and harm, technology can be used to 
better safeguard personal health information in electronic form 
than it would be protected if on a piece of paper in a file 
drawer (see For the Record: Protecting Electronic Health 
Information, National Research Council, 1997). Also, technology 
can be used to more efficiently anonymize and de-identify 
personal health data for public health initiatives.
    No system--either paper or electronic--can provide 100% 
fool-proof security, but existing technology does provide us 
with some powerful opportunities to better protect personal 
information. There has been some discussion about providing 
people the option to prohibit their personal health data from 
being maintained and transmitted in electronic format. I 
believe that such an ``opt-out'' may create a false expectation 
that sensitive information is better protected in paper form. 
Again, this is not necessarily true if strong security policies 
and tools are built-in to information systems.
     Law Enforcement: A federal health privacy law 
should include a court order requirement, with a standard as 
stringent if not more so than that set out in the Video Privacy 
Protection Act (better known as ``The Bork Bill''). 
Constitutional principle requires that individuals should be 
shielded from unjustified government intrusion. Currently, no 
federal privacy statute provides a broad exemption for law 
enforcement. In fact, most of the U.S. privacy laws were 
enacted specifically to bring law enforcement under a Fourth 
Amendment warrant mandate.
     Remedies: In order to be truly effective, a 
federal health privacy law must have strong remedies in place. 
For instance, strict civil penalties and criminal sanctions 
should be imposed for violations of the law, and individuals 
should have a private right of action against those who 
mishandle their personal medical information.
     Preemption: No precedent exists in our federal 
privacy and civil rights laws for preempting state law. In the 
case of health privacy, we do not yet have a comprehensive 
survey of state law that would even indicate what state laws we 
would be preempting. Further, health care entities are 
currently doing business and transferring information 
interstate, complying with various state health privacy laws.
    Serious consideration should be given to any proposal to 
preempt state law in this area, thereby locking the states out 
of tailoring their laws to reflect particular circumstances. 
For instance, stronger state mental health and communicable 
disease confidentiality laws should not be preempted, given the 
long history of stigma and discrimination against people with 
these conditions. Moreover, given what we know of the 
resistance to testing and accessing treatment, these state 
privacy laws help to promote broad public health interests.

                            VII. Conclusion

    I am optimistic that the political will exists this 
Congress to pass legislation that truly protects peoples' 
privacy in the health care setting, without unduly compromising 
valuable health care initiatives. The time has come for a 
cohesive, forward-thinking health privacy paradigm that 
acknowledges privacy's critical role in health care, and 
integrates it at various states throughout the health care 
system. People must be empowered to be more active, informed 
consumers of health care and knowing, willing participants in 
the broader health care activities that impact their lives and 
well-being of their communities. If we are to achieve the oft-
touted goals in health care, people must have trust and 
confidence that the health care system will safeguard their 
personal health information. Loss of personal privacy--and 
ultimately the erosion of reliable health information--must not 
be the price of progress.
      

                                

    Chairman Thomas. Thank you very much.
    Dr. Birge.

  STATEMENT OF JAMES BIRGE, M.D., MEDICAL DIRECTOR AND CHIEF 
  EXECUTIVE OFFICER, MACGREGOR MEDICAL ASSOCIATION, HOUSTON, 
 TEXAS; ACCOMPANIED BY JIM SLOANE, VICE PRESIDENT OF BUSINESS 
    DEVELOPMENT, AMERICAN MEDICAL MANAGEMENT, HOUSTON, TEXAS

    Dr. Birge. Again, thank you for inviting us to testify 
here. I am Dr. Birge, the medical director and the chief 
executive officer for MacGregor Medical Association. With me is 
Jim Sloane, vice president of business development for our 
computer systems. We are here to describe what we have been 
doing with electronic medical records from a clinical 
standpoint, which I will address, and Mr. Sloane will address 
it from a security standpoint with a little show-and-tell of 
what it looks like.
    Essentially, I echo everything that Dr. Borowitz said in 
his testimony. MacGregor is a fairly large group. Right now 
there are 22 sites in Houston, 5 in San Antonio, a total of 
about 220 doctors. We are taking care of about 210,000 patients 
in Houston, about 40,000 in San Antonio. By the end of the 
eighties it was very apparent to us that the paper medical 
record just did not work. We could not get the clinical 
information to the doctors at the time the doctor needed it. 
The only answer we came up with was the computer, and that is 
what we did.
    We installed an electronic medical record that went live at 
the end of 1991, and all of the patients are now in that 
computer base. It handles 1.1 million visits a year. It makes 
available essentially all the outpatient data for the physician 
at the time the physician needs it. We do this by providing 
computers in the doctors' offices, nurses' stations, in the ERs 
of plan hospitals, L&D, that sort of thing. They can also have 
access at home, if the physician wants.
    What that does is allow us to use the computerized 
information, which includes progress notes, lab reports, x 
rays, and problem lists, and use it in four fundamental 
categories: The first would be taking care of that individual 
patient, so that whether the patient shows up at the office on 
a scheduled visit, or they are showing up in the evening as a 
walk-in; or they are hitting the L&D room or the ER of the plan 
hospital, the medical information is there for the physician 
taking care of the patient. As other people have previously 
testified, the quality of care is better that way, and 
hopefully things are more economical and expedient from a time 
standpoint.
    A quick example. A 70-year-old woman hits her after-hours 
facility; feels a little tired, a little dizzy. The doctor does 
a review--does not have the paper record available but does 
have access to the clinical information in the computer. Finds 
a hemoglobin at 10.1, which is slightly anemic. Is that new or 
old? Should he worry or not worry? The computer says the 
hemoglobin has been like that for the last 10 years. You are 
not going to worry about it. There are just numerous examples 
like that.
    Second point: Identification of high risk patients. The 
medical paradigm, if you allow me to use this trite word, has 
always been episodic. We wait for the patient to intervene with 
us. We wait for them to get sick, feel lousy, something bad is 
happening, and then the doctor jumps in and tries to save the 
day, usually with poor success.
    What we need to do is move to the next millennium, and that 
is identifying the high risk patients before they blow up. How 
do you do it? Information. The computer systems can look at 
patients with mild renal failure. They have not been back in to 
see a doctor in more than 1 year. That is a high risk patient. 
Somebody whose glucose is not under tight control, hasn't seen 
a doctor in 6 months, that is a high risk patient.
    This is where the medical profession needs to go. It is our 
obligation to take that next step, to treat the patient as a 
continuum, not as an episode, and that all requires information 
linked together chronologically.
    The third area is quality assurance just within our 
organization. This would be data which is really not 
identifiable by the individual but looks at all the conditions 
of how tightly controlled are diabetics, what kind of renal 
functions are they obtaining, that sort of thing. This comes 
back to the outcome analysis the Chairman talked about earlier.
    And then, finally, quality assurance, or outside our 
organization; these are HEBIS initiatives; NCQA, that sort of 
thing, again where you can screen computer data as opposed to 
hordes of nurses floating through paper records one by one. It 
is a no-brainer. Obviously, the results are going to be more 
meaningful from a statistical basis, and you can look for more 
things using the computer than you can the paper record.
    With that, let me turn things over to Jim Sloane.
    Mr. Sloane. Good morning. Thank you for the opportunity. I 
would request that I move my seat over, and hopefully my 
technology will work appropriately and I will demonstrate some 
of what the providers at MacGregor have access to in our 
information system.
    To start off with, in addition to the confidentiality 
statement which every employee must sign as a condition of 
employment, every time that one of the users turns on their PC, 
this is the statement that they are presented with. The only 
option they have, in order to continue to use the PC in any 
manner, is to agree with this confidentiality statement. It 
serves as a constant reminder to the employees about the 
importance of keeping the patient information confidential.
    Chairman Thomas. I do not want to interrupt you, but what 
is the consequence of violating that statement? I am trying 
to--immediate dismissal?
    Mr. Sloane. Correct.
    Chairman Thomas. Is that a right that has been exercised?
    Mr. Sloane. It has.
    Dr. Birge. You are right, the consequence is immediate 
termination.
    Chairman Thomas. And it has been exercised?
    Dr. Birge. It has been.
    Chairman Thomas. OK.
    Mr. Sloane. The step for the user when they attempt to 
access the electronic medical record system is the same as many 
other systems. Each user has a unique identifier, user I.D., to 
gain access to the system. They also have a password. We do 
force the users to routinely change their passwords so that 
they cannot consistently use the same password. We also do not 
allow reuse of the passwords, so that they cannot bounce back 
and forth between one and two passwords.
    These screens do have automatic timeout after certain 
periods of inactivity and the user is logged off.
    Once they sign on to the system, depending upon the level 
of access, and it is different depending upon what type of 
position an employee has with the organization, they are 
presented with a menu of icons which they can choose from. Many 
of the providers start out with this view. It is basically a 
look at their schedule; what it looks like for a given day and 
a given month of the year.
    From this particular view, the physician can select a 
patient record off of the scheduling system and start looking 
at clinical data. This information is similar to what we just 
saw, just presented in a different format. The physicians have 
access to laboratory results, transcriptions, immunization 
histories, demographic information, and significant problems, 
as well as drug allergies.
    In order to look at a particular note, the user would just 
select which note they wanted to see off the appropriate tab. 
This happens to be my son's record. That is a common 
occurrence, too. This is my son's actual record from within the 
system. This happens to be a note dictated by Dr. Patel when my 
son came in for a visit. This is the immunization flow sheet.
    This also serves as information for what type of 
immunizations were given and as a reminder to the provider when 
particular immunizations should be given. This is just a view 
of the drug history.
    We have the capability within the system to search across 
the medical records for a given patient. In this case we search 
for the word ``sinusitis'' and the system highlights which 
particular progress notes contain that word or phrase. And 
again we see that highlighted within this progress note.
    I have pulled up a different patient here. This is a test 
patient within our system. We see a list of the significant 
problems in the upper left-hand portion; on the right-hand side 
we would see drug allergies; and below that the same 
information as previously seen. If you wanted to look at a 
particular lab result, you can select it off the lab folder. 
You see the particular details of that result and then the 
physician has the capability of graphing the results if they 
desire.
    This is just a different view of the same laboratory 
information, providing a little more detail before you go in 
and look at a particular result.
    That is basically what I had prepared just to give you an 
idea of what the system looks like. But to address more 
specifically some of the security aspects, I already talked 
about the users agreeing to the confidentiality statement. We 
also have the capability to restrict a user's access to the 
system by day of the week, hour of the day, and location of the 
device from which they are accessing the system.
    Also mentioned, we have the capability of restricting 
access by the level of user, so that not all users see all 
levels of patient information.
    We do keep audit trails of access to all of the 
information. Every time one of those records is pulled up of a 
patient and you go into a progress note or a laboratory result, 
that information is recorded in an audit trail.
    And to address the opening question, that is one 
circumstance where we monitor those audit trails on a routine 
basis. We noticed one particular employee had an unusually 
large number of accesses to patient records, patient data. When 
that employee was confronted, he immediately resigned. And we 
would have terminated him anyway if it was inappropriate use of 
the information.
    We do restrict access to other employees' information 
within the system, so that one employee cannot pull up another 
employee's information unless they have a high level of 
security in order to do so. And that can expand beyond just 
other employees. Certain individuals whose records are 
determined should be restricted, we have that capability.
    As far as the future of where we are heading, the use of a 
user I.D. and password is not the ideal situation. We continue 
to monitor the technology that is coming about. Two important 
areas are the use of fingerprint recognition devices, as well 
as retinal scanning devices. We have prototyped a fingerprint 
recognition device. We think it is very promising.
    Obviously, a fingerprint is not something that can be 
shared with other people. You cannot pass it on to other 
people. The technology is improving and the devices are 
becoming much more cost effective in order to look at 
implementing that type of security. We think that will help 
tremendously.
    In closing, I realize my time is up, and I would just like 
to state that I believe electronic records, with the 
appropriate controls, security, and auditing mechanisms in 
place, can be as secure, if not more so, than the hard copy 
patient records.
    Thank you.
    [The prepared statements follow:]

Statement of James Birge, M.D., Medical Director and Chief Executive 
Officer, MacGregor Medical Association, Houston, Texas; Accompanied by 
Jim Sloane, Vice President, Business Development, American Medical 
Management, Houston, Texas

    Mr. Chairman, thank you for the opportunity to testify 
today regarding the important issue of patient confidentiality. 
I am Dr. James Birge, Medical Director and CEO of MacGregor 
Medical Association. Accompanying me today is Jim Sloane, Vice 
President of Business Development at American Medical 
Management. Jim will briefly demonstrate for you the superior 
security system we have developed at MacGregor. This system not 
only ensures patient health information is kept strictly 
confidential, but also enhances our ability to provide our 
patients with the highest quality, state-of-the-art health care 
available.
    MacGregor Medical Association is a multispecialty clinic 
founded in 1953 by two physicians in Houston, Texas. It 
currently comprises 220 providers located at 22 sites in 
Houston and 5 sites in San Antonio. In Houston the physicians 
serve approximately 185,000 commercial HMO members, 10,000 
Medicare risk enrollees, and 15,000 fee-for-service patients. 
In San Antonio, the operation handles 18,000 HMO paneled 
members and 24,000 PPO or fee-for-service patients. The total 
combined visits for last year were 1.1 million.
    MacGregor is illustrative of the trend toward highly 
integrated health care systems. We have entered into a number 
of innovative arrangements with health plans and facilities and 
are responsible for several hundreds of thousands of patients. 
Along with this trend toward integration, however, has come new 
challenges over how to best keep patient information 
confidential while also making the information readily 
available for use in providing services to patients.
    This is the challenge Congress now faces--how to enact 
standards which ensure the highest level of patient 
confidentiality possible without undermining the ability of 
health plans, physicians, and other providers to use the 
information for producing higher quality health care services 
and treatments.
    Until very recently, the field of medicine has been devoted 
to mostly identifying and labeling various disease processes. 
Physicians have been able to cure almost nothing, though 
ameliorative treatment has made great strides over the past 
three decades. I believe that things are now changing. New, 
powerful medications and procedures entice us with the prospect 
of actually curing a few things and certainly controlling 
various disease and conditions a lot better than before. This 
possibility will require that a physician has prompt, complete 
medical data. Inadequate information will not only be costly in 
terms of delaying proper diagnosis and treatment, but could 
potentially be seriously harmful to the patient. In addition, 
complete medical information is necessary to conduct ongoing 
quality assurance activities and to continue the drive towards 
excellence through peer review and outcomes analysis.
    For example, today's medications are far more powerful than 
those used 20 years ago. If a doctor doesn't know what 
medications a patient is taking and attempts to treat another 
condition, the results may be catastrophic. It is our opinion 
at MacGregor Medical Association that medical information must 
be available in the context of an electronic medical record. 
Not only will the industry soon demand this technology, it will 
be malpractice to treat a patient in the absence of complete 
medical information. It is therefore our challenge to create a 
system that:
     Uses practical industry-wide standards
     Establishes safeguards to protect patient 
confidentiality without jeopardizing the usefulness of the 
electronic medical record
     Prevents medical information from being used 
inappropriately
     Develops a process of funding the electronic 
medical record which does not unfairly affect the patient, 
employer, physician, insurer, or hospital.
    MacGregor is a pioneer in the move toward electronic 
storage and transmission of patient data. MacGregor has 
received a great deal of national recognition and has won 
awards for the systems that it has developed. While this brings 
us a great deal of satisfaction, the more important matter is 
that we believe that these systems have assisted the caregivers 
in providing cost-effective, high quality care to the patients 
that they serve.
    At MacGregor, patients have always been allowed to see any 
primary care physician at any site. As a result of this policy, 
MacGregor realized by the late 1980's that all too often, we 
were unable to deliver the paper medical record to one of our 
offices scattered across Houston in time for a patient visit. 
It was decided that the only solution was a computerized 
medical record. This instrument went on-line at the end of 1991 
and has been successfully used ever since. In addition to the 
electronic medical record (EMR), MacGregor continues to use a 
standard paper chart which is protected by standard policies 
and procedures.
    Through the EMR, a MacGregor physician has access to a 
patient's significant problem list, drug allergies, progress 
notes, laboratory results, X-ray results, and immunization 
data. This information is available at the MacGregor clinics, 
plan hospitals, and--if desired by the doctor--at the 
physician's home via the Internet.
    The Structured Query Language database, which is explained 
in more detail in our written testimony, data base allows our 
physicians to perform a multitude of comparative studies which, 
we think, improve overall patient care. Again, without access 
to this data, quality of care is significantly compromised. 
Reports are particularly useful in identifying high-risk 
individuals and those patients who are overdue for screening 
tests. Some examples include: women overdue for mammogram; 
women overdue for a PAP smear; abnormal blood tests which 
haven't been repeated in a certain period of time; children who 
are due for certain immunizations; renal failure patients 
overdue for kidney tests; diabetics who have poor sugar 
control; and high cholesterol patients with inadequate follow-
up.
    Results of such studies are patient specific so that the 
clinical department may contact the patient and arrange to have 
the appropriate action taken.
    Federal standards which either limit our access to this 
information, or requires that we obtain patient authorization 
at every point of contact, will serve only to undermine our 
quality control and enhancement efforts. Results of such 
studies are patient specific so that the clinical department 
may contact the patient and arrange to have the appropriate 
action taken.

               Security of the Electronic Medical Record

    In spite of the positive aspects and advantages of an 
electronic medical record, we are certainly aware of the 
potential damage and danger of this information being 
disseminated to improper individuals or being used for other 
than the intended purpose. With that in mind, we will present 
the security measures and procedures that MacGregor has 
implemented to help prevent misuse.
    We consider ourselves a pioneer in the development and use 
of these types of outpatient clinical systems. While this 
brings us a great deal of satisfaction, the more important 
matter is that we believe that these systems have assisted the 
caregivers in providing cost effective, high quality care to 
the patient that they serve. It is simply impossible to have a 
hardcopy medical record available in 30 outpatient locations, 
emergency rooms and labor and delivery areas of the local 
hospitals, all at the same time, in anticipation of a patient 
showing up on the doorstep.
    Our central computing facility, which houses the patient 
clinical data, has several physical security measures in place. 
The front entrance to the building is monitored by a 
receptionist who ensures that all visitors to the building sign 
in and list which employee they are visiting. The receptionist 
then places a phone call to the employee letting them know that 
they have a visitor. The visitor is accompanied during his 
visit to our facility. The employee entrance to the building 
and the parking lot are secured 24 hours a day, seven days a 
week, 365 days a year. Each authorized employee, who has filled 
out the proper form, is given an access card to the parking lot 
and the building. Every time the card is swiped to enter the 
parking lot or the building, an entry is made in an electronic 
log which lists the owner of the card and the date and time 
they entered. The section of the building that houses the 
computer on which the data resides is also secured by an 
additional card reader. During off peak hours, when the 
employees working in this area are not present, only those 
select employees who have a need to enter the computer room are 
able to do so by swiping their card. This is also recorded in 
an electronic log.
    With respect to the EMR application that grants users 
access to patient data, only those users who have filled out 
the proper forms, have been authorized and approved by their 
manager, and have been assigned a User ID and a password are 
able to access the system. In addition, we have software in 
place which mandates that users change their passwords on a 
predetermined basis and which prohibits reuse of passwords 
during certain time intervals. Additionally, to limit the 
possibility of an employee leaving his system logged on 
indefinitely, the EMR application ``times out'' after a period 
of inactivity and the user is logged off of the system. Every 
time that a personal computer is powered on by a user of our 
system, the user is presented with a confidentiality statement, 
a copy of which is attached, to which he must agree in order to 
gain access to the EMR application. This serves as a constant 
reminder to our employees about the confidential nature of the 
information contained within our system.
    When remote users access our system, via direct dial-up on 
through the Internet, in addition to the User ID and password 
that are required to gain entry to the application, they must 
also have a second User ID and password to gain entry to the 
remote access server. This is in addition to a piece of 
proprietary software that they must have loaded on their 
personal computers in order to gain access remotely. All data 
that passes through the public network is encrypted through the 
use of this remote access software. We also use an Internet 
firewall which prevents our systems from being directly 
accessed through the Internet. Every outside system attempting 
a connection to our EMR system must first pass the criteria we 
have established. In our environment, the EMR is not accessed 
directly from the Internet. Access is first passed through a 
firewall and then to a gateway server that connects into the 
EMR system.
    Through the use of internally developed security software, 
we also have a great deal of control over access to the EMR and 
other applications. We have the capability to restrict a user's 
access by day of the week, hour of the day, and the location of 
the device which he is using to access the system. We can allow 
or restrict an individual user's access to all, or select 
elements, of patient data. We can restrict access to another 
employees' clinical information as well as other individuals 
whom it is determined should have restricted access to their 
clinical data. Within each ``window'' of the application we 
have the ability to restrict access to any or all of the 
following functions: inquiry, add, update, or delete 
capability. Within the MacGregor Medical Association provider 
group, which practices in two different cities in the state of 
Texas, we have the ability to logically separate patient's data 
by region code. Although patient data is not generally made 
available to the doctors from the city in which they do not 
practice, if a patient visits the doctor in the other city and 
signs a release form, electronic access to the data can be 
granted.
    In addition to all of the security measurers mentioned 
above, we maintain an electronic log in which a record is kept 
every time that a user accesses patient clinical data. This log 
lists the User ID that accessed the data, the date and time of 
the access, the type of information that was accessed, and the 
terminal ID from which the access was made. This log is 
monitored on a regular basis by the security administrator in 
an attempt to determine if patient records are being accessed 
improperly. In one particular circumstances an employee was 
confronted about his unusually high number of inquiries to 
patient clinical data. The employee immediately resigned. While 
some may rightfully argue that this auditing capability is 
``after the fact,'' compare it to the inability to audit access 
to hardcopy patient records. While in many places a handwritten 
log is maintained, I would argue that it is not nearly as 
accurate or effective at limiting inappropriate access to 
patient medical records.
    We know that a User ID and password mechanism is not 100% 
foolproof, so we continue to research and evaluate alternative 
means of uniquely identifying individual users of our system. 
Two promising possibilities include fingerprint recognition and 
retinal scanning. These types of systems are becoming more and 
more feasible as the technology improves and the cost declines.
    There is a tremendous tradeoff between the level of 
security implemented and the usefulness and usability of any 
computer system. If the restrictions imposed are too severe and 
time consuming, the physicians and other providers will not use 
the system regardless of the value it brings. I believe that 
Electronic Medical Record systems, if implemented with the 
proper controls and auditing mechanisms in conjunction with 
enforced policies and procedures, can be made as secure, if not 
more so, than hardcopy medical records.
    In conclusion, thank you again for the opportunity to 
testify on this complex and important issue. As you face the 
challenge of enacting federal confidentiality standards, 
MacGregor encourages you to reflect on the advantages of 
responsible use of patient information and to consider the 
negative consequences of imposing measures that are so 
restrictive that they undermine quality.
    The challenge is great. The rewards for the patient and the 
system as a whole will be fantastic.

                    Confidentiality Policy Statement

    All information in a patient's medical record is STRICTLY 
CONFIDENTIAL. This information should not be discussed with 
anyone other than MEDICAL PERSONNEL with proper authorization 
and a LEGITIMATE `NEED TO KNOW'. Breach of confidence may be 
grounds for immediate dismissal.
      

                                

    Chairman Thomas. Thank you very much. A question first to 
Dr. Birge and you, Mr. Sloane, but Dr. Borowitz may want to 
respond. The software you are utilizing, is it proprietary, is 
it off the shelf, partially off the shelf, modified for your 
own use?
    Dr. Birge. This software was developed by us, because back 
in the late eighties we could not find anything out there we 
thought would work. We would happily talk to any entity that 
would like to use it.
    Chairman Thomas. So, you are still amortizing the cost of 
development. I was going to ask whether or not you were keeping 
track of its cost effectiveness in terms of saving dollars for 
patient care. But because you had to do a bit of creating with 
this as well, it probably is not a fair question, because I 
don't think we should require the amortization of the software 
as part of the cost effectiveness.
    Dr. Birge. That is a very good question. We are certainly 
keeping track of the expense. The system was written up in the 
CIO magazine and received an award a couple of years ago, and 
did a breakdown of some cost analysis. The real problem is what 
others have identified earlier, that when you start talking 
about being proactive and prevention therapy, that sort of 
thing, your payback is measured in years and decades, not 
quarters or one financial year. That is an issue.
    Chairman Thomas. Dr. Borowitz, is yours proprietary or 
created?
    Dr. Borowitz. A hybrid of the two together. We do have some 
cost data regarding pharmacy errors when we brought up what is 
called physician order entry, where the doctors order the 
prescriptions themselves. And when doctors made the entry 
directly, the errors dropped to virtually zero within several 
months.
    Chairman Thomas. Well, it has obviously come to my 
attention this is a two-way street; that not only are you 
allowed to make sure you are cost effective in dealing with 
what needs to be done in a timely way, but that those who are 
not doing it in a timely way are exposed as well.
    Dr. Borowitz. That is correct.
    Chairman Thomas. Any reaction from physicians or other 
health care providers about big brother looking over their 
shoulder in terms of making these decisions?
    Dr. Birge. From our standpoint the answer is really no. We 
are a group practice, and that whole culture is one where you 
know people are looking at what you are doing and you are 
expected to be on your best behavior.
    Chairman Thomas. The concern about confidentiality. And, 
Ms. Goldman, although I agree with you in part, I find it 
difficult to talk about the points that you mentioned--
discrimination, identifiable data versus encrypted paper 
records versus electronic and the rest, and start with the 
assumption that privacy is so critical and important that we 
ought to immediately carve out a role for States to make 
decisions not limited by the broader societal needs and the 
protection of the individual, which may, in fact, create a 
crazy quilt pattern that would deny us the opportunity.
    I think this teeter-totter is very, very difficult to 
balance. My concern, and Dr. Detmer's concern, was the 
administration's position that States certainly should be able 
to go beyond what the Federal Government does in terms of 
rights of privacy. And I am trying to figure out where we wind 
up tipping in the direction of privacy which denies us, without 
real reason, the ability to collect data. Does that concern you 
at all?
    Ms. Goldman. Well, it absolutely concerns me, Mr. Chairman. 
If I can just address the preemption issue for a moment to try 
to respond to your concern, right now we do have this crazy 
quilt in the States, with nothing at the Federal level. The 
States are having to respond to the vacuum created by the 
absence of a Federal law, so they are moving forward to pass 
privacy legislation.
    What we have seen in other areas, for instance the Federal 
wiretap law, is that, as all other privacy laws, it creates a 
floor and States are able to go beyond that. The Federal law, 
for instance, requires one-party consent before a conversation 
can be taped or intercepted. What States have done, one-third 
of the States, not more than that, they have decided that is 
not a strong enough protection and all parties must consent to 
the conversation. So when law enforcement goes into a 
particular area, they understand that that State's law must be 
complied with if it is above what the Federal law requires.
    Now in this area I think it is a little more complicated, 
since we are dealing with so many.
    Chairman Thomas. You need to stand that whole argument on 
its head, do you not, as you are examining the issue? Does that 
make sense to you?
    Ms. Goldman. Say again.
    Chairman Thomas. The idea perhaps, where it is identifiable 
patient records, we can create an opportunity for States to go 
significantly beyond what the Federal Government believes is 
appropriate. But where we have protocols for encryption 
available, I would be very concerned about letting States go 
beyond the level that we establish to create that opportunity 
for uniformity of collection of data.
    Ms. Goldman. One of the ways I think we have tried, for 
instance, in some of the Senate proposals of last year and on 
this side, the way we have tried to address this concern about 
uniformity, because researchers and industry representatives 
have a valid concern, which is that it is more convenient, more 
efficient, often easier to transfer information around the 
country if you only have one standard with which to comply and 
you do not have to look at all the various State laws. But we 
have an opportunity to make that a reality without having to 
broadly preempt State law by making sure the Federal law is 
written at a high enough level.
    And, in fact, many of the proposals have been written with 
that in mind, looking at some of the existing State laws and 
saying, Let us make sure we do not disregard the efforts that 
California has made or that New York has made, and that we make 
sure the Federal law is set at that level, if not a little 
higher, so we are not preempting State law. We allow those laws 
to stand and be acknowledged and respected, but we are also 
knowing at the Federal level we need to set the bar high enough 
so that there really is, in effect, one standard.
    But I do acknowledge there may be some areas where we want 
to carve out for preemption. Research may be one of them. We 
may want to say that the Federal policy, as related to 
research, is preemptive. We may want to acknowledge, though, 
that in the public health area, as Dr. Detmer said, or in the 
mental health area, States have been fairly active, for good 
reason, to protect their citizens proactively in this area of 
crafting privacy legislation, and we should be careful not to 
preempt those particular laws and look at where we have a 
justification for preemption.
    Chairman Thomas. I do not want to get into a debate over 
this, but my concern there is if we deal with the use of the 
material itself, we may be missing the point. Rather than 
focusing on identifiable records versus nonidentifiable or 
encrypted records, the question is how good is the encryption.
    Because your point about the Minnesota law, to me, is not a 
very valid one, and that is, Gee, we come within 95.5 percent 
of accuracy in some areas of collection of the data, especially 
in epidemiology and other areas, throw it out. It is not worth 
anything.
    Ms. Goldman. I understand.
    Chairman Thomas. The whole value of the Mayo Clinic in its 
approach was it was a 100-percent universe, which gave you the 
ability to do certain things. When you are dealing with certain 
types of research, especially following on our carryback, you 
have to have 100 percent or it is not worth anything. And to 
get Mayo Clinic to spend its own money to convince people up 
front they should sign the waiver, which by the way is like a 
60-day window and then it is gone and you have to go back and 
get it, is, I think, not a good model to use regardless of 
their ability to drive that close to 100. Because I believe 
there is now something being lost in Minnesota because of the 
Minnesota law being operative, and we will hear from someone 
else on the panel that may not go as far as I did.
    But the other point I want to make is, I am very concerned, 
as we talk about the timeframe in which we are going to make 
laws, that we do not get too carried away with the anecdotal 
model for us to legislate with. The Minnesota, CVS-Giant 
Pharmacy list, has been used by everyone. The Maryland State 
legislature is moving to change that. Once it was identified 
and the problem was exposed, they are moving to solve the 
problem.
    Your argument that there are people who are carrying out 
certain behaviors of denial in terms of the physician-patient 
relationship because they are worried about confidentiality 
may, in fact, be the case. But I have also heard enough 
testimony about the failure in medical school for physicians to 
get a little bit of training in sensitivity, that perhaps the 
inability of the physician to draw out the patient, to talk 
about this information, is a lot closer to the real world model 
than the patient coming in and creating a defensive posture of 
not telling the doctor everything because they are worried 
about confidentiality.
    I think confidentiality models clearly would come from 
someone who is very concerned with privacy, but the failure of 
the doctor to do a good job of interviewing may, in fact, be 
closer to the real world. I do not want to argue the point. I 
want to say the anecdotal arguments are not going to be the 
ones we are going to legislate on, I hope. But, frankly, with 
the medical folk and press here, all we ever read about that 
makes the front page is anecdotal, and that is what our 
colleagues are going to respond to if we do not do a good job 
in trying to create a broad-based record of what the problem 
really is.
    Now, I will give you a chance to say something.
    Ms. Goldman. Mr. Chairman, you make some good points, and I 
want to respond to the concern about the Minnesota law. I am 
not advocating we take the Minnesota law and make it the 
Federal standard. I just wanted to point out that in their----
    Chairman Thomas. I understand.
    Ms. Goldman [continuing]. In their efforts there is the 
compliance rate they have gotten. What I am suggesting is that 
while a 4-percent error rate may suggest to epidemiologists to 
throw out the data, it is worthless, and I think that is a very 
important point, what we have not yet measured because it is so 
difficult to measure, is when people are worried about 
confidentiality, and of course there are other factors that 
keep people from fully disclosing information. I recognize 
that. I just want to raise the point that privacy is one of 
those factors.
    Where people do not accurately share data, where they do 
not fully disclose with their doctor or withhold or do not seek 
care at all, that undermines the quality and reliability of the 
data, and we have no way to measure that.
    Chairman Thomas. I understand your point. You made it well, 
both in written and verbal testimony. My concern is if we do 
not move at the Federal level, the Minnesota example will be 
the one used more often than not. That is my concern. And it is 
just not a good model, as far as I can tell. There might be 
better ones out there, and what we need to do is set an 
example.
    The concern about access, and again, Ms. Goldman, you are 
the one who focused on this, I do believe the patient should 
have a right to look at their medical records. The concern I 
get is that the next breath leads to, We ought to be able to 
supplement those records, we ought to be able to add to those 
records, and then even to the extent we ought to be able to 
delete from those records.
    I just want to have some statement on the record by the two 
doctors in front of us on this panel about their belief or 
attitude, in the material that they deal with, of patients 
being able to supplement their own medical records. I think the 
deletion one is a strong one. We all agree that that is not a 
concern. But has there been a discussion among the group or 
with you, in terms of the e-mail you get and about the 
supplementing of records?
    Dr. Borowitz. We have certainly discussed it. I think the 
e-mail experience suggests that a lot of people are more 
comfortable writing information down, if you will, to use e-
mail as a written analog. They have an opportunity to think 
things out without the pressure of time and being intimidated 
by a physician.
    I also believe it is an opportunity to allow patients to 
short circuit some of the history-taking process, because they 
can present the physician or health care provider with data 
they may think is important but is not readily available in a 
written record, so that they can put their medications, their 
allergies, the family history, and they can get down to what is 
important, which is the reason they showed up in the office 
that day.
    Chairman Thomas. Do you think that patients withhold 
information purposely over the concern of confidentiality?
    Dr. Borowitz. I have no data, but my personal experience is 
what you have already alluded to. There is usually another 
agenda that is not addressed, and it is that we have not asked 
the right questions to get that information; there is a fear 
they may not even know that we need to help them articulate. My 
brother's sister's uncle had appendicitis for 8 years, and you 
never asked me that question.
    Chairman Thomas. All I am trying to do is indicate there 
are a lot of reasons why it occurs, it is not just 
unidirectional.
    Thank you very much.
    Does the gentleman from Louisiana wish to inquire? Does the 
gentleman from California wish to inquire?
    Mr. Becerra. Dr. Borowitz, and actually Mr. Sloane and Dr. 
Birge as well, because you mentioned how important it might be 
in the future to head toward electronic data as the main source 
of information on patients, the question I asked earlier of Dr. 
Detmer is, How do you make sure you get everyone on board, if 
you want to make sure all patients have access to that same 
information and are provided the same type of health care 
coverage and expertise? How do you make sure the person who has 
to use that nonprofit, very valuable clinic in the community 
but is one of those that operates strictly on the margin, how 
do you make sure they get on board quickly?
    Dr. Borowitz. I do not have a good answer to that question, 
except to say there are certainly large costs in the medical 
system now related to the generation of information for 
billing. The example I give in our own organization, which is 
nonprofit, is that it costs approximately $12 to collect the 
necessary documentation to submit the bill to the billing 
computer system. Those data are of no clinical value.
    If we developed clinical information systems that in fact 
collected clinically relevant information, and as a result we 
had standardized billing processes, there would be a lot of 
money available. It would probably not solve all the problems 
but it would solve some of those problems. We would get more 
value for the systems already in place.
    Dr. Birge. In our universe, that effect has certainly 
helped us. The vast majority of our revenue is by capitation. 
So, we are not billing, per se, to an insurer. It costs us 
about $7 a visit for the system you saw. So, again, the dollars 
saved on the billing side can be transferred over to the 
information side.
    The other part is that we still have a paper record. It 
does exist. And if there would be some way to actually 
eliminate that, that is additional savings. It is just we have 
not figured out exactly how to do it.
    Mr. Becerra. I agree with everything you have said. It is 
just how do you make up for the startup costs? You are talking 
about institutions that probably have to get the computers and 
get the programmers and figure out how to work all of this out. 
How do you help them with that startup cost so they can help 
save money and start transitioning into that period where they 
are using only electronic data?
    Dr. Borowitz. I would suggest one of the things we need to 
know is, How much money are they already expending on 
information systems that are sequestered in the billing 
universe?
    Mr. Becerra. But that will not end so long as they have a 
patient that came in and was tracked with paper records. That 
patient remains that way. Somehow you have to start them into 
this new era. You are right, as soon as they get into it, they 
will probably save money, but that will not help them to buy 
the computer to get them there.
    Dr. Borowitz. We are in the process of upgrading our entire 
system throughout the University of Virginia health system, and 
one of the things we have realized is there is a core data set 
that most physicians want. It is fairly straightforward 
information. It is a problem list; list of allergies, list of 
medications, list of encounters. Those are things that can be 
captured fairly easily and backloaded into a system so you 
start with value in the system right off the bat.
    When we brought up our regional immunization registry, one 
of the things we realized is no one would use the system unless 
there was information already in it. We had to go back and 
backload, through office charts, 2 years' worth of data. We 
hired a bunch of high school students to do that. You will have 
to have some data in the system up front for there to be value. 
There are core data elements that all of us want that would 
provide for a lot of the needs we have.
    Dr. Birge. I would also have two suggestions, and I think 
you stated it earlier, but in the for-profit sector you could 
do things from a tax standpoint which could be advantageous. 
And for both the for-profit and not-for-profit sectors, this is 
a plea, but the requirements of various agencies, governments, 
insurers are so onerous and so expensive that if you took just 
20 percent of that away, there would be a lot of money left 
over to work with information systems.
    Mr. Becerra. OK. Let me provide, if I may, a couple of 
other questions that I hope can be responded to quickly. I know 
I do not have much time.
    Mr. Sloane, you mentioned that access to information on 
this data base that you have is limited to level of user, or I 
guess you mentioned different levels, the user levels and so 
forth. What gives you access? At what point does someone at the 
hospital or this provider have access to this type of 
information on this data base?
    Mr. Sloane. Well, each user in the system is set up with a 
user profile. Typically, depending upon the type of position 
they have, whether or not they are a physician, a physician's 
assistant, a nurse practitioner, a file room clerk, or a 
medical assistant, we can restrict access to certain pieces of 
the information when we set up their profile. So that within 
each window of the application that you saw, we can set up 
every user to have either inquiry, add, update or delete 
capability, or no access to it. So it really is determined by 
the medical group, on a need-to-know basis, what level of 
information a particular user should have access to.
    Mr. Becerra. So the data entry person--I think Dr. 
Borowitz' high school students had entered data--how do you 
restrict access to information if you could have a data entry 
person be almost anyone?
    Mr. Sloane. In our circumstance we have data entry people 
who input information off the encounter tickets. They have 
absolutely no access to the clinical information system at all. 
There is not a need to have it, so they do not. They just 
cannot get into the system. Their user ID and password do not 
allow them access to the clinical information.
    Mr. Becerra. One final question, if I may, to anyone on the 
panel. As I asked Dr. Detmer, How do you protect that 
ultrasensitive information, the person who has AIDS or the 
person who has a mental history? How do you protect that, and 
how do you resolve the dilemma for the person who has had the 
information disclosed?
    Ms. Goldman. Well, I think one of the things Congress is 
trying to do is to create a standard of protection that allows 
people to get notice about information practices and make real 
choices so people can decide what is the most sensitive kind of 
information for them.
    Some people would consider cancer-related information or 
mental health, genetic tests, HIV-related. Everyone has, I 
think, a different experience, depending upon the encounter, as 
to how much they want to protect it. So I think we can build 
some flexibility into a Federal policy that allows people to 
make those choices with their physicians, with their health 
care providers.
    And the remedy piece of it, which I think you are asking 
about, is a very important part. We have seen some of the 
failure of the existing privacy laws related directly to lack 
of strong enforcement mechanisms or lack of strong remedies. 
Right now the CVS or Giant story may be anecdotal for people 
who felt violated by that and felt it was an inappropriate 
disclosure. There are very few remedies available to them.
    Dr. Birge. I would just add that certainly it is more of a 
political call, I am sure, but as far as the doctor in the 
trenches is concerned, that doctor wants all the information 
that is available at that time, regardless of sensitivity, so 
the trick is how to do that. And I would again toss out the 
example you have heard, on the one side the privacy issue which 
is very, very important, but on the other hand you could have 
extremely adverse outcomes all the way up to death simply 
because you did not know something that you should have known, 
and the family is going to be very upset at that unfortunate 
outcome.
    Mr. Becerra. Thank you. Thank you, Mr. Chairman.
    Chairman Thomas. Of course, our ongoing concern is that we 
do collect that data, and it just seems to me we fought the 
battle on preventive care and finally won by spending the 
money.
    Maybe we talk about rewarding those who provide us data in 
the usable form to move toward that outcome. They get rewarded 
in some way in the system, and those that do not, do not, which 
would get us the base level of data out there faster than would 
otherwise be the case.
    What I find is a bit of an anomaly. You walk into a 
doctor's office and behind you are these shelves of individual 
manila folders with patient histories, but if you give them 
your credit card, they go to a computer and the billing is all 
computerized. It is the mental set of not computerizing the 
records because they have the hardware in the office. Perhaps 
we need to push software development.
    But, clearly, if there was a reward for putting it in a 
particular form, I imagine the private sector software would be 
out there quickly, or some entrepreneurial doctor like Dr. 
Borowitz will have something on the market that has already 
been pretested at the University of Virginia.
    But I want to thank all of you very much. This is an 
important area, and we are going to continue to rely on you to 
assist us. We do not want to legislate by anecdote and do not 
want to make mistakes that have to be corrected, but it is an 
area we will have to move in fairly quickly.
    Thank you very much.
    I would call today's final panel, then: Dr. Sherine 
Gabriel, associate professor of medicine and epidemiology at 
the Mayo Clinic, Rochester, Minnesota; and Dr. Harry A. Guess, 
who is head of the epidemiology department of the Merck 
Research Laboratories.
    I would indicate to both of you that any written statement 
you have will be made a part of the record, and you can address 
us as you see fit, in any way you choose.
    As soon as we move this cutting-edge technology stuff out 
of the way, Dr. Gabriel, you may begin.

    STATEMENT OF SHERINE E. GABRIEL, M.D., M.SC., ASSOCIATE 
     PROFESSOR OF MEDICINE AND EPIDEMIOLOGY, MAYO CLINIC,  
                     ROCHESTER,  MINNESOTA

    Dr. Gabriel. Thank you. Chairman Thomas, Members of----
    Chairman Thomas. I will also indicate to you, Dr. Gabriel, 
that the microphone is very unidirectional. You will have to 
pull it down and speak directly into it.
    Dr. Gabriel. Is this better?
    Chairman Thomas and Members of the Subcommittee, I am Dr. 
Sherine Gabriel, a physician and researcher at Mayo Clinic. I 
thank you for the opportunity to testify before you regarding 
the important issue of medical records confidentiality.
    What I would like to do today is address two fundamental 
questions bearing on this issue. The first is, What is the 
importance of medical-records-based research to the public; and 
the second is, What is the impact of legislation which 
restricts access to medical records on this category of 
research?
    I am privileged to work at a world-renowned medical 
institution. The Mayo Clinic's international reputation as a 
center of excellence in medicine and surgery grew out of the 
commitment of our founders, Drs. Will and Charlie Mayo, to 
integrate medical research and education with clinical 
practice. The Mayo brothers perceived a duty to use information 
from medical records to evaluate the outcomes of their care and 
to answer important public health questions and, in 1907, 
pioneered the concept of the unit medical record, where medical 
data on each patient is stored in one self-contained packet 
that is kept in perpetuity.
    As you heard earlier from Dr. Borowitz, that is not the 
case virtually everywhere else in the country, where each 
provider keeps his or her own personal records about a 
particular patient.
    This concept led to the formation of REP, the Rochester 
Epidemiology Project. The REP includes a complete medical 
history of nearly all Olmsted County residents from the time 
they were born or moved to the county until the time they died 
or moved away.
    The REP is a unique, national research treasury which has 
been continuously funded by the National Institutes of Health 
for over 30 years. It has resulted in more than 1,000 
scientific publications analyzing dozens of diseases and 
medical conditions. The central element of the REP is access to 
the complete medical records of all residents in the 
geographically defined population.
    Medical records research is vital to maintaining and 
improving the health of the American public. In fact, virtually 
every health hazard we know of today has been identified using 
information from medical records. Take AIDS, for example. If 
researchers had not been allowed to study the medical records 
of patients with unusual immune deficiency problems in the late 
seventies, the characterization of the AIDS epidemic would have 
been delayed at a substantial cost to the public's health.
    Similarly, the characterization of Lyme disease required 
collation of information from the medical records of children 
who were first presented with this new disease in Lyme, 
Connecticut.
    Other examples include studies examining the benefits and 
risks of estrogen treatment, as well as the risks of smoking, 
dietary fats, obesity, and certain occupations.
    You may have read than an outbreak of flesh-eating strep 
was identified at Mayo in 1995. Without access to the medical 
records of patients with these unusual infections, 
characterization of this syndrome and isolation of this deadly 
bacterial strain would have been delayed, and over 100 
schoolchildren, which our research showed were the unwitting 
carriers of this deadly germ in their throats, would have gone 
untreated.
    This discovery lead to the designation of invasive strep as 
a reportable disease. Such a designation permits recognition 
and control of epidemics such as the recent outbreak you may 
have heard about in Texas.
    Medical records research is also critical for evaluating 
the long-term side effects of drugs, the safety of medical 
devices or procedures, the cost effectiveness of alternative 
medical practices, and the usefulness of diagnostic tests. Let 
me give you an example or two in these categories.
    Long-term side effects. Nonsteroidal anti-inflammatory 
drugs, like Advil or Naprosyn, were on the market for decades 
before medical records research determined these drugs were 
associated with a higher risk of death due to peptic ulcer 
disease, particularly in the elderly. This work led to the 
development of a new class of nonsteroidal anti-inflammatory 
drugs, soon to be released, which promise a much lower risk of 
these side effects.
    Clinical information for medical records is critical to 
studies on the safety of medical devices or procedures. For 
example, studies examining the risk of breast implants.
    The cost effectiveness of alternative medical practices 
could not be established without clinical information from 
medical records. For example, it was medical-records-based 
research which determined that a 3-day course of in-hospital 
bed rest for people with acute low-back pain was just as 
effective and far less costly as the standard of care at that 
time of about a 10-day hospital stay.
    Finally, it was medical-records-based research at Mayo that 
led to the discovery of the serious side effects of the diet 
drug Fen-Phen and its eventual removal from the market.
    Every medical advance I have mentioned in the last few 
minutes relied heavily on information from patients' medical 
records. Without access to this rich source of clinical 
information, many of these advances and countless others would 
not have occurred.
    Let me turn quickly to my second question, What is the----
    Chairman Thomas. The light is a guide, Doctor, it is not an 
absolute necessity.
    Dr. Gabriel. Good. In scientific podiums, there is actually 
a trap door; and so when the red light goes on, the trap door 
opens.
    Chairman Thomas. We have one, too. Sit comfortably for a 
moment.
    Dr. Gabriel. What is the impact of legislation which 
restricts access to medical records on this category of 
research?
    Legislative restrictions limiting access to medical records 
threaten the very existence of this entire category of medical 
research. This is because individuals who refuse to authorize 
the use of their medical records for research purposes are 
systematically different in important ways from individuals who 
do.
    The recent Minnesota privacy law provided us with the 
opportunity to study these differences using a protocol 
approved by our institutional review board. We found that women 
were more likely to refuse authorization than men; that persons 
under 60 were more likely to refuse than older individuals; and 
persons with certain underlying illnesses, such as mental 
disorders, breast cancer, or reproductive problems were also 
more likely to refuse authorization.
    That means that studies describing the outcomes of these 
diseases or the effectiveness or cost effectiveness of 
treatments excluding these individuals would be biased. They 
would simply give us the wrong answer. Moreover, studies 
focusing on these conditions--diseases of women, mental 
disorders, conditions related to reproduction--would be at even 
greater risk for incorrect results; and this, in turn, might 
hamper advances against these important problems.
    Finally, while our research was clear on the point that 
individuals who refuse authorization are systematically 
different from those who do not, the direction and magnitude of 
those differences varied from topic to topic. Whereas, you 
heard the overall average was 4 percent, it varied widely. So 
not only may such research results result in the wrong answers, 
but it will be impossible to determine at the outset how wrong 
they will be or in what direction. Thus, the reliability and 
validity of findings from such research will be suspect.
    Let me illustrate this problem using an example. A study of 
depression following breast cancer would underestimate the 
magnitude of the problem if depressed women systematically 
declined authorization and were thereby excluded. Individuals 
who experience unsatisfactory outcomes may also be more likely 
to refuse authorization. If so, a study of a surgical treatment 
with a high complication rate would underestimate the risks of 
surgery.
    Data such as these form the basis of health care policies, 
so the examples above could lead to a decision against funding 
a mental health program to treat depression in women with 
breast cancer and to a decision to adopt a high risk surgical 
intervention. Patients need accurate information about health 
risks, disease prognosis, and outcomes of care in order to make 
informed decisions.
    In closing, I would like to comment briefly on what I 
believe the reasons are behind the public's strong desire to 
keep medical information between the patient and his or her 
physician.
    Our research showed that a major concern related to the 
possibility that insurers or employers might use sensitive 
information to an individual's disadvantage. This concern is 
understandable. Although access to medical records for research 
purposes may be the only access over which the patient is given 
any choice, there are literally dozens of other opportunities 
for loss of confidentiality during routine medical care.
    For example, in an average outpatient medical encounter in 
an integrated health care center, such as ours, the following 
individuals and groups must have access to the complete medical 
record in order to best serve that patient's needs: the 
appointment office, the registration desk, the physicians, 
physician assistants, nurses, EKG, lab, x-ray technicians who 
perform the necessary tests, and so forth.
    In fact, for a typical inpatient encounter, it has been 
estimated that at least 75 health professionals and hospital 
personnel have access to the medical record. After all this is 
taken care of, a qualified nurse researcher, bound by the rules 
of an IRB and strict patient confidentiality regulations, could 
be abstracting clinical data from the medical record which will 
be combined with similar data from hundreds of other patients 
to answer a specific public health question. The current 
Minnesota law and other proposed legislation influence only 
that nurse's access to the medical records and have no impact 
whatsoever on the 75 other points of access.
    Mr. Chairman, such legislation does not ensure the privacy 
of personal medical information. It does not address the 
public's concerns regarding potential misuse of personal health 
information by insurers and employers. Instead, it hinders 
scientific research and puts the public's health and well-being 
at risk for serious harm.
    Thank you for your attention.
    [The prepared statement follows:]

Statement of Sherine E. Gabriel, M.D., M.SC., Associate Professor of 
Medicine and Epidemiology, Mayo Clinic, Rochester, Minnesota

    Chairman Thomas, members of the committee, I am Dr. Sherine 
Gabriel, a physician and researcher at Mayo Clinic. Thank you 
for the opportunity to testify before you regarding the 
important issue of medical records confidentiality.
    Today, I would like to discuss two fundamental questions 
bearing on this issue. The first is: What is the importance of 
medical records-based research to the public? And the second 
is: What is the impact of legislation, which restricts access 
to medical records, on this category of research?
    I am privileged to work at a world-renowned medical 
institution. Mayo Clinic's international reputation as a center 
of excellence in medicine and surgery grew out of the 
commitment of our founders, Drs. Will and Charlie Mayo to 
integrate medical research and education with clinical 
practice. The Mayo brothers perceived a duty to use information 
from medical records to evaluate the outcomes of their care and 
to answer important public health questions and, in 1907, 
pioneered the concept of the ``unit medical record'' where 
medical data on each patient is stored in one self-contained 
packet that is kept in perpetuity. This concept led to the 
formation of the Rochester Epidemiology Project (REP) (See 
Appendix). The REP includes a complete medical history of 
virtually all Olmsted County residents from the time they where 
born or moved to the county until the time they died or moved 
away. The REP is a unique, national research resource, which 
has been continuously funded by the National Institutes of 
Health for over 3 decades. It has resulted in over 1000 
scientific publications analyzing dozens of diseases and 
medical conditions, and was ranked in the top 1% of all NIH 
proposals in 1995. The central element of the REP is access to 
the complete medical records of all residents of a 
geographically-defined population.
    Medical records research is vital to maintaining and 
improving the health of the American public. In fact, virtually 
every health hazard that we know of today has been identified 
using information from medical records. Take AIDS, for example. 
If researchers had not been allowed to study the medical 
records of patients with unusual immune deficiency problems in 
the late 1970's, the characterization of the AIDS epidemic 
would have been delayed at a substantial cost to the public's 
health. Similarly, the characterization of Lyme disease 
required collation of information from the medical records of 
the children who first presented with this new disease in Lyme, 
Connecticut. Other examples include studies examining the 
benefits and risks of estrogen treatment, as well as the health 
risks of smoking, dietary fats, obesity, and certain 
occupations. You may have read that an outbreak of 'flesh 
eating strep' was identified at Mayo in 1995. Without access to 
the medical records of patients with these unusual infections, 
characterization of this syndrome and isolation of this deadly 
bacterial strain would have been delayed. And over one hundred 
school children--which our research showed were the unwitting 
carriers of this deadly germ in their throats--would have gone 
untreated. This discovery led to the designation of invasive 
strep as a reportable disease. Such a designation permits 
earlier recognition and control of epidemics such as the recent 
outbreak in Texas.
    Medical records research is also critical for evaluating 
the long-term side effects of drugs, the safety of medical 
devices or procedures, the cost effectiveness of alternative 
medical practices, and the usefulness of diagnostic tests. Let 
me give you an example or two in each of these categories. 
Long-term drug side effects: Non-steroidal anti-inflammatory 
drugs (those are drugs like Advil or Naprosyn) were on the 
market for decades before medical records-based research 
determined that these drugs were associated with higher risk of 
death due to peptic ulcer disease, especially in the elderly. 
This work has led to the development of a new class of non-
steroidal anti-inflammatory drugs (soon to be released) which 
promise a much lower risk of these side effects. Clinical 
information from medical records is critical to studies on the 
safety of medical devices or procedures, for example, studies 
examining the risks of breast implants. The cost effectiveness 
of alternative medical practices could not be established 
without clinical information from medical records. For example, 
it was medical records-based research which determined that a 
3-day course of in-hospital bedrest for acute low back pain was 
just as effective and far less costly as the standard of care 
at that time--a 10-day in-hospital course. Finally, it was 
medical records-based research at Mayo that led to the 
discovery of the serious side effects of the diet drug Fen-Phen 
and its eventual removal from the market.
    Every medical advance I have mentioned in the last few 
minutes has relied heavily on information from patients' 
medical records. Without access to this rich source of clinical 
information, many of these advances would not have occurred.
    I'd like to turn now to the second question: What is the 
impact of legislation which restricts access to medical records 
on this category of research? Legislative restrictions limiting 
access to medical records threaten the very existence of this 
entire category of medical research. This is because 
individuals who refuse to authorize the use of their medical 
records for research purposes are systematically different in 
important ways from individuals who do. The recent MN privacy 
law provided us with the opportunity to study these differences 
using a protocol approved by our Institutional Review Board 
(IRB). We found that women were more likely to refuse 
authorization than men, that persons under 60 were more likely 
to refuse than older individuals, and that persons with certain 
underlying illnesses such as mental disorders, breast cancer, 
and reproductive problems, were also more likely to refuse 
authorization. Studies describing the outcomes of diseases, or 
the effectiveness or cost-effectiveness of treatments which 
exclude such individuals, would be biased--they would give us 
the wrong answer. Moreover, studies focusing on these 
conditions, i.e., diseases of women, mental disorders, and 
conditions related to reproduction would be at greater risk for 
incorrect results and this, in turn, might hamper advances 
against these important problems. Finally, while our research 
was clear on the point that individuals who refuse 
authorization are systematically different from those who do 
not refuse, the direction and magnitude of those differences 
varied from topic to topic and, thus, are completely 
unpredictable. So not only may such research result in the 
wrong answers, but it will be impossible to determine how wrong 
they are, or in what direction. Thus, the reliability and 
validity of findings from such research will be suspect.
    Let me illustrate this problem using a couple of examples. 
A study of depression following breast cancer would 
underestimate the magnitude of this problem if depressed women 
systematically decline authorization and were thereby excluded. 
Individuals who experience unsatisfactory outcomes may also be 
more likely to refuse authorization. If so, a study of a 
surgical treatment with a high complication rate would 
underestimate the risks of surgery. Data such as these form the 
basis of health care policies. So, the examples above could 
lead to a decision against funding a mental health program to 
treat depression in women with breast cancer and to a decision 
to adopt a high risk surgical treatment.
    Patients need accurate information about health risks, 
disease prognosis, and outcomes of care in order to make 
informed decisions about their own medical care. Health care 
policy makers need high quality data on the costs and outcomes 
of care provided to all patients (not just a select group) in 
order to make responsible health care decisions for the 
population as a whole. The inclusion of all qualifying 
individuals is the only way to assure that accurate conclusions 
are drawn about the prognosis of disease, the outcomes of 
therapy, or the quality of care. Such research can be done 
while taking appropriate measures for maintaining patient 
confidentiality, such as careful review and oversight by 
Institutional Review Boards and strict adherence to procedures 
restricting access to patient-specific medical information.
    In closing, I would like to comment briefly on the reasons 
behind the public's strong desire to keep personal medical 
information between the patient and his/her physician. Our 
research showed that a major concern related to the possibility 
that insurers or employers might use sensitive medical 
information to an individual's disadvantage. I understand this 
concern. Although access to medical records for research 
purposes may be the only access over which the patient is given 
any choice, there are dozens of other opportunities for loss of 
confidentiality during routine clinical care. For example, in 
an average outpatient medical encounter in an integrated 
medical center such as ours, the following individuals and 
groups must have access to a patient's complete medical record 
in order to best serve that patient's needs: the appointment 
office, the registration desk, all physicians, physician 
assistants, and nurses who provide care for the patient, as 
well as their receptionists and secretaries, all laboratory, 
medical, nursing and other students and their mentors, EKG, and 
x-ray technicians who perform the necessary tests, infection 
control officers who regularly survey medical records for 
reportable diseases, continuous improvement officers who strive 
to improve our health care processes and ensure patient 
satisfaction, the business office for billing, the legal 
department, and insurers and other third party payers. In fact, 
for a typical inpatient encounter, it has been estimated that 
at least 75 health professionals and hospital personnel have 
access to a patient medical record.1 After all this is taken 
care of, a qualified nurse researcher, bound by rules of an IRB 
and strict patient confidentiality regulations, could be 
abstracting clinical data from the medical record which will be 
combined with similar data from hundreds of other patients to 
answer a specific public health question. The current Minnesota 
law and other proposed legislation influence only that nurse's 
access to the medical record and have no impact, whatsoever, on 
any of the other points of access. Mr. Chairman, such 
legislation does not ensure privacy of personal medical 
information and does not address the public's concerns 
regarding potential misuse of personal health information by 
insurers and employers. Instead, it hinders scientific research 
and puts the public's health and well-being at risk for serious 
harm. Your attention should be focused instead on stopping the 
actual abuses of medical record information that harms 
patients.
    Thank you for your attention.
      

                                

    Chairman Thomas. Thank you very much, Dr. Gabriel.
    Dr. Guess.

 STATEMENT OF HARRY A. GUESS, M.D., PH.D., HEAD, EPIDEMIOLOGY 
      DEPARTMENT, MERCK RESEARCH LABORATORIES, BLUE BELL, 
   PENNSYLVANIA; ON BEHALF OF MERCK & CO., INC., WHITEHOUSE 
                      STATION, NEW JERSEY

    Dr. Guess. Mr. Chairman and Members of the Subcommittee, 
thank you for the opportunity to speak with you today on the 
important issue of protecting the confidentiality of the 
patient medical record. I am Harry Guess, pediatrician, 
epidemiologist, and head of the epidemiology department at 
Merck Research Labs, a division of Merck and Co., a global, 
research-based pharmaceutical company.
    As a physician, I took an oath to protect patients' 
confidentiality, and we at Merck support the efforts to protect 
the confidentiality of patient-identifiable medical 
information. At the same time, care must be taken not to 
inadvertently harm the interests of patients by unnecessarily 
restricting the access of medical information for medical 
research.
    As you consider the confidential standards for medical 
information, I hope you will appreciate how essential medical 
information and medical records research are to maintaining and 
improving the health of the American people. To ensure that any 
legislation or regulations do not jeopardize biomedical 
research, we believe the following four guides should be 
followed:
    First, legislation should exempt clinical research that is 
already subject to regulation by FDA, the Food and Drug 
Administration. This type of research is already stringently 
regulated by FDA, and there is strong confidentiality 
protection for subjects in such research studies.
    Second, that legislation would not restrict the use of 
encrypted or anonymized data. The use of these coded records is 
critical to medical research and allows, for example, 
researchers to link encrypted information from several 
different sources, while ensuring the patients themselves 
remain unidentified.
    Third, the legislation should not discourage collecting and 
maintaining information necessary to monitor the safety and 
effectiveness of products that had been approved by the FDA or 
by foreign regulatory agencies.
    Finally, any national standards should preempt conflicting 
or inconsistent State laws concerning confidentiality. To allow 
States to add more stringent provisions would risk creating an 
inconsistent patchwork of requirements that could jeopardize 
biomedical research. You have already heard about that this 
morning, very eloquently, from Dr. Gabriel.
    Let me give you one example of how regulation of medical 
information could inadvertently impede the conduct of research 
that is important to ensuring the safety of medicines.
    In 1995 Merck received FDA approval of our chicken pox 
vaccine. Despite decades of testing in thousands of children, 
you never really can be sure of what rare yet important safety 
issues can be found once a medicine or a vaccine is 
incorporated into broad clinical use. To provide this level of 
reassurance, we undertook a study in more than 85,000 children 
to provide further information on the safety of the vaccine 
under conditions of clinical practice. We conducted the study 
with pediatricians at the Kaiser Permanente Medical Care 
Program of Northern California.
    The children received the vaccine, with parental consent, 
as part of their regular medical care. A computer-based search 
was performed of the medical records of the children receiving 
the vaccine and of a historical age-matched comparison group of 
children who had not received the vaccine. The information we 
received was encrypted so that Merck did not have any patient-
identifiable data. The only people with patient-identifiable 
data were the pediatricians and their staff at Kaiser.
    This study provided valuable reassurance about vaccine 
safety under conditions of broad use in clinical practice and 
might have been impossible to conduct if it had been required 
to obtain specific informed consent for the medical records 
search from all of the parents of the vaccinated children and 
from the historical comparison group.
    This is just one of many examples of medical records 
research benefiting public health in a way that safeguards the 
patient-identifiable information.
    I thank you once again for the opportunity to express our 
views on this important topic. We at Merck believe that the 
confidentiality of patient-identifiable medical information 
should be protected. We also believe this can be accomplished 
without jeopardizing either biomedical research or the 
improvements in health care resulting from the research.
    Thank you very much.
    [The prepared statement follows:]

Statement of Harry A. Guess, M.D., Ph.D. Head, Epidemiology Department, 
Merck Research Laboratories, Blue Bell, Pennsylvania; On Behalf of 
Merck & Co., Inc., Whitehouse Station, New Jersey

                            I. Introduction

    Mr. Chairman, and distinguished members of the Committee, 
thank you for the opportunity to speak before you today on the 
important issue of protecting the confidentiality of patient 
medical information. I am Dr. Harry Guess, and I lead the 
Epidemiology department of Merck Research Laboratories, a 
division of Merck & Co., Inc. Headquartered in Whitehouse 
Station, New Jersey, Merck is a global, research-driven 
pharmaceutical company that discovers, develops, manufactures 
and markets a broad range of human and animal health products--
both directly and through its joint ventures--and provides 
pharmaceutical benefit services through Merck-Medco Managed 
Care.
    The Epidemiology department at Merck is responsible for 
providing information on diseases to support clinical trials of 
new drugs or vaccines, and for conducting studies to help 
evaluate the safety of drugs and vaccines after approval. This 
work frequently involves collaboration with health care 
providers to study the safety of drugs and vaccines as they are 
used in clinical practice. I have also served as an external 
reviewer of research proposals submitted by managed care 
organizations to the US Food and Drug Administration (FDA) and 
the Centers for Disease Control (CDC) to conduct government-
funded studies of drug and vaccine safety. I am also an Adjunct 
Professor of Epidemiology and Biostatistics at the School of 
Public Health at the University of North Carolina at Chapel 
Hill, where I teach epidemiology to graduate students.
    The purpose of my testimony today is to describe for you 
how important access to and the use of patient medical 
information are to medical research. I will (1) describe for 
you the manner in which we conduct various types of clinical 
and epidemiological research at Merck and monitor the safety of 
our marketed products, (2) talk about the types of medical 
information that we use to conduct that research, and (3) 
outline some general principles regarding patient 
confidentiality that we think are key to appropriate 
legislation in this area.
    Let me begin by emphasizing that we at Merck support 
efforts to protect the confidentiality of patient-identifiable 
medical information, particularly in light of developments in 
the area of information technology that have raised questions 
about levels of individual privacy. All of us are patients 
ourselves and we certainly recognize the need for protection of 
privacy. However, from a public health standpoint, we are 
concerned about simultaneously preserving necessary access to 
such data for research into new medicines that can cure or 
prevent disease. In protecting patients' privacy interests, we 
must be careful not to inadvertently harm the interests of 
individual patients by unnecessarily restricting access to 
information needed to determine the safety and effectiveness of 
medical treatments, assess the usefulness of diagnostic tests, 
identify disease risk factors, and monitor the cost-
effectiveness of new interventions. Such research is needed to 
continue to be able to provide the American people with health 
care that meets high standards of safety, effectiveness, and 
cost-effectiveness. The key to an appropriate legislative 
solution is to recognize and protect all of those interests.
    Innovations in medicine are revolutionizing health care 
research, as the molecular basis of human disease is revealed. 
In the past 50 years, medical science has rid the world of 
smallpox; drastically reduced the incidence of many childhood 
diseases such as diphtheria, tetanus, polio, measles, whooping 
cough, and rheumatic fever; and discovered highly effective 
treatments for many chronic diseases such as asthma, peptic 
ulcer disease, coronary heart disease, hypertension, diabetes, 
and osteoporosis. When I trained in Pediatrics nearly twenty 
years ago, Haemophilus influenzae type b was the most common 
form of bacterial meningitis among children in the United 
States, affecting nearly one in every two hundred children. 
Over the past ten years, the incidence of this devastating 
disease has been reduced nationwide by more than 95% by the 
introduction of vaccines.
    Given this track record of achievement, the public has come 
to expect a steady stream of innovations in treatment and 
prevention from the research-based pharmaceutical and 
biotechnology industries. In fact, our domestic research-based 
companies now discover and develop more than half of the new 
medicines used in the United States and around the world. 
Merck, for example, has introduced nine important medicines in 
just the last three years, including CRIXIVAN for 
HIV/AIDS, FOSAMAX for osteoporosis, and 
SINGULAIR for asthma in patients as young as six 
years old, and we are now conducting the research necessary to 
develop new medicines and vaccines to help patients around the 
world. Our investment in research will also allow us to enter 
nine new therapeutic areas by the year 2002, raising our total 
to 24--the broadest in the industry.
    Continued progress of this magnitude clearly depends on 
broad, multi-faceted research. This includes both basic 
research in chemistry, molecular biology, genetics, and 
pharmacology, which allows us to understand disease processes 
and identify the right compounds to combat the disease, and 
clinical research to evaluate the safety and efficacy of 
potential new medicines and vaccines. Finally, large-scale 
epidemiologic and health services research studies are needed 
to help us design new clinical trials and to monitor how well 
treatments work in clinical practice. For example, 
epidemiologic research helped show us that while aspirin can 
reduce the risk of heart attacks in adults, it can cause a 
serious life-threatening illness called Reye's syndrome when 
administered to children with chickenpox or influenza. Reye's 
syndrome has been almost completely eliminated as a result of 
this discovery.
    With that general background in mind, we would like to 
propose the following four principles, to help guide 
legislation on confidentiality of medical information. I will 
first outline the principles, then discuss the types and use of 
patient information used in medical research and safety 
monitoring, and finally discuss each of the principles in more 
detail.
    (1) Clinical research that is subject to regulation by the 
Food and Drug Administration should be exempted from any new 
confidentiality requirements because this research is already 
subject to strict confidentiality protections;
    (2) Only information that directly identifies an individual 
should be subject to confidentiality requirements; use of 
anonymized, encrypted or encoded data should be excluded from 
restrictions on access;
    (3) Legislation should not inhibit the collection and 
maintenance of information to monitor or verify the safety and 
efficacy of approved products; and
    (4) There must be uniform national standards that preempt 
conflicting or inconsistent state laws.

     II. Background--Different Types of Patient Medical Information

    Before I describe the various ways or settings in which 
pharmaceutical researchers use patient medical information, I 
think it would be useful to explain the three different types 
of patient information that we use. First, and most pertinent 
to our discussion of confidentiality, is information that 
directly identifies individuals, by providing a name or 
address, for example. For purposes of our discussion today, 
I'll refer to this type of information as ``patient-
identifiable'' information.
    The second type of information is referred to as 
``encoded'' or ``encrypted'' information. In my testimony 
today, I will use the term ``encrypted.'' This type of 
information is patient-identifiable information from which 
personal identifiers and means of directly contacting the 
individual (such as name, address, and social security number) 
have been replaced with a code, which is often in the form of a 
long number. The identity of such an individual is not apparent 
from the information itself or from the code, but may be 
determined by use of the encryption key. Encryption keys have 
two important functions. One is to permit the keyholder to 
identify the patient in the event that this becomes necessary--
for example if a safety problem is discovered that requires 
notifying the patient. The second function is to be able to 
``link'' one data set with another data set on the same 
patients without having to reveal patient identities. For 
example, a study may provide information on a group of patients 
who receive medical evaluations at yearly intervals. By linking 
together all of the visits on each patient, one may evaluate 
changes in medical conditions over time without having to 
reveal any patient-identifying information. One may also link 
encrypted information from pharmacy files to encrypted 
information from hospitalization records in such a way as to 
study the safety and effectiveness of drugs in very large 
populations without revealing any patient-identifying 
information. Essentially all patient information used in the 
research that I do is in an encrypted format, and the linking 
mechanisms allow for information about an individual contained 
in two or more data sets to be combined without revealing the 
identity of any individuals.
    The third type of information I will refer to as 
``anonymized,'' which means information from which all personal 
identifiers have been removed, and/or information that has been 
aggregated in such a manner that the identities of individuals 
who are the subjects of the information cannot be identified 
under any circumstances. There would be no means to identify 
individuals, dis-aggregate or link this information to other 
data sets containing information about such individuals by use 
of a code or a key. Information that is anonymized in this 
fashion is generally much less useful for research than is 
encrypted data because it may lack the detail that is required 
for meaningful or sophisticated analyses. Also, with anonymized 
data it would never be possible for anyone to notify the 
subjects if a safety problem were discovered or if it became 
highly important to obtain additional information. 
Nevertheless, we do use such anonymized information in certain 
specific areas of research, which I will discuss in more detail 
below.
    It is important to keep the differences between these types 
of patient information in mind, because concerns about privacy 
are different with information that is encrypted or anonymized 
than they are with patient-identifiable information.

          III. Use of Medical Information--In Clinical Trials

    Now I would like to describe for you some of the ways in 
which pharmaceutical researchers use these different types of 
information, and how patients' confidentiality interests are 
protected. I would like to begin with a brief overview of the 
clinical drug development process, and the roles that FDA and 
Institutional Review Boards (IRBs) play in that process.
    Before testing any new drug in humans, a sponsor such as 
Merck must run a potential new drug candidate through 
comprehensive animal pharmacology and toxicology studies. With 
those and other pertinent data in hand, the sponsor files an 
Investigational New Drug application, or IND, with the FDA. The 
agency has a fixed period of time to evaluate the IND 
application and notify the sponsor if the agency judges the 
application not to be sufficient to justify undertaking human 
clinical trials. Upon completion of the FDA review of the IND, 
the sponsor begins the clinical study program.
    The clinical program is designed to demonstrate the 
investigational drug's safety and efficacy in treating, 
preventing or diagnosing a disease or condition in humans. It 
is the most time-consuming and resource-intensive segment of 
the drug development process, including third party clinical 
investigators, institutional review boards (IRB's), FDA 
regulation and involvement, and, in many cases, thousands of 
study subjects, or individual patients. Today the process is 
made even more complex because companies such as Merck 
generally seek approval of new drugs not only in the United 
States but in many foreign countries. Consequently, such trials 
are subject not only to FDA regulations but also to regulations 
by many foreign regulatory agencies. Safety reports must be 
filed with these agencies and different agencies may require 
differing types of studies to evaluate efficacy.
    While the design of clinical trials will vary from drug to 
drug and from disease state to disease state, there are some 
general similarities in their typical overall structure, or 
``phases'' of development. This phased approach allows 
researchers to build upon information and knowledge generated 
during the preceding phases as they broaden their study of the 
drug.
    ``Phase 1'' studies are designed primarily to assess the 
clinical safety of the drug in humans, and to determine whether 
the compound is sufficiently safe to be studied further in 
humans. These studies usually involve a limited number 
(approximately 20 to 80) normal healthy adults, who can be kept 
under close medical observation and monitoring for a short 
period of time.
    If the data generated during the Phase 1 studies are 
acceptable, the sponsor can begin ``Phase 2'' studies, which 
are intended to demonstrate (1) the drug's efficacy in treating 
the disease or condition in humans, and (2) common or short-
term adverse effects and risks that might be associated with 
the use of the drug. Phase 2 studies may also help establish 
the most appropriate dose of a drug. Such studies may involve 
up to several hundred patients, who are treated under 
conditions of close medical observation and monitoring.
    In ``Phase 3'' trials, the number of patients participating 
expands significantly (involving several hundred to several 
thousand subjects) in order to study the drug's use in 
conditions that more closely resemble those that would exist 
after approval. The study group should be adequately 
representative in order to allow the generalization of the 
results to the population at large. Depending on the disease or 
condition being studied, study subjects can generally be 
treated on an outpatient basis, and medical monitoring is 
usually less strict than during the earlier phases. Phase 3 
studies intended to provide the evidence of efficacy necessary 
for drug approval must typically meet four criteria: they 
should be (1) controlled (one group receives the 
investigational drug and another group receives either a 
placebo or an active drug known to be efficacious), (2) double-
blind (neither study subjects nor investigators know which 
patient is receiving which therapy), (3) randomized (study 
subjects randomly assigned to treatment groups), and (4) of 
sufficient size to provide a statistically sound test of 
efficacy.
    All of these clinical studies are subject to extensive FDA 
regulations, including protection of patient confidentiality 
and the requirement that an IRB approve the studies before they 
can be initiated. The IRB's primary function is to minimize 
risks to the subjects, and to assure that the subjects are 
adequately informed about the trial and their treatment. The 
regulations require that the IRB be sufficiently qualified 
through the experience and expertise of its members to promote 
and to safeguard the rights and welfare of study participants. 
The IRB has five members, each appointed by the institution 
involved, such as the hospital or academic institution at which 
the study is being conducted. Race, gender, cultural 
backgrounds, and sensitivity to community issues may be 
considered in appointing members. The IRB must include 
individuals with the necessary expertise and professional 
competence to review proposed research for compatibility with 
institutional commitments and regulations, applicable law, and 
standards of professional conduct and practice, and should 
include both women and men as members. Its members may not 
consist entirely of members of one profession. At least one 
member must have scientific expertise, usually a physician, and 
at least one member must have a primary interest in non-
scientific areas. One member must not be affiliated with the 
institution or have an immediate family member who is 
affiliated with the institution; that person is often a member 
of the clergy or other representative of the broader community.
    The IRB reviews the study protocol, and is authorized to 
require changes to the protocol if necessary. The IRB weighs 
the potential risks to the patients versus the potential 
benefits. To approve a research study, the IRB must determine 
that the study meets seven criteria specified in FDA 
regulations, including, ``where appropriate, [that] there are 
adequate provisions to protect the privacy of subjects and to 
maintain the confidentiality of data.''
    FDA regulations also require that no humans may be subjects 
in FDA-regulated research unless the investigator has obtained 
the ``legally effective informed consent of the subject or the 
subject's legally authorized representative.'' To obtain a 
subject's ``informed consent,'' the regulations specify that 
information regarding eight basic elements must be provided to 
the subject, and six additional elements should be discussed 
``when appropriate.'' One of the mandatory elements is a 
statement that describes the extent to which confidentiality of 
patient records will be maintained, and notes the possibility 
that the Food and Drug Administration may inspect the records, 
including patient-identifiable information. The regulations 
also require that the subject's informed consent be documented, 
using an IRB-approved written consent form signed by the 
subject or his or her legal representative. The IRB reviews the 
patient informed consent forms, and may require revisions to 
strengthen or clarify them if needed.
    The clinical investigator--the physician who is actually 
working with the study subjects--keeps patient-identifiable 
information for all of the study subjects, just as any treating 
physician would. This is critical to the investigator's ability 
to provide follow-up care to these patients, and to be able to 
contact them, if necessary, if some safety issue should arise. 
The study sponsor, such as Merck, receives only encrypted data 
from the investigator.
    Thus, in a clinical trial program, the study subjects have 
expressly consented to the researchers' use of their medical 
information. The IRB assures that there are adequate provisions 
in place to protect patients' confidentiality and the privacy 
of their data. We do not believe that there is any need to 
require any further protections in this area.
    You may hear some mention of the ``Common Rule'' in 
discussions about confidentiality in research projects, and I 
want to explain the connection between the Common Rule and the 
FDA regulations I talked about before. The Common Rule refers 
to the common standards for the protection of human subjects 
involved in research conducted, funded or regulated by 16 
federal agencies, including the Department of Health and Human 
Services (DHHS). Those standards were published as a final rule 
in the Federal Register on June 18, 1991. The FDA had 
previously adopted regulations on the protection of human 
subjects in research that it regulates, published at 21 CFR 
Parts 50 and 56. Those regulations were largely consistent with 
the principles embodied in the Common Rule. On June 18, 1991, 
the FDA published a final rule that modified its existing 
regulations to conform them with the Common Rule to the extent 
possible. There are some minor variations due to FDA's unique 
statutory mission under the federal Food, Drug & Cosmetic Act. 
However, because the DHHS has adopted the Common Rule as 
applicable to all research with human subjects that it 
regulates, funds or conducts, clinical research that is subject 
to FDA regulation is also subject to the Common Rule to the 
extent that the two are not inconsistent. Where the Common Rule 
and the FDA regulations differ, the FDA regulations would 
govern.

IV. Use of Medical Information in Epidemiological and Outcomes Research

    Generally, epidemiologists study populations to understand 
the extent, natural course and burden of disease. This 
information provides background for the safe and effective use 
of medicines. In contrast to clinical trials (which are 
experimental), an epidemiologic observational study tracks 
patients in the real world of clinical medicine. It is this 
science that is used to evaluate the risks and benefits of 
medications in large numbers of patients in a ``real world 
setting.'' Epidemiologic studies have had a major impact on the 
public's health in general, and on our understanding of the 
risks and benefits of medications, in particular. For example, 
these studies documented the relationship between aspirin and 
Reye's Syndrome in children, and the risk of vaginal cancer in 
daughters of women who took diethylstilbestrol (DES) while 
pregnant. They have also been instrumental in documenting risks 
and benefits of vaccines, oral contraceptives, and a number of 
other widely used medications. Clearly, epidemiologic studies 
are critical to the future of public health.
    One of Merck's sources of data includes information in the 
public domain. This type of data is encrypted by the agency or 
organization supplying the data, and can be obtained from 
regional, national and international claims-based and survey 
data. Examples include survey data from the National Center for 
Health Statistics, or Medicare data from the Health Care 
Finance Administration. Public-use data is provided in an 
anonymous or encrypted form in which the user is not able to 
identify individuals who participated in the survey or study. 
This information may be used to determine the prevalence of a 
disease, or incidence of a disease relative to that found among 
users of an approved drug. We are not alone in our use of these 
important databases--the CDC, the National Institutes of Health 
(NIH) and other government institutions utilize these 
registries to track public health statistics, identify disease 
trends, and assess the economic impact of new medical and 
surgical treatments.
    Although large public-use databases are extremely valuable, 
they do not provide all of the necessary information needed to 
make drugs available to patients. Therefore, additional studies 
which involve either direct contact with a patient or 
collection of encrypted medical information are necessary. 
These studies collect information on what kinds of patients are 
likely to develop the disease, how well existing treatments 
work, what the types and rates of complications are, what costs 
and medical care utilization are associated with the disease, 
and what the long-term consequences of the disease are. Such 
information is needed to design clinical trials necessary for 
drug or vaccine approval. We generally conduct such studies in 
collaboration with managed care organizations, universities, or 
federal agencies such as the NIH or CDC. We use the data from 
these sources in encrypted or anonymized aggregate form. Within 
this context, we cannot--nor would we have the desire or need 
to--identify an individual patient who has participated in 
these types of studies.
    The information collected in this manner provides 
background for new clinical trials and also supports drugs that 
have been approved for use. This type of research is different 
from a clinical trial because it involves analysis of data 
under conditions of ordinary clinical practice, which can be 
different from the conditions in a clinical trial. The 
additional risk to the patient in being involved in this type 
of data review is minimal, since we are studying the treatment 
and care provided by the patients' own physicians and the 
impact of that treatment on the disease or condition. In 
contrast to a clinical trial, researchers are not proposing any 
particular treatment, prescribing any medications or providing 
any medical care. Medical information regarding a medical 
condition or the patient's health status is obtained via 
medical record review under the direction of the treating 
clinic or facility, or by third party patient interviews. In 
either case, Merck receives only data that is encrypted or in 
anonymized aggregate form.
    In support of clinical trials, these data are used to:
     Determine how many patients should be included in 
a clinical trial in order to minimize patient risk while 
maximizing clinical trial results
     Provide background on the incidence or prevalence 
of a disease
     Provide information on current treatment practices
     Aidin determining the appropriate patient 
population to include in the trial
     Provide data on the usefulness of questionnaires 
to assess safety and quality of life
    In addition to supporting clinical trials, outcomes and 
epidemiology research is also used to
     Identify risk factors for developing a disease
     Determine the long-term outcome of a treatment on 
disease
     Identify patient populations who may not be 
receiving state of the art treatment or therapy
     Identify prognostic factors and risks of disease 
complications
     Determine the impact of a treatment on quality of 
life
     Assess utilization of resources and provide 
information on the economic benefits of a treatment
    The importance of using encrypted patient-level data may be 
demonstrated by several studies that have impacted the health 
of the public and aided in the development of important drugs. 
For example, in collaboration with the government of 
Saskatchewan, we used encrypted data on all of the one million 
residents of that Canadian province to evaluate the risk of 
rare adverse events associated with use of drugs to treat 
arthritis in very elderly patients. For the past nine years we 
have been collaborating with investigators from Mayo Clinic as 
well as from Japan and Europe to study the long-term course of 
prostate diseases in men. This study has contributed numerous 
publications to the medical literature and greatly increased 
medical knowledge.
    We are currently conducting an epidemiology study in 
conjunction with a university to determine the prevalence of 
low bone mineral density, a measure of osteoporosis, in nursing 
home residents. This study will also determine what factors 
predict hip fracture in these patients. Patients must undergo a 
bone scan and allow the researcher access to their medical 
records, but the information gained from studying the records 
of these patients may provide insight into ways we can enhance 
the quality of life of nursing home residents by preventing hip 
fractures. The university IRB has approved the study, and all 
subjects have provided informed consent. The university 
researchers conducting the study provide us only with encrypted 
or anonymized data.
    In another study, we used clinical trial data combined with 
data published in the literature to articulate the economic 
value of a treatment with CRIXIVAN, our protease 
inhibitor for the treatment of HIV/AIDS. The clinical trial 
data was from our original clinical trials conducted before FDA 
approval of the product, and all study subjects had given 
informed consent to the use of their medical information. We 
simply re-examined those data in conjunction with the 
additional published data to simulate the long-term progression 
of the disease. The purpose of the cost-effectiveness model is 
to assist healthcare providers, payors and other decision-
makers in determining health, reimbursement, and clinical 
policies. This model suggests that initiation of therapy with 
CRIXIVAN alone and in combination with AZT and 3TC 
before the first AIDS-defining illness increases survival at a 
cost that is generally accepted by current standards.

     V. Post-Approval Safety and Efficacy Monitoring and Reporting

    In its role as the federal agency charged with helping to 
ensure the public health and safety relating to the use of drug 
products, the FDA has established extensive regulations to 
monitor the safety of drugs, biologics, and medical devices. 
FDA regulations impose on pharmaceutical companies mandatory 
reporting requirements for adverse experiences associated with 
the use of drug products in humans. To meet their obligations 
under this regulatory scheme, manufacturers must have access to 
patient medical information. These regulations contain 
stringent reporting time deadlines and record-keeping 
requirements that apply to both investigational drugs and 
marketed products. The purpose of the adverse experience 
reporting regulations and procedures is to support the FDA's 
efforts to protect the public safety by providing the agency 
with information necessary to determine the safety profile of 
investigational and marketed drug products.
    The vitality of this safety reporting system is critical to 
identifying safety issues in use of marketed products that were 
not identified in investigational studies. The reporting system 
is used to evaluate the seriousness of potential health 
problems and to alert the agency and health care community to 
take appropriate corrective actions.
    Because of its limited resources, the FDA heavily relies on 
manufacturers to investigate reports of adverse experiences 
with their drug products. Manufacturers most often receive such 
reports directly from the treating physician for the patient 
involved. Sometimes patients themselves report their own 
adverse events. Whenever a manufacturer receives notice of an 
adverse experience associated with any of its products, the 
manufacturer is required to investigate the incident and to 
provide the information to the FDA. If additional information 
is not obtainable, a follow-up report is required to explain 
what steps were taken to obtain additional information relating 
to the adverse experience and why the information could not be 
obtained. The more detailed information that can be obtained 
about a particular adverse experience, the better informed the 
manufacturer, the FDA and the health care community can be 
about the safety profile of marketed products. By necessity, 
this requires knowledge about confidential medical record 
information. In fact, FDA's 1997 Guidance on adverse experience 
reporting specifies that before submitting any adverse 
experience reports to the FDA, a manufacturer must have four 
specific pieces of information, including ``an identifiable 
patient.'' This does not mean that the reporting physician must 
supply the manufacturer with the patient's name; the reporting 
physician can provide the manufacturer with encrypted 
information on a specific patient, as long as follow-up 
information can be obtained from the physician if necessary.
    The FDA has issued regulations to ensure that the 
identities of patients and those who report adverse experiences 
are held in strict confidence and are not disclosed by the FDA 
or by manufacturers who possess these reports. Manufacturers 
are required to encode patient identifying information before 
submitting reports to the FDA, but must maintain sufficient 
information to permit additional information to be obtained, if 
necessary, from the person who reported the event. Moreover, 
the identity of the adverse experience reporter, usually the 
patient's health care provider, must be deleted when reporting 
to the FDA. These privacy protections were instituted to enable 
the FDA to continue to collect information on safety risks 
associated with FDA-regulated products that is considered vital 
to protection of public health. In addition to the need to 
comply with FDA reporting requirements, Merck must also comply 
with the reporting requirements of foreign regulatory agencies. 
Typically an agency from a given country will want to be made 
aware of worldwide safety information on all products which are 
approved in that country. Because of this, Merck will often 
have to supply foreign regulatory agencies with information on 
adverse events occurring in patients in the United States. 
Foreign regulatory agencies also respect the need for patient 
confidentiality and hence do not require any patient-
identifiable information.
    Learning more about the safety profile of marketed products 
may not be limited to reports that meet the regulatory 
definition of adverse drug experiences but may also include 
additional information that may lead to a better understanding 
of certain aspects of a product's safety profile. Thus, for 
example, many drug and vaccine products are contraindicated for 
use in pregnant women because of a lack of clinical study 
information about the safety of the product for use in that 
patient population. Yet, manufacturers may choose voluntarily 
to collect and report to the FDA information about a drug 
product's use during pregnancy even though that use is not 
associated with an adverse experience. Information on use 
during pregnancy may be collected from health care 
professionals who report such use to drug manufacturers or the 
FDA. At Merck, we treat such information in the same manner as 
we treat information associated with adverse experience 
reports. The purpose of collecting and reporting this 
information is to enhance our knowledge about the overall 
safety profile of a product in pregnant women.

                     VI. Principles for Legislation

    As you consider confidentiality standards for medical 
information, I hope you will appreciate how vital medical 
information and records research is to maintaining and 
improving the health of the American public. Research on new 
medicines vitally depends upon patients' participation in 
clinical trials and researchers' access to their relevant 
medical information as well as to patient-level archival 
databases.
    In order to ensure that any new legislation, regulation or 
standards do not jeopardize biomedical research, we believe 
that the following four guides should be followed.
    First, clinical research subject to regulation by the Food 
and Drug Administration should be exempt from any new or 
additional requirements. This is because, as explained above, 
this type of research and use of information is already 
stringently regulated by the FDA through application of the 
Common Rule, which, in turn, provides strong confidentiality 
protection to the subjects of clinical trial research.
    Second, access to and use of anonymized or encrypted data 
should be excluded from any new requirements or restrictions 
applicable to information that identifies patients. Only data 
sources or collections of samples that directly identify 
individuals should be subject to confidentiality protections, 
since information that does not identify an individual cannot 
violate one's confidentiality interest. In addition, the code 
numbers should be permitted to be used for the purpose of 
linking to additional information about subjects in a database 
without triggering unnecessary or burdensome requirements, so 
long as the subjects remain unidentified.
    Third, legislation should acknowledge and encourage the 
collection and maintenance of information to verify or monitor 
the safety and efficacy of products that have been approved by 
the FDA or international regulatory authorities.
    And finally, uniform national standards that preempt 
conflicting or inconsistent State laws concerning 
confidentiality are necessary. Individual states should not be 
able to add to or detract from federal rules in this area that 
is so critical to improving the public health through research 
yielding better medicines. To allow states to add more 
stringent provisions would risk creating an inconsistent 
patchwork of requirements that will at best confuse and at 
worst seriously jeopardize biomedical research projects. 
Researchers whose primary concern should be quality and 
integrity of study design and execution should not also be 
faced with the additional complexities of satisfying 
inconsistent state requirements for research that crosses state 
lines.

                            VII. Conclusion

    I thank you once again for the opportunity to express our 
views on this important topic. We at Merck believe that the 
confidentiality interests of patients in their medical 
information can and should be protected. We also believe that 
this can be accomplished in a way that does not jeopardize 
biomedical research and the quality and improvements in 
healthcare that result from that research.

                                

    Chairman Thomas. Dr. Gabriel, I guess for most of us, if 
you say health in Minnesota, you think of the Mayo Clinic. My 
concern was, how did Minnesota wind up passing a law which 
probably wounded significantly one of its cash cows from a pure 
mercenary point of view? Did you work with the legislature 
prior to the passage of the law? Was there a relatively high 
level of understanding among the legislators of the 
consequences of their decision?
    Dr. Gabriel. I cannot speak directly to that because I was 
not involved, but I know that some of my colleagues were 
involved, and the extent to which there was a complete 
understanding of the consequences, I guess I cannot speak to 
that.
    Chairman Thomas. Has there been a followup with the 
Minnesota legislature after the passage of the law so that they 
could understand the consequences?
    Dr. Gabriel. Yes, the law has recently been amended. When 
the law was first put into place, as you may know, it required 
us to put in place a very complicated and costly computerized 
system, which you alluded to earlier.
    Chairman Thomas. And you chose to do it because you thought 
it was important.
    Dr. Gabriel. We chose to be in full compliance. And that is 
no longer required. That level of compliance is no longer 
required, according to the amendment.
    Chairman Thomas. And according to your testimony, and this 
is one of my concerns, again operating, if in fact we do, on an 
anecdotal basis or an incomplete understanding of what we are 
doing, Minnesota apparently created the system that plugged one 
leak that may or may not have been a leak of the information 
source by dealing with the nurses but left open myriad areas of 
leakage, which, in fact, if an investigation were carried out, 
were probably the primary sources of leaks, if leaks occurred. 
Is that a relatively accurate statement?
    Dr. Gabriel. That is my impression. Any legislation that 
focuses strictly on research access would do exactly the same 
thing. I listed in my written testimony not all 75 but 
certainly all of the other points of access where leakage could 
occur.
    I think the main concern is that legislation should address 
the concerns of the patients. And from our research, which we 
did on our local population, the main concern of the patient is 
not that a nurse abstracter will collect information and remove 
identifiers and lead to a published study. The main concerns 
are the issues of discrimination, that were brought up before, 
and the misuse of information by employers and insurers.
    Chairman Thomas. Dr. Guess, I can understand the narrow 
focus of your testimony in terms of Merck carrying out research 
and wanting us to stay away from FDA and the rest, but your 
example of Kaiser providing you with a research component, that 
was real-world and actually off of ordinarily collected data, 
which indicates to me that what we maybe need to focus on is 
not ``what'' but ``who and why.'' If we can get the ``who and 
why'' right, then the ``what'' is less of a concern, except 
when you go to the patient-identifiable data level, which is of 
great concern.
    I am talking more about your area of research and the 
encrypting. I am not so wild about building barriers between 
FDA and HHS in terms of collecting data. I know you are, and 
you have to go it based upon who you are here for, but I am 
more interested in getting it right on all of the data that may 
flow than creating pockets of accuracy or I like what I have, 
so leave me alone. Any reaction?
    Dr. Guess. Well, sir, I really agree with the tone and the 
overall scope of your testimony. I think the concern we have 
about FDA is that we are subject to such stringent regulation 
in so many ways with FDA that adding another layer of 
complexity on top of that could create problems.
    Chairman Thomas. I would be concerned about layering, but 
if they are doing something right there, I want to borrow it 
and apply it in other areas, if it makes sense. I know it is a 
relatively narrow area you are dealing with, but in areas where 
there has been complete ability to maintain confidentiality, I 
want to look at those.
    Dr. Guess. Right. I think the issue with FDA is that, with 
drug research under FDA regulations, it is all interventional. 
So one can obtain informed consent from the subjects in a 
clinical trial, but in a retrospective data base search, where 
you are looking through anonymized records of several thousand 
people, some of whom may have moved away, because it is 
historical data, there would really be a problem of applying 
that paradigm in a sort of slavish way.
    Chairman Thomas. Thank you.
    Does the gentleman from California wish to inquire?
    Mr. Becerra. If I could continue that line of questioning. 
Are there then some aspects of the FDA protocol which would be 
most useful as we are trying to come up with ways to protect 
privacy in every other aspect of research and disclosure that 
occurs?
    Dr. Guess. Well, I think, as I said in my testimony 
earlier, that for encrypted or anonymized data, we feel that to 
subject that to the kinds of provisions we have with FDA 
studies could create a real burden. I think when it comes to 
patient-identifiable data, which is really the concern, I think 
some of the provisions we have with FDA do make sense.
    When we collect primary data on identifiable patients or 
when investigators collect that, it does make sense to have 
stringent provisions on that. But when we obtain anonymized 
data, where we do not know who the patients are, I think that 
is a very different situation.
    Mr. Becerra. For either of the two panelists, what is the 
whole issue of the fact that more and more we are finding that 
medical research and answers to medical dilemmas are really 
more than just national in scope, they are really global? The 
whole AIDS epidemic is certainly one of those illnesses or 
diseases that falls within that category.
    How do you go about establishing privacy laws that will be 
sufficient if the European Union on one end has very stringent 
privacy laws and we may have other countries in other parts of 
the globe who probably do not have any at all, and if they do, 
they may not be enforced? How do you go about doing the 
research going beyond the U.S. border and ensuring that as you 
try to collect information which will give you the best result 
for your research that you are also providing the privacy that 
people deserve?
    Dr. Guess. I would be happy to take that, since we do 
research on a global scale.
    I do not claim to be an authority on what is going on in 
the European scene, but I do know the pharmaceutical industry 
is working with the European Union to try to create a code of 
conduct that will enable pharmaceutical research, specifically 
clinical research, to be carried out in a way that is not 
impeded by some of the privacy initiatives in Europe.
    I feel the problem is actually more a problem with some of 
the proposed initiatives in Europe actually inhibiting research 
in a way that becomes inappropriate and actually harmful to 
them.
    I will say in certain countries in Europe, such as Germany, 
for one, and France, to a certain extent, for another, 
epidemiologic research and health services research is very 
underdeveloped relative to what it is in the United States. As 
you go down the list of things that Dr. Gabriel mentioned, 
virtually all of those discoveries are American-based 
discoveries. We have a very strong force in that area.
    Dr. Gabriel. Could I respond to that?
    Mr. Becerra. Yes, of course.
    Dr. Gabriel. I think what you said also speaks to the 
importance of preemption, so that at least in the United 
States, we can have a common approach and a unified approach to 
these problems.
    As far as the international scene, there are a number of 
international epidemiology and research groups that are now 
assembled. I am part of a couple of them that are devising 
international standards for these studies and trying to discuss 
that with the regulatory agencies in their own settings.
    Mr. Becerra. Thank you, Dr. Gabriel.
    If I can follow up on that, where would you break on the 
issue of preemption in view of what you just said?
    Dr. Gabriel. Well, Mayo Foundation operates in five 
different States. That means the clinical practice as well as 
the clinical research crosses State boundaries, and it makes 
very little sense for us to have this patchwork of rules and 
regulations. It really hampers both the practice and the 
research activities. So we would be in favor of it. However, I 
do agree with one of the previous speakers about the value of 
having States do their own reportable disease and public health 
work. I think that is a different category. But, in terms of 
confidentiality, I think it makes a lot of sense for integrated 
health care delivery systems such as ours that operate in more 
than one State to have one set of rules.
    Mr. Becerra. Dr. Guess, if I could return to the whole 
issue of what you face in Europe as you try to conduct 
research, is part of the difficulty that you have in Europe or 
in certain European countries, is it due more to commercial 
issues or factors here than it might be actually conducting the 
research where, for example, they may want to keep their 
particular research market closed to their researchers that are 
home based?
    Dr. Guess. I do not actually think so. I think some of the 
privacy initiatives there may come about because much of the 
health care is socialized, and so I think it is a privacy 
tradition. Also, the German privacy tradition has its origins 
in other problems, and so I do not think it is really a 
commercial interest. I think it just stems from the way the 
health care is organized.
    Mr. Becerra. You mentioned that that has caused Merck and 
other U.S. pharmaceuticals problems in trying to conduct the 
research necessary.
    Dr. Guess. Well, I think if certain of the provisions were 
to go through, problems would be caused.
    I will also say that much of the type of research we do, 
for example the study that we did at Kaiser, could not have 
been done in many parts of Europe. So there are certain things 
that, just from their very cumbersome restrictions, would be 
quite difficult to do in many parts of Europe. I do not mean to 
take Europe as a whole, but in many parts of Europe would be 
quite difficult to do.
    Mr. Becerra. Thank you.
    Mr. Chairman, if I could ask one last question.
    How does the European Union treat the various nations 
within the Union? Are they provided with particular discretion? 
For example, a European Union-wide preemption. Does that exist?
    Dr. Guess. I think the objective with the European Union 
directive is to create some uniformity to the European 
requirements, and they are working toward this right now. So 
they are trying to create some sort of preemption of a 
patchwork of national laws right now. But the problem may be 
setting the level at an appropriate level.
    Mr. Becerra. Thank you. Thank you, Mr. Chairman.
    Chairman Thomas. I would tell the gentleman this is going 
to be an ongoing area in which, if we do not coordinate between 
the European Union, the more emerging union of the European 
Union, than we have in the past, where the historical situation 
of drug companies going to Europe to do certain types of 
testing and research because of the laws in the United States 
making it more difficult--that if, in fact, the European Union 
moves on the basis in large part of anecdotal or other reasons 
for restricting that research, we have the opportunity, were we 
to get it right, to carry on the research here.
    But if we do not change other areas of the law, we will not 
have the ability to do it, notwithstanding the fact that we 
have now created an opportunity to transmit the information in 
a confidential way. So that what we do here is not the complete 
story. We have to deal with the opportunity to allow research 
to go on beyond the patient records and the collection of data.
    It would be an ultimate irony if the European drug 
companies, if there are any left after those laws are passed in 
Europe, would be coming to the United States to do the kind of 
research where the populations make sense on an analogous 
basis. Where they do not, Merck and other companies, obviously, 
are moving around the globe; and what I would very much like to 
do is get it right and set a model which is appropriate so that 
we can at least urge others to follow our example.
    I want to thank all of you for the testimony that was 
given, and especially the last panel. Without any additional 
questions, the Subcommittee stands adjourned.
    [Whereupon, at 12:10 p.m., the hearing was adjourned.]
    [Submissions for the record follow:]
      

                                

American Association of Health Plans

                            I. Introduction

    The American Association of Health Plans (AAHP) is the 
largest national organization of health plans. AAHP represents 
more than 1,000 health maintenance organizations (HMOs), 
preferred provider organizations (PPOs), and similar network-
based plans. Together, AAHP member plans provide quality health 
services for approximately 140 million Americans. AAHP member 
plans are dedicated to a philosophy of care that puts patients 
first by providing coordinated, comprehensive health care.
    The subject of today's hearing--how to craft federal 
legislation to protect against inappropriate use of patient-
identifiable health information, while at the same time 
permitting the coordination and delivery of high quality health 
care--is one of the most important issues facing federal health 
policy makers today. Not only is there great potential for harm 
if patient information is misused, but our health care system 
relies on patient trust as an essential ingredient to quality 
health care. The use of patient information by health care 
providers, health plans, and health researchers has already 
greatly improved the quality of health care. Continued use of 
this information will enable us to build on that improvement.
    Chairman Thomas, members of the Committee, and staff have 
been extremely open to discussing this issue with AAHP and our 
member plans, and we appreciate their efforts to develop 
workable, real-world policies and procedures regarding the 
confidentiality of patient-identifiable health information.
    This statement highlights how health plans currently use 
patient-identifiable health information to support quality 
assurance and improvement programs and emphasizes the 
importance of properly structuring federal confidentiality 
legislation in order both to preserve patient confidentiality 
and ensure that quality of patient care can continue to be 
enhanced.

 II. Health Plans Support Safeguarding the Confidentiality of Patient-
                    Identifiable Health Information

    AAHP and its member plans strongly support the goal of 
assuring consumers that health plans and health care providers 
will respect the confidentiality of their identifiable health 
information. We believe that appropriate confidentiality 
safeguards for patient-identifiable information are essential 
to ensuring that health plan members feel comfortable 
communicating honestly and openly with their physicians and 
other providers. Without open communication between patients 
and their providers, treatment decisions are based on 
incomplete or inaccurate information and quality of patient 
care suffers.
    AAHP's member plans have demonstrated their commitment to 
confidentiality by addressing this issue as part of AAHP's 
ongoing Putting Patients First initiative. Because AAHP is 
committed to addressing the issue of consumer confidence in 
health plans, association members must meet standards related 
to confidentiality. Member plans must safeguard the 
confidentiality of patient-identifiable health information 
through policies and procedures that, consistent with federal 
and state law, (a) address safeguards to protect the 
confidentiality of patient-identifiable health information; (b) 
provide for appropriate training of plan staff with access to 
patient-identifiable information; and (c) identify mechanisms, 
including a clear disciplinary policy, to address the improper 
use of patient-identifiable health information. The policy 
reinforces that health plans should not disclose patient-
identifiable health information without the patient's consent, 
except when necessary to provide care, perform essential plan 
functions such as quality assurance, conduct bona fide 
research, comply with law or court order, or for public health 
purposes.
    This policy on confidentiality joins other policies that 
are also part of AAHP's Putting Patients First initiative, 
covering areas such as information for consumers, physician-
patient communication, choice of physician, grievance and 
appeals, physicians' role in plan practices, and, of course, 
quality assessment and improvement.
    Virtually all of the current federal legislative proposals 
related to confidentiality recognize that health plans need 
access to patient-identifiable information for purposes of 
facilitating treatment and securing payment for health 
services. However, one area where there continues to be some 
confusion over health plans' need for information relates to 
health plans' efforts to improve quality of care.
    It is true that, for some of the quality-enhancing 
activities health plans undertake, they are able to use non-
identifiable health information--information that has been 
aggregated, anonymized, coded, or encrypted in such a way that 
the information no longer reveals the identity of particular 
individuals. Consistent with the vast majority of legislative 
confidentiality proposals that have been considered to date, 
AAHP believes that a patient's interest in confidentiality is 
pertinent only when his or her identifiable information is 
involved. Because aggregate, anonymized, coded, or encrypted 
information does not identify individuals, consumers need not 
be concerned about the use of this information.
    However, some of the fundamental, quality-enhancing 
activities undertaken by health plans do require the use of 
identifiable health information. The use of health information 
in health plan quality assurance and improvement activities can 
greatly enhance the quality of health care for both the 
individual plan member and the member population as a whole, 
and AAHP believes that health plan members should benefit from 
these quality improvement activities. These activities are not 
only fundamental to coordinated, quality care, but in many 
cases are also required of health plans under a variety of 
state and federal programs and regulations, as well as under 
voluntary private sector reporting and accreditation standards.

   III. Health Plans Use Patient-Identifiable Health Information to 
                            Enhance Quality

    Health plans use patient-identifiable health information in 
a variety of activities that improve the quality of health 
care. These activities, which focus on both the processes of 
delivering care as well as on the outcomes of care, include 
health promotion and prevention, disease management, outcomes 
research, and utilization management. Health plans' ability to 
enhance quality through these activities could be seriously 
jeopardized unless federal confidentiality legislation is 
properly structured.

Health Promotion and Prevention

    Health promotion and prevention activities improve quality 
by enabling plans and providers to identify members at risk for 
certain illnesses or eligible for certain services. Plans and 
providers can then reach out to those members to provide 
information to them and encourage them to seek out services 
when they can benefit most from intervention and before disease 
progresses. Often, determining who is at risk involves the use 
of patient-identifiable health information. Health plans add 
much of value in this area because they have access to claims 
data and can help busy physicians accurately identify patients 
at risk of certain illnesses or who are eligible for certain 
services--even among patients the physician may not have seen 
in some time. Once the plans have identified these members, 
they contact them and, in many cases, the members' physicians 
as well. Many plans encourage their physicians to follow-up 
with the identified members to schedule the necessary 
appointments.
    For example, nearly all plans have implemented postcard or 
phone-call mammography reminder systems for their female 
members. Patient-identifiable information is used to identify 
female enrollees of a certain age who have not received a 
recent mammogram. United HealthCare's plans use patient-
identifiable information to single out women aged 50 to 74 who 
are overdue for a mammogram. The plans send reminder notices to 
these women as well as to their physicians so that the 
physicians can follow-up with their patients directly. As a 
result of this program, in 1995, United HealthCare's plans 
across the country experienced increases in mammography rates 
ranging from 30-45%. This program and others like it promote 
detection of breast cancer in the earliest and most treatable 
stages.

Disease Management

    Disease management activities improve quality by 
identifying members who have been diagnosed with certain 
chronic diseases and then coordinating and monitoring their 
care. Again, because health plans have access to claims data, 
they are well-positioned to identify those members who will 
benefit most from disease management programs. Health plans 
then contact the identified members and, in many cases the 
members' physicians, in order to encourage them to seek the 
appropriate care.
    For example, according to a recent study, 45.4% of all HMOs 
had diabetes disease management initiatives in place in January 
1996.\1\  Harvard Pilgrim New England has developed a 
comprehensive gestational diabetes management program that 
includes directed case management and regular vision 
screenings. The plan uses patient-identifiable information to 
identify members with diabetes and involve them in the plan's 
disease management program. As a result, the plan was able to 
increase annual retinal exams by 26%, eliminate diabetes-
related newborn major malformations, and decrease the incidence 
of low blood sugar reactions in patients receiving insulin 
therapy.
---------------------------------------------------------------------------
    \1\ The InnerStudy Competitive Edge Part II: Industry Report, 
September 1996, p. 76.
---------------------------------------------------------------------------
    Asthma management is another area where health plans use 
patient-identifiable information to target members and improve 
the quality of care delivered to them. As of January 1996, 
50.4% of all HMOs had asthma management programs in place.\2\ 
PrimeCare Health Plan, for example, examines clinic and 
hospital record information to identify children with asthma 
who are missing an inordinate number of clinic appointments and 
who have high hospital admission rates. Working with the 
children's pediatricians, the plan involves the children and 
their families in an asthma education and management program 
that initially resulted in a 30% reduction in emergency room 
visits and a 60% reduction in hospital admissions for 
participants of the program.
---------------------------------------------------------------------------
    \2\ Ibid.

---------------------------------------------------------------------------
Outcomes Research

    Another method health plans use to improve the quality of 
care is outcomes research. Health plans use patient information 
to evaluate the effect of particular treatment programs, assess 
the typical course of a chronic disease over time, and identify 
variations in outcomes that may be targeted for future 
improvements in health care processes.
    For example, Kaiser Permanente of Northern California used 
patient-identifiable information to study the most effective 
treatment for a type of diabetes. Using identifiable health 
information of their members who had been treated for diabetes, 
Kaiser studied whether patients who matched a certain clinical 
profile and were treated with the drug Metformin experienced 
better outcomes than patients who did not have the same profile 
but who were also treated with Metformin. The outcomes analysis 
indicated that, in fact, outcomes were better in the patients 
who matched the profile than in those who did not match the 
profile. This study provided Kaiser physicians with the 
clinical evidence needed to select the most effective course of 
therapy for their diabetic patients.

Utilization Management

    Utilization management activities involve evaluating the 
medical necessity and appropriateness of health care services 
both for the purposes of payment as well as for quality 
improvement. Utilization management enables plans to respond to 
inappropriate patterns of care. For example, evidence suggests 
that hysterectomies and caesarean section deliveries are over-
performed in the U.S. Hysterectomies are the second most common 
procedure--performed on 1 in 3 American women by the age of 60. 
In Italy, by comparison, the figure is 1 in 6 and in France it 
is only 1 in 18. Similarly, the Centers for Disease Control 
estimated that physicians performed 349,000 unnecessary 
caesarean section deliveries (approximately 1 out of every 12 
deliveries) in 1991--unnecessarily placing women at risk of 
infection and unnecessarily exposing them to the complications 
and trauma associated with major abdominal surgery. Health 
plans' utilization management programs require patient-
identifiable information to ensure that patients receive 
necessary, appropriate, high-quality care in a cost-effective 
manner.

Integrated Delivery of Services

    Integrated delivery of services enables health plans and 
providers to utilize patient-identifiable health information in 
even more ways to improve the quality of care. Often, 
physicians are provided with increased access to patient 
information in order to aid them in their management of certain 
health conditions. For example, physicians at LDS Hospital in 
Salt Lake City created a computer-assisted management program 
for antibiotics and other anti-infective agents which 
Intermountain Health Care now uses in its hospital intensive 
care settings. The program compares historical patient data 
(rendered non-patient-identifiable) on infection 
characteristics and antibiotics effectively used in treatment 
to current patient infection data. The system then provides 
decision support to physicians by recommending anti-infective 
regimens and courses of therapy based on its comparison. The 
system also helps to prevent adverse drug reactions and promote 
cost-effective care by enabling physicians to choose anti-
infective regimens that are the most effective for the lowest 
cost.\3\ In this example, patient-identifiable information that 
has been rendered non-identifiable is used to link previous 
patient record information on infection causes and treatment 
regimens to the computer-assisted antibiotic management program 
to improve care for current patients.
---------------------------------------------------------------------------
    \3\ Evans RS, Pestotnik SL, Classen DC, et. al., ``A computer-
assisted management program for antibiotics and other anti-infective 
agents,'' New England Journal of Medicine, January 22, 1998; 338:232-8.
---------------------------------------------------------------------------
    As previously mentioned, not only are these activities that 
use patient-identifiable information fundamental to improving 
patient care, but many are also required of health plans under 
a variety of state and federal programs and regulations, as 
well as under voluntary private-sector reporting and 
accreditation standards. For example:
     Activities to monitor, detect, and respond to 
over- and under-utilization are required by state HMO and 
utilization review laws, federal laws, and private 
accreditation standards;
      Data collection and analysis of condition-
specific patient outcomes are required of plans participating 
in the Federal Employees Health Benefits Program;
     Ongoing quality assurance programs that (1) stress 
health outcomes and provide for the collection, analysis, and 
reporting of data; (2) monitor and evaluate high volume and 
high risk services and the care of acute and chronic 
conditions; and (3) after identifying areas for improvement, 
take action to improve quality, are required of Medicare+Choice 
plans under Medicare;
     Procedures to ensure health care delivery under 
reasonable quality standards, consistent with recognized 
medical practice standards, and ongoing, focused activities to 
evaluate health care services, are required by the NAIC Model 
HMO Act, which approximately 30 states have adopted;
     Quality management programs that ``monitor, 
evaluate, and work to improve the quality of care and quality 
of services provided . . . utilizing a variety of quality 
management studies, reviews, and evaluations such as . . . 
medical record reviews'' are required of plans seeking URAC/ 
AAHCC accreditation;
     Quality management standards that monitor aspects 
of patient care such as disease management, acute and chronic 
care, and preventive care are also required of plans seeking 
URAC/AAHCC accreditation;
     Health management systems that identify members 
with chronic conditions and offer appropriate services and 
programs to assist in managing their conditions are required of 
plans seeking NCQA accreditation; and
     Actions and interventions to improve quality by 
addressing opportunities for improved performance are also 
required of plans seeking NCQA accreditation.
    It is clear that health plans' efforts to improve patient 
care have been recognized by state, federal, and private 
regulatory entities alike. It also should be clear that 
compromising plans' abilities to improve patient care--whether 
by imposing excessive regulatory requirements or by leaving 
plans with inadequate or partial information for quality 
studies--would result in reduced quality of care. This would 
present an obvious quandary for plans legally and contractually 
required to conduct quality-enhancement activities, yet at the 
same time forbidden to use the information necessary to fulfill 
these obligations.

 IV. Unduly Restricting Health Plan Use of Patient-Identifiable Health 
                    Information Would Reduce Quality

    Some of the current federal confidentiality proposals 
include provisions which would unduly restrict health plan use 
of patient-identifiable health information and, as a result, 
seriously threaten quality of care. One of the more restrictive 
and quality-compromising approaches put forth would be to 
require health plans and providers to obtain patient 
authorization each and every time they use identifiable health 
information. This type of authorization requirement would be 
impractical, costly, and a major burden for patients as well as 
for plans. Moreover, the nature of many of these plan 
activities is that they are seeking to identify individuals at 
risk--it would be impossible to obtain consent from individuals 
who had not yet been identified. As a result, health plans 
would be unable to send mammography reminder notices or 
information on asthma management programs to plan members in 
need of these services.
    A second approach to restricting the use of patient-
identifiable information for quality-enhancing purposes which 
has also been proposed by some would be to permit patients to 
opt-out of participating in quality-enhancing activities, such 
as health promotion, disease management, outcomes research, and 
utilization management. Such an opt-out provision would 
diminish the capacity of current health plan quality assurance 
programs and be counterproductive to improving the quality of 
patient care. In fact, withholding some patients' information 
within a health plan setting could make engaging in these 
quality-enhancing activities so impractical that plans and 
providers would forgo these activities for all patients--again, 
raising the potential conflict between plan obligations to 
improve quality and legal restrictions on the use of the 
information needed to fulfill those obligations. For example, 
in the case of the computer-assisted management program for 
antibiotics, if patients were permitted to object to the use of 
their medical record information for this program, the data 
available to physicians would be incomplete and could skew the 
computer-generated treatment recommendations, potentially 
threatening the quality of care not just for the patient who 
opts out, but for all current patients. Such a threat could 
likely prompt the discontinuation of this innovative and much-
lauded program. This would also be true for other quality-
enhancement endeavors of this type.
    Leaving plans with incomplete information could also force 
current state, federal, and private reporting and quality 
improvement requirements to be modified and weakened to reflect 
the health plans' diminished capacity even to report on health 
outcomes or enrollees' use of services. This in and of itself 
would make plan quality improvement less effective and 
accreditation status less meaningful. On a more global level, 
our national goal of finding out the most effective ways to 
deliver health care--to make sure that patients get the best 
care for their health dollar--would be severely compromised.

V. A Statutory Authorization Would Preserve Quality of Care With Fewer 
                          Procedural Barriers

    For the reasons just mentioned in the previous section, 
AAHP supports the inclusion of a statutory authorization in 
federal confidentiality legislation. A statutory authorization 
would authorize in law all of the widely accepted positive uses 
of patient-identifiable health information, including 
facilitating treatment, securing payment, and conducting health 
plan quality-enhancing activities. Both the Administration's 
proposal and the National Association of Insurance 
Commissioners' (NAIC) draft Health Information Privacy Model 
Act follow the statutory authorization approach. A statutory 
authorization would achieve the goal of providing plans and 
providers with access to identifiable health information to 
improve quality of care. And, by working in tandem with strong 
penalties for the misuse of identifiable health information, a 
statutory authorization would also achieve the goal of assuring 
consumers that plans and providers will respect the 
confidentiality of their identifiable health information. It is 
AAHP's recommendation that any penalties be consistent with the 
penalties already established by the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) for the 
wrongful disclosure of individually identifiable health 
information.
    A slightly less effective alternative to the statutory 
authorization that has also been proposed is the consolidated 
authorization. As proposed, the consolidated authorization 
would allow plans to procure a single authorization at the time 
of enrollment to use identifiable health information for the 
purposes of facilitating treatment, securing payment, and 
conducting quality improvement activities central to patient 
care. While the consolidated authorization is a vast 
improvement over having to obtain separate authorizations each 
and every time patient-identifiable information is used, this 
approach has limitations that the statutory authorization does 
not.
    For example, one legislative proposal that has followed the 
consolidated authorization approach has also included 
provisions permitting revocation of that consolidated 
authorization. Yet, expecting health plans to facilitate and 
pay for quality health care services after a patient has 
revoked his or her prior authorization for use of health 
information is a Catch-22 for health plans. Not being able to 
use patient-identifiable information would interfere with 
plans' abilities to effectuate payment for services already 
rendered, facilitate and coordinate treatment, and fulfill 
legally required operational functions--in essence, paralyzing 
plans' ability to effectively serve patients. On the other 
hand, plans--and physicians and hospitals--could be held 
criminally liable for continuing to facilitate high quality 
treatment by using identifiable information.
    This particular legislative proposal has addressed this 
dilemma by giving health plans explicit permission to disenroll 
individuals from the plan upon the individual's revocation of 
his or her authorization. While health plans prefer not to have 
to disenroll patients, revocation provisions often provide them 
no choice. In fact, given the liability involved for 
unauthorized use of information as well as for substandard 
care, revocation by an enrolled individual should perhaps be 
treated as disenrollment without requiring any further action 
by the plan. It should also be noted that plans may have 
underway at the time of an individual's revocation quality 
improvement activities, such as outcomes research, that would 
continue to require the use of the patient's identifiable 
health information lest the entire endeavor be compromised by 
an individual's withdrawal of his or her information mid-study. 
This again points to the superiority of the statutory 
authorization approach.

 VI. The Same Level of Protection Should Be Required for All Types of 
                Patient-Identifiable Health Information

    AAHP believes that federal confidentiality legislation 
should require the same level of protection for all types of 
patient-identifiable health information. Health care providers 
rely on the completeness of medical records in their treatment 
of patients. Segregating certain types of health information, 
such as genetic information, from the rest of the medical 
record could interfere with a provider's access to health 
information that can just as easily be a predictor of future 
health problems as other types of health information. Because 
of this, current practice in most health plans supports uniform 
treatment of all health information and, in many cases, genetic 
information is an integral part of the medical record 
indistinguishable from other personal health information. For 
example, given a notation of a positive marker for one of the 
breast cancer genes in a patient's record, a physician can 
encourage increased mammography screenings to detect any breast 
cancer tumors at an earlier and more treatable stage.
    Moreover, oftentimes genetic information may not be any 
more sensitive than other medical record information. HIV 
status, treatment for mental health, reproductive history, or 
evidence of sexually transmitted disease can be considered 
equally sensitive information. Because many types of health 
information can be considered sensitive, singling out 
information based on its presumed sensitivity would only 
promote inconsistent protections.
    With advanced software capabilities available, it is far 
preferable to limit access to information through the use of 
passwords and other software controls than to require plans and 
providers to physically store different types of information 
separately or treat different types of information differently.

 VII. There Should Be Nationally Consistent Rules in Areas that Affect 
                    Computerized Information Systems

    AAHP believes that, given the complex and interstate nature 
of the way information flows in today's health care system, 
federal confidentiality legislation should address the need for 
nationally consistent rules in areas that affect computerized 
information systems. Moreover, consistent rules governing 
disclosure of various portions of computerized health records 
will facilitate compliance by multi-state health plans and 
employers.

   VIII. Patients Should Have the Opportunity to Inspect, Copy, and 
       Request Amendment To Their Identifiable Health Information

    AAHP supports patients having the opportunity to inspect, 
copy, and request amendment to their identifiable health 
information. Federal confidentiality legislation should 
recognize, however, that health plans that arrange for services 
through provider networks typically do not maintain central 
medical records files. While health plans that employ salaried 
physicians and those that contract with physician groups whose 
practice is solely focused on serving the health plan's members 
may be prepared to provide their members with access to a 
comprehensive medical record, even members of these plans may 
occasionally seek care outside of the plan's affiliated 
providers. Given that it is a provider who originates health 
information, we believe it is appropriate for providers to be 
responsible for facilitating access to records and appropriate 
amendment procedures. Federal legislation should permit health 
plans to direct patients wishing to inspect, copy, or request 
an amendment to their record, to their physician or other 
provider who originated the information in question.
    In addition, some proposed legislation includes a 
requirement to include patients' written requests for 
amendments and written statements of disagreement in the 
patient's medical record. However, for the growing numbers of 
plans and providers that utilize electronic medical records, 
this requirement would entail transforming the patient's 
written statements into electronic format in order for it to 
become part of the medical record. Instead, AAHP suggests that 
a notation concerning the patient's request to amend or 
statement of disagreement fulfill any such requirement.

                              IX. Research

    Any provisions targeted to research in federal 
confidentiality legislation must ensure that intra-plan quality 
improvement and other health plan operational activities are 
not suddenly subject to a federal oversight process that was 
intended for the protection of human subjects participating in 
clinical research and that was never intended to encompass 
routine quality improvement activities related to health care 
treatment and payment. Intra-plan quality improvement 
activities should not be subject to federal oversight.
    Federal confidentiality legislation must also ensure that 
those health plans and providers that wish to provide patients 
access to clinical trials may continue to do so without being 
subject to a federal research approval process. Current federal 
oversight of clinical trials already subjects researchers to 
review by an independent board specially designed to protect 
and safeguard the interests of human subjects.

                             X. Conclusion

    AAHP wholeheartedly supports the goal of assuring consumers 
that health plans and health care providers will respect the 
confidentiality of their identifiable health information. At 
the same time, AAHP believes that consumers should benefit from 
the quality-enhancing activities health plans undertake--many 
of which are required by public regulators and private sector 
oversight entities. In order to craft federal confidentiality 
legislation that achieves these two goals, it is essential to 
have a firm understanding of how our current health care system 
works, how information flows within the system to make it work, 
and how health plans use information to improve the quality of 
health care.
    In this statement, AAHP has highlighted the following 
recommendations for federal confidentiality legislation:
    (1) Federal confidentiality legislation should not unduly 
restrict health plan use of patient-identifiable health 
information. Instead, legislation should statutorily authorize 
the use of patient-identifiable health information for the 
purposes of facilitating treatment, securing payment, and 
conducting health plan quality improvement activities central 
to patient care. This statutory authorization would work in 
tandem with penalties for misuse that are consistent with 
HIPAA.
    (2) Federal confidentiality legislation should require the 
same level of protection for all types of patient-identifiable 
health information.
    (3) Federal confidentiality legislation should address the 
need for nationally consistent rules in areas that affect 
computerized information systems.
    (4) Federal confidentiality legislation should permit 
health plans to direct patients wishing to inspect, copy, or 
request an amendment to their record, to their provider. In 
addition, any requirements to include written statements 
submitted by the patient in the patient's record should permit 
plans and providers to include a notation of that a written 
statement exists if it is more technologically feasible to do 
so.
    (5) Any research provisions included in federal 
confidentiality legislation must be carefully constructed to 
ensure that intra-plan quality improvement activities are not 
suddenly subject to a process that was intended for the 
protection of human subjects participating in clinical research 
and that was never intended to encompass routine quality 
improvement activities related to health care treatment and 
payment. In addition, any research provisions must ensure that 
those health plans and providers that wish to provide patients 
access to clinical trials may continue to do so without being 
subject to a federal research approval process. Current federal 
oversight of clinical trials already subjects researchers to 
review by an independent board specially designed to protect 
and safeguard the interests of human subjects.
    We look forward to working with the Committee in its 
continued work on federal confidentiality legislation.
      

                                

Statement of American Association of Occupational Health Nurses (AAOHN)

    The American Association of Occupational Health Nurses, 
Inc. (AAOHN) appreciates the opportunity to submit written 
testimony to the House Committee on Ways & Means, Subcommittee 
on Health for the hearing record on the matter of Health Care 
Information Privacy and Confidentiality. We want to thank the 
Chairman and express our special appreciation for his 
leadership on this important issue.
    Our primary interest in participating in these hearings is 
to urge Congress, in the strongest terms, to enact truly 
comprehensive medical records confidentiality legislation. In 
summary, we believe that for Congress to be successful in this 
area, it must craft legislation that will ensure that all 
medical records are protected under the law regardless of the 
mode of payment or the setting where the health information is 
obtained or maintained.
    AAOHN is the professional association for more than 13,000 
occupational and environmental health nurses who provide on-
the-job health care for the nation's workers. Occupational 
health nurses are the largest group of health care providers at 
the worksite. As such, our professional nurses assume 
responsibility for all aspects of health and safety for 
individual workers and the work environment. AAOHN supports the 
development of uniform laws, rules and procedures governing the 
use and disclosure of health care information. AAOHN has had a 
long-standing interest in the debate on confidentiality of 
health information. The Association has developed position 
statements and guidelines on the issue to ensure that the voice 
of the occupational and environmental health nurse is heard in 
Washington.

                               Background

    In the course of their jobs, occupational health 
professionals collect personal information about the health and 
lifestyles of their company's employees. AAOHN members are 
responsible for a great deal of data collection and maintenance 
of personal health information. This often includes records 
that document medical and/or health surveillance activities, 
wellness programs, pre-job placement and return-to-work 
physical examinations, and other similar types of worksite 
health initiatives. It is our observation that, to date, the 
confidentiality issues surrounding the protection of health 
information gathered and maintained at the worksite have gone 
largely unnoticed in the confidentiality debate. Health care 
information obtained and maintained at the worksite is both 
personal and sensitive. Clearly, health information records 
found at the worksite are as important to the confidentiality 
interests of the nation's workers as the patient data contained 
in the more traditionally thought of medical record. Worksite 
information, if improperly used or released, may be equally as 
harmful to an employee's interests as unauthorized disclosure 
of more traditional medical records.
    AAOHN maintains that employers should have access only to 
that amount of health information necessary to determine 
whether a worker may perform his or her job in a safe manner. 
For example, we believe that in cases of fitness for work exams 
(e.g., health surveillance, pre-job placement and physical 
examinations, and return-to-work physical examination records) 
health care professionals should provide the employer with a 
written determination based on the medical record rather than 
handing the employer the actual record itself.
    Also, in cases in which workers' compensation benefits are 
at issue, information obtained through the company's wellness 
or employee assistance programs should not be used to defeat 
the claim. Employees seeking medical or disability payments 
under state workers' compensation laws should not be forced to 
sign releases covering their entire medical record in order to 
file their claim. Only information directly relevant to the 
illness or injury underlying the compensation claim and any 
appropriate secondary injury determination should be available. 
No other information should be released without meaningful, 
uncoerced consent on the employee's part for a more expansive 
disclosure.
    Limiting the amount of personal health information an 
employer may learn about his or her employee is not a novel or 
untested regulatory approach. The ``bloodborne pathogens'' 
regulations issued by the Occupational Safety and Health 
Administration (OSHA) explicitly requires that such information 
must be kept confidential and ``not disclosed or reported 
without the employee's express written consent to any person 
within or outside the workplace except when required by this 
section or as may be required by law.'' \1\
---------------------------------------------------------------------------
    \1\ 29 CFR Ch. 1910.1030.
---------------------------------------------------------------------------
    The law also narrows the extent of the information provided 
to the employer to that which is necessary to make a 
determination regarding work fitness. For example, the 
regulation states that the ``healthcare professional's written 
opinion .... shall be limited to whether (a particular 
treatment) is indicated for an employee, and if the employee 
has received such (treatment).'' \2\
---------------------------------------------------------------------------
    \2\ Id.
---------------------------------------------------------------------------
    We believe that Congress should enact a law to protect 
individually identifiable health information utilizing the 
standards set forth in the bloodborne pathogens regulations.
    To be clear, occupational health professionals have an 
ethical obligation to safeguard health information 
confidentiality. AAOHN's ethical tenets caution against 
inappropriately disclosing confidential information yet 
recognize, however, that there are a number of appropriate 
ethical and legal exceptions to the rule. For example, it is 
perfectly ethical and legal to disclose information concerning 
threats of homicide, threats of suicide, reportable diseases, 
child or elder abuse, any injury caused by firearms or other 
violent acts, and other information covered by law. Other types 
of disclosures for specific purposes such as controlled 
research, emergencies, civil, judicial and administrative 
purposes, law enforcement, oversight and payment may also be 
appropriate.
    Employers must be able to access certain personal health 
information when considering pre-placement testing, fitness for 
work exams and work place safety health testing. Specific 
limited information must be available to employers making 
reasonable job accommodations in cases of disability or 
reviewing claims for workers' compensation benefits. In 
addition, because employers are also responsible for providing 
a number of other types of benefits such as health and 
disability insurance, family medical leave and employee 
assistance programs, they may require that certain specific 
health information be disclosed. AAOHN firmly believes that 
employers should be allowed to administer these important 
programs in an efficient manner.
    Unfortunately, occupational health nurses are often 
pressured by employers to release a workers' entire medical 
record. As such, the occupational health professional is caught 
between management demands and the nurse's ethical 
responsibility to protect the employee's confidentiality. Many 
of our members can attest to the fact that employers often 
pressure occupational health nurses to divulge the confidential 
health information of their employees. For too many 
occupational health nurses this ethical and legal dilemma is 
not a theoretical issue. The cases of Bettye Jane Gass and 
Kathleen Easterson provide two such examples:

Bettye Jane Gass

    Bettye Jane Gass became a registered nurse when she passed 
her Kentucky Nursing Boards in 1975. She received her degree in 
nursing from Western Kentucky University. Shortly thereafter, 
Ms. Gass began working at both Western Kentucky University and 
the Lord Corporation on a part-time basis. She later left the 
employment of Western Kentucky University to become a full-time 
Health Services Specialist at the Lord Corporation's Bowling 
Green plant.
    In that position Bettye Jane Gass was responsible for 
providing treatment to employees who sustained injury or became 
ill. She was also responsible for maintaining the case 
histories of workers; coordinating paper work flow for injury 
compensation reports; scheduling pre-employment physicals and 
follow-up physician visits; preparing summaries and reports; 
and maintaining OSHA record-keeping requirements as well as 
coordinating activities of the company's wellness program. She 
was asked to return to part-time status in 1993 and was 
terminated on September 7, 1995, without prior notice after 
approximately thirteen and one-half years at the Lord 
Corporation.
    On that date, the human resource manager demanded access to 
the routine physical examinations given to all plant employees. 
Betty Jane Gass refused to turn over the keys to the filing 
cabinet where the worksite health information was kept. She 
refused to violate her ethical obligations and despite a 
written company policy that expressly stated that health 
services personnel should maintain confidentiality and provide 
limited access to the medical files, she was fired for 
``insubordination.'' The state court that heard her case issued 
a summary judgment stating that Ms. Gass ``failed to show that 
her discharge was in violation of any fundamental and well 
defined public policy as evidenced by a constitutional or 
statutory provision.'' Bettye Jane Gass has filed an appeal and 
the case is still in pending litigation.

Kathleen Easterson

    In the case of Kathleen Easterson, the issues of employer 
pressure resulting in the termination of an occupational health 
nurse are again presented. Kathleen Easterson, an occupational 
health nurse and Assistant Director of Nursing and Director of 
Employee Health at a New York area medical center, was 
terminated by her employer when she refused to disclose the 
contents of a doctor's note containing an employee's non-
occupational diagnosis of severe headache and TMJ trauma. Like 
the case of Bettye Jane Gass, the termination occurred despite 
the fact that there was an explicit corporate policy pertaining 
to medical records confidentiality.
    In the court case that followed the hospital's actions, Ms. 
Easterson sued for wrongful discharge and reinstatement of 
employment. Ms. Easterson explained to the court that she 
believed that the worker in her care had a reasonable 
expectation of privacy with respect to the medical records kept 
in her care. She believed this to be true because of the 
existence of the nurse-client confidential relationship. She 
explained to the court that the employer's policy and practice 
of reviewing an employee's medical record without consent 
should not be tolerated. If employers were allowed to continue 
this policy, she argued, it would erode trust in the health 
care system and should therefore, be held to be against the 
interests of good public policy. Ms. Easterson maintained that 
the doctor's note was part of the employee's confidential 
record and that there was no governmental compulsion to reveal 
the employee's medical record.
    Unfortunately, the two lower courts that heard the case 
held that there was no nurse-client relationship between the 
occupational health nurse and the employee. In addition, the 
court held that the doctor's note at issue was not information 
acquired by the nurse in attending the employee/client. The 
court also found that the doctor's note was not necessary to 
enable the nurse to act in a nurse-client capacity. The court 
determined that the doctor's note did not create a substantial 
and specific danger to the public health. Finally, the court 
determined that there was no basis in law upon which to provide 
Ms. Easterson with relief for her claims.
    AAOHN believes that the lack of legal recourse in both the 
Gass and Easterson cases is egregious and should be corrected 
through Congressional enactment of comprehensive 
confidentiality legislation.

        Greater Protections Should Be Created Under Federal Law

    AAOHN maintains that workers must be allowed to feel that 
their private disclosures will be treated in a dignified and 
confidential manner. The existence of the patch work of state 
laws does not always provide such assurances in the worksite 
setting. Under the laws of many states, employers are not 
prohibited from accessing detailed personally identifiable 
employee health information with the company. This is true 
because the occupational health professional is viewed as an 
agent of the employer, not as a health care provider with a 
duty of confidentiality to the patient-employee. In addition, 
courts have found that physicians representing employers are 
not bound by the physician-patient duty of confidentiality.\3\
---------------------------------------------------------------------------
    \3\ Rogers v. Horvath, 237 N.W. 2d 595 (Mich. 1995).
---------------------------------------------------------------------------
    At the same time, health care professionals have been held 
liable in some states for violations of their professional duty 
to respect privacy. For example, when a private physician 
notified an employer that an employee had a ``long-standing 
nervous condition with feelings of anxiety, and insecurity,'' 
the patient won an award for damages from the physician because 
the patient had asked not to have the information released and 
because the court could find no compelling reason for the 
disclosure.\4\
---------------------------------------------------------------------------
    \4\ Horne v. Patton, 287 So.2d 824 (Ala. 1974).
---------------------------------------------------------------------------
    In another case, the West Virginia Supreme Court held that 
under the state's workers' compensation statute, physicians can 
allow employers access to written medical reports but not to 
information collected from oral communications. The court also 
ruled that employees can sue both their physicians for 
releasing confidential information and their employer for 
requesting the information.\5\
---------------------------------------------------------------------------
    \5\ Morris v. Consolidation Coal, 446 S.E.2d 648 (W.Va. 1994).
---------------------------------------------------------------------------
    In still other cases, health care professionals have not 
been held liable in at least one state that has attempted to 
protect patients from unfair information practices, for 
arguably the wrong reasons. In a Maryland case, a plaintiff 
named Leo Kelly, Jr., brought suit against a physician named 
Dr. Brad Lerner based on medical malpractice. In that case the 
parties agreed to submit the claim to binding arbitration. The 
plaintiff hired an expert witness named Dr. Horst Schirmer to 
testify that Dr. Lerner had breached the standard of care by 
performing an operation known as a transurethral resection of 
the prostate (``TURP'') on the plaintiff.
    On cross-examination, Lerner's counsel sought to impeach 
Schirmer by introducing a copy of a pathology report that 
indicated that Dr. Schirmer had performed the identical surgery 
under conditions he alleged constituted a breach of care on the 
part of Dr. Learner. The subject of that pathology report was 
William Warner. Based on this use of his medical records, 
Warner sued Learner alleging that a violation of the Maryland 
Confidentiality Records Act of 1990, resulted from Lerner's 
improper taking and use of Warner's medical records without his 
prior consent. Warner v. Lerner, 115 Md. App. 428, 693 A.2d 394 
(1997). Lerner filed a motion to dismiss the case which the 
Court granted on the grounds that the law stated that in 
litigation ``a health care provider may disclose a medical 
record without the authorization of a person in interest.'' 
Despite the fact that the Maryland legislature intended to 
protect patients from violations of their confidentiality, they 
did not foresee that health care providers such as Dr. Lerner 
would use a provision apparently intended to allow physicians 
to defend themselves in malpractice actions for other purposes. 
The Court stated:
    [w]e are troubled here ... [d]espite this Court's quite 
obvious discomfort, maybe even displeasure, or its severe 
reservations regarding just what was intended by the general 
assembly, the language of the statute is clear, and we must 
give meaning to those words as those words set forth by that 
deliberative body.
    This case points out some of the more egregious perils and 
pitfalls that exist in the current patch work quilt of state 
confidentiality laws.
    AAOHN believes that workers must be provided with adequate 
confidentiality safeguards regardless of where the personally 
identifiable health information is obtained or maintained. We 
believe that Congress, therefore, must enact comprehensive 
uniform medical record confidentiality legislation in order to 
protect both workers and occupational health professionals. 
Without an appropriate amount of carefully crafted legal 
protections, health care professionals will continue to have 
difficulty in protecting workers' personal health care 
information and struggle with the burdens of carrying out their 
ethical obligations.

       The ``Medical Information Protection Act of 1998'' (Draft)

    AAOHN has indicated its support for a number of elements 
contained in the latest draft version of the ``Medical 
Information Protection Act of 1998,'' prepared by Senator 
Robert Bennett (R-UT) and co-sponsored by Senator Jim Jeffords 
(R-VT). Although this bill has not been introduced in either 
the Senate or House we commend several sections of this 
proposal to your attention. In general, we believe that this 
proposal would provide sufficient protections without creating 
unreasonable burdens on participants and providers in the 
health care system. The proposal prescribes the following 
federal standards that would:
     provide individuals with access to their own 
health information and the right to make corrections;
     impose civil and criminal penalties for wrongful 
disclosure and mishandling of protected medical records;
     limit an individual's personally identifiable 
health information that could be disclosed without consent to 
certain specified circumstances (e.g., emergencies, health 
research conducted by an approved certified institutional 
review board, fraud and abuse, etc.); and
     require that a notice of confidentiality practices 
be posted in public.

In general the proposed legislation would also preempt state 
law.
    AAOHN supports defining the ``term health information'' 
broadly enough to include medical records obtained or 
maintained at the worksite for purposes other than treatment or 
payment. We also support the draft bill because it would 
require that entities that create health information post a 
notice of their confidentiality practices. The simple practice 
of posting such a notice, we believe, will allow employees an 
opportunity to gain a clearer understanding of their rights. It 
will also provide employees with a better understanding that 
individuals do, indeed, have the power under the law to take 
legal action against violators when appropriate.
    In addition, we are encouraged by the bill's criminal 
sanctions provisions because we believe it is essential that 
those who would knowingly and intentionally obtain personally 
identifiable health information and disclose this information 
in violation of the proposed law be penalized.\6\
---------------------------------------------------------------------------
    \6\ The ``Medical Information Protection Act of 1998,'' Title III, 
Subtitle A, Section 301(a).
---------------------------------------------------------------------------
    We suggest, however, that the draft bill could be 
strengthened by extending penalties to those circumstances in 
which individuals are ``attempting'' to obtain personally 
identifiable information for purposes of unauthorized 
disclosure. It is not enough, in our view, to merely penalize 
those who are successful at inappropriately obtaining and 
disclosing personally identifiable health information. The 
recent news stories regarding the highly aggressive marketing 
practices of certain health related corporations remind us that 
greater protections are essential. The change we propose would 
improve the bill and serve as a significant deterrent against 
inappropriate disclosures. We note that at least one previous 
draft version of the bill contained this important provision 
and suggest that any further drafts would be greatly improved 
by including the old provision in the final bill prior to its 
introduction.\7\
---------------------------------------------------------------------------
    \7\ See, ``Medical Information Confidentiality Act,'' Title I, 
Subtitle B, Section 311(a)(1). Version, (0:/BAI/BAI97.721). Fall 1997.
---------------------------------------------------------------------------
    We also support providing uniform legal protections across 
the nation. Without a broad uniformity provision, conflicts 
will arise due to the fact that it will not always be obvious 
that a specific state law does provide for ``greater 
protections'' than the federal law. While we believe enacting a 
weaker preemption provision would be an improvement over the 
status quo, we suspect that anything less than full preemption 
could lead to more litigation and confusion rather than less.
    Finally, AAOHN is actively working to ensure that any 
legislation that moves through Congress includes a provision 
that would clarify that the law should not require a health 
care provider within an entity (e.g., a physician or nurse who 
provides occupational health services) to disclose protected 
health information to others within the company or entity. This 
issue is often complicated and steeped in terminology that 
courts may find unfamiliar. Under the Bennett-Jeffords 
approach, it appears clear that health information concerning 
wellness records and first aid would be protected but that 
other types of worksite records may not be covered. We urge you 
and others to include in any confidentiality legislation a 
provision that would protect employee medical records related 
to fitness to work as well as those records that document the 
treatment of illness or injuries or participation in wellness 
or employee assistance programs. While we prefer that this 
important concept be included in actual legislative language, 
we want to also offer the following suggested Report language:
    The Committee believes that the health provider who 
creates, originates or maintains the health information within 
the entity is the proper person to determine whether a 
disclosure is consistent with the limitations under subsection 
(d). The intent is to protect the confidentiality of an 
individual's medical records in the workplace, especially those 
related to an employee's fitness to work (e.g., medical 
surveillance records, health screening, return-to-work physical 
examination records).
    In summary, we believe this type of language would limit 
the releases of important information to protect employee 
confidentiality while allowing employers to operate their 
worksite health programs appropriately.

              The Clinton Administration's Recommendations

    As you know, in September of 1997, Secretary of Health and 
Human Services Donna Shalala provided your Committee with a 
number of recommendations regarding standards for privacy and 
protection of individually identifiable health information. 
These recommendations were in fulfillment of her duties 
required by the Health Insurance Portability and Accountability 
Act (HIPAA). While not legislation, these recommendations put 
forth the following five important principles:
     Boundaries: An individual's health care 
information should be used for health purposes and only for 
those purposes, subject to a few carefully defined exceptions. 
It should be easy to use information for those defined 
purposes, and very difficult to use it for other purposes. 
Federal health record confidentiality legislation should impose 
a legal duty of confidentiality on those who provide and pay 
for health care, and on other entities that receive health 
information from them;
     Security: Organizations to which we entrust health 
information ought to protect it against deliberate or 
inadvertent misuse or disclosure. Federal law should require 
such security measures;
     Consumer Control: Patients should be able to see 
what is in their records, get a copy, correct errors, and find 
out who else has seen them. [The Administration's] 
recommendations significantly strengthen the ability of 
consumers to understand and control what happens to their 
health care information;
     Accountability: Those who misuse personal health 
information should be punished, and those who are harmed by its 
misuse should have legal recourse. Federal law should provide 
new sanctions and new avenues for redress for consumers whose 
privacy rights have been violated; and
     Public Responsibility: Individuals' claims to 
privacy must be balanced by their public responsibility to 
contribute to the common good, through use of their information 
for important, socially useful purposes, with the understanding 
that their information will be used with respect and care and 
will be legally protected. Federal law should identify those 
limited arenas in which our public responsibilities warrant 
authorization of access to our medical information, and should 
sharply limit the uses and disclosure of information in those 
contexts.
    AAOHN is convinced that personal health information can be 
collected and effectively utilized in the workplace without 
sacrificing the employee's right to privacy if employers 
conscientiously follow Secretary Shalala's principles. 
Unfortunately, the Secretary envisions defining employer 
``activities that use health information'' too narrowly to 
fully protect the privacy interests of American workers. 
Addressing only the privacy issues raised by employers' access 
to traditional treatment, payment, wellness and first aid 
records still leaves employees significantly at risk because of 
the potential for employers' misuse of information in other 
types of worksite records. AAOHN and its members know from 
experience that business can operate effectively while adhering 
to well-thought-out policies that guarantee the confidentiality 
of personally identifiable health information. Such policies 
provide adequate physical, administrative and technical 
safeguards against nonconsensual intra-company disclosures of 
employee data that exceed the scope of information legitimately 
needed by the employer to run its business safely and 
effectively.
    AAOHN urges Congress to expand upon Secretary Shalala's 
recommendations and to enact a medical records confidentiality 
statute that adequately protects all employee health 
information held at the worksite not just those records 
mentioned by the Secretary.

                               Conclusion

    Mr. Chairman, AAOHN greatly appreciates this opportunity to 
offer our comments for the hearing record. In addition to our 
specific comments, we offer the following five principles that 
we believe will be useful as Congress deliberates on this 
important issue:
     First, define health information broadly enough to 
include all medical records obtained or maintained at the 
worksite for purposes other than treatment or payment;
     Second, require entities that create or maintain 
health information to post a notice of their confidentiality 
practices;
     Third, apply the guiding principles of 
compatibility of purpose and minimal disclosure to all 
personally identifiable health information available to an 
employer regardless of the reason why the employer holds or has 
access to the records;
     Fourth, recognize that the health care 
professional who creates, originates or maintains the health 
information at a worksite is the appropriate person, rather 
than management, to determine whether a disclosure is 
consistent with the purposes underlying the reason for the 
release of the information;
     Lastly, include penalties for coercing or 
attempting to coerce inappropriate record disclosures as well 
as penalties for actual misuse.
    These elements are essential components of any 
comprehensive federal medical records confidentiality law 
intended to protect the personal health information of 
America's workforce. We urge Congress to keep principles in 
mind when legislating, and we look forward to working with you 
and your colleagues as this important matter moves through the 
legislative process.
      

                                

Statement of American College of Occupational and Environmental 
Medicine, Arlington Heights, Illinois

    The American College of Occupational and Environmental 
Medicine (ACOEM) is pleased to have the opportunity to submit 
testimony to the House Committee on Ways and Means, 
Subcommittee on Health on the issue of confidentiality of 
medical records and Secretary Shalala's recommendations for 
legislation.
    ACOEM, representing over 7,000 physicians, is the world's 
largest medical society committed to promoting and protecting 
the health, safety, productivity and well-being of people at 
work and in their environment.
    ACOEM supports the development of uniform comprehensive 
legislation addressing the confidentiality of medical records. 
The College feels that such legislation should include 
provisions that encompass the treatment of employee medical 
information in the workplace.
    There is great potential for a worker to be adversely 
affected by the misuse of workplace medical records. Decisions 
on return to work, job placement, and promotion can be 
influenced by improper access to workplace medical records. 
Current federal law, such as the Americans with Disabilities 
Act (ADA), are inadequate in scope. For example, the medical 
record confidentiality requirements in the ADA go no further 
than requiring the medical record to be kept in a separate 
file. The ADA does not address who has access or when access is 
permitted.
    Occupational physicians and other workplace health care 
providers depend on the individual to completely and truthfully 
disclose private information before rendering a professional 
opinion. An employee must feel secure that the physician will 
treat their private disclosures in a dignified and confidential 
manner. The physician should disclose information received in 
confidence only in narrowly defined circumstances and only when 
it is in the best interests of the individual.
    Employers may require access to personal information when 
considering requests for job accommodations, addressing threats 
to health or safety, or reviewing claims for workers' 
compensation benefits. Additionally, employers shoulder an 
increasing responsibility for providing other types of benefits 
and obligations, such as health and disability insurance, 
family medical leave, and employee assistance programs. As a 
result, the employer becomes inextricably and unavoidably 
involved in employees' personal and medical affairs.
    Thus, competing interests between a worker's desire for 
privacy and the employer's legitimate interest in the health of 
workers create sensitive ethical and legal dilemmas for 
physicians in occupational medicine. Difficult ethical problems 
arise when attempting to balance the importance of the worker's 
need and right to keep medical information confidential versus 
the employer's need to know.
    Occupational physicians acknowledge the importance of 
medical confidentiality in the College's Code of Ethical 
Conduct. The code includes the following:
    ``5. keep confidential all individual medical information. 
Releasing such information only when required by law or 
overriding public health considerations, or to other physicians 
according to accepted medical practice, or to others at the 
request of the individual"; and
    ``6. recognize that employers may be entitled to counsel 
about an individual's medical work fitness, but not to 
diagnosis or specific details, except in compliance with laws 
and regulations.''
    ACOEM recognizes its Code of Ethical Conduct to be the 
standard of conduct expected from those providing occupational 
medical services. However, the College believes that additional 
guidance by legislation is necessary to protect the worker's 
expectation for confidentiality and to give the physician's 
ethical responsibility the force of law.
    Secretary Shalala's recommendations for workplace 
protections are too narrowly crafted. The Secretary recommends 
that employers not be ``controlled by the legislation,'' but be 
considered health care providers or payers when they actually 
perform those activities and ``be obliged to conduct themselves 
accordingly.''
    The College recommends that comprehensive federal 
legislation reflect the following principals:
    1. Physicians should disclose their professional opinion to 
both the employer and the worker when the worker has undergone 
a medical assessment for fitness to perform a specific job; 
however, the physician should not be required to give the 
employer specific details or diagnoses unless the worker has 
authorized the disclosure.
    2. Supervisors and managers may be informed by the 
physician regarding necessary restrictions on the work or 
duties of the employee and recommended accommodations. However, 
the physician should not provide, or be coerced to provide, the 
medical information on which the restriction or accommodation 
is based.
    3. Physicians should recognize a consent for disclosure 
only if the consent is informed and is made without duress.
    4. Physicians should be a source of professional, unbiased, 
and expert opinion in the workers' compensation or court 
systems, and should only disclose medical information that is 
relevant and necessary to the claim or suit. The decision on 
disclosure of relevant and necessary medical information should 
be solely that of the physician.
    5. The physician should develop a written policy for the 
treatment of medical records in their offices, clinics or 
workplaces. The policy should address such issues as where and 
how medical records are stored; the security of medical 
records, including medical databases; what happens in the event 
of employee resignation, layoff, termination, job transfer, or 
plant closure; and the mechanisms of employee access and 
consent for disclosure.
    6. Although workplace medical records may be considered the 
property of the employer, this ownership does not abrogate any 
of the principles of confidentiality. However, the custodian of 
the record should always be the physician or responsible health 
care provider and access to the record should be controlled by 
the custodian. The medical record captures the confidentiality 
of communications within the patient-physician relationship. 
For the physician to provide the best and most appropriate 
medical care, a worker must feel that they can disclose to 
their physicians personal facts and information that they may 
not want others to know. Access by corporate officials, e.g., 
employee relations, in-house legal departments, and other 
functions, should proceed via the physician and in accordance 
with procedures for disclosure.

    ACOEM urges the Congress to enact comprehensive federal 
medical records confidentiality legislation that encompasses 
protection of an individual's personally-identifiable medical 
information in all settings, including the workplace.

Washington Contact: Pat O'Connor (202-223-6222)
      

                                

Statement of American Hospital Association

    The American Hospital Association (AHA) represents the 
nation's 5,000 hospitals, health care systems, networks and 
other providers of care. We appreciate this opportunity to 
present our views on an issue of great importance to our 
members and the patients we serve: protecting the 
confidentiality of private health care information.
    As health care providers, AHA members are deeply involved 
in both the use of private health information, and in ensuring 
that the information remains confidential. Our comments reflect 
our members' experiences and needs in balancing these two 
important issues.

          Protecting the Trust Between Providers and Patients

    Every day, thousands of Americans walk through the doors of 
America's hospitals. Each and every one of them provides care 
givers information of the most intimate nature. They provide 
this information under the assumption that it will remain 
confidential. It is critical that this trust be maintained. 
Otherwise, patients may be less forthcoming with information 
about their conditions and needs--information that is essential 
for physicians and other care givers to know in order to keep 
people well, ease pain, and treat and cure illness.
    If care givers were not able to obtain and share patients' 
medical histories, test results, physician observations, and 
other important information, patients would not receive the 
most appropriate, high-quality care possible.
    Our members consider themselves guardians of this 
information, which is why AHA has long supported the passage of 
strong federal legislation to establish uniform national 
standards for all who use health information. We were pleased 
that the Health Insurance Portability and Accountability Act 
(HIPAA) of 1996 pushed this issue to the forefront by requiring 
the Secretary of Health and Human Services to issue 
recommendations to Congress on this important topic. We commend 
Congress and this committee for taking up the difficult task of 
balancing the needs in this area.
    It's an issue that affects each of us personally. We live 
in a time of rapidly advancing technological improvement, when 
the world seems to get smaller as computers get more powerful 
and databases get bigger. This technological change can be 
positive--it has led to significant improvements for both 
health care providers and their patients--but it worries people 
who are justifiably concerned about how information about them 
will be used.
    In health care, we must take the steps necessary to protect 
that information from those who would misuse it. We need 
strong, uniform federal legislation to do it.

                       AHA Goals For Legislation

    First and foremost, because we as hospitals and health 
systems put our patients first, we must restore people's trust 
in the privacy and confidentiality of their personal health 
information. Federal legislation can do this by establishing a 
uniform national standard for the protection of health 
information--including genetic information--a standard that 
balances patient privacy with the need for information to flow 
freely among health care providers. The AHA believes that 
federal confidentiality legislation must meet the following 
goals:

Allow patients and enrollees access to their medical 
information, including the opportunity, if practical, to 
inspect, copy, and, where appropriate, add to the medical 
record.

    Patients have a right to know what information is in their 
records. This level of accountability encourages accuracy and 
has the added benefit of encouraging patient involvement in 
their care. It is not appropriate for patients or enrollees to 
request deletions from their records even if the information is 
incorrect. Medical or claims decisions may have been made based 
on that erroneous information and it should be left in the 
record to ensure accuracy for future users. Any amendments or 
corrections should be added to the original information.

Preempt state laws that relate to health care confidentiality 
and privacy rights, with the exception of some public health 
laws.

    Health care today is delivered through providers that are 
linked across delivery settings, and through organizations that 
cross state boundaries. AHA believes that the best way to set 
important standards for confidentiality of health information 
is to do so uniformly--through a strong federal law. This law 
must be both a floor and a ceiling, preempting all state laws 
with which it may conflict, weaker or stronger. Only through 
such a uniform law can patients' confidential information be 
equally protected regardless of the state in which they live or 
travel.

Be broad in its application, covering all who generate, store, 
transmit or use individually identifiable health information, 
including but not limited to providers, payers, vendors, and 
employers.

    Patient confidentiality cannot be ensured unless standards 
are applied to all who may have access to health information. 
Legislation should cover all types of individually identifiable 
health information, including sensitive issues such as 
substance abuse, mental health, and genetic information.
    Because of our strong belief in this concept, the AHA has 
been very concerned about model privacy regulation that is 
being developed at the National Association of Insurance 
Commissioners (NAIC) and would apply only to insurance 
carriers. This attempt to address enrollee privacy concerns 
through insurers potentially expands the ability of insurers to 
use individually identifiable information by expanding insurer 
responsibility into areas that are more appropriate for 
providers. The model holds insurers responsible for amending 
patient records and establishing Institutional Review Boards 
(IRBs) for research. It also holds insurers responsible for 
making sure that providers with whom they contract have 
confidentiality and security policies that are ``substantially 
similar'' to their own. This limited approach illustrates the 
problems with addressing this problem in a piecemeal manner.

Strike an appropriate balance between patient confidentiality 
and the need to share clinical information among the many 
physicians, hospitals and other care givers involved in patient 
care.

    Care is increasingly provided by groups and systems of 
providers as opposed to individual providers. These new systems 
create opportunities for real improvements, but they rely 
heavily on a free flow of information among providers. Patient 
confidentiality is of the utmost importance. But in order to 
ensure that care is coordinated and the patient's experience is 
as seamless as possible, information must be accessible to all 
providers who treat the patient.
    To ensure this smooth coordination of care, the AHA 
supports legislation that requires a health plan to obtain from 
its enrollees authorization for the entire range of treatment 
activities that could be needed. Providers should still be 
allowed to ask for other authorizations--for example, if a 
patient is to receive sensitive tests or procedures that might 
require the provider to consult with others during a course of 
treatment. But, because it is impossible to know in advance all 
the different practitioners who might be involved in a single 
health care case, multiple levels of authorization would create 
unscalable barriers to the smooth coordination of care.
    Another important issue is how to make sure providers have 
all the information they need to treat the patient. Some 
proposals allow patients to decide which providers can and 
cannot have access to their records, and what information the 
provider can and cannot see. While we understand the concerns 
of patients who want to limit the amount of information in 
their records that is made available to providers or payers, we 
believe strongly that decisions about what information is 
necessary must be made by trained health personnel. At the same 
time, however, information that is requested by a provider or 
payer must be clearly related to the purpose for which it is 
disclosed.

Recognize that a hierarchy of need exists among users of health 
information.

    While access to individually identifiable information is 
essential for patient care, it may also be necessary for 
provider and health care system efforts to measure and improve 
the quality of care they deliver.
    To limit its potential misuse, all within the health system 
should restrict the availability of individually identifiable 
information. Technology is available to do this, through 
encryption, audit trails, and password protection, for example. 
Another method for restricting the availability of individually 
identifiable information is to aggregate information whenever 
possible. Patients should be assured that unique, identifiable 
information about them is available for their treatment, but 
that its availability for other uses is tightly controlled.
    Specific guidelines should be established to control the 
disclosure of individually identifiable information to various 
categories of users, including law enforcement officials, 
researchers, and employers.
    Regarding law enforcement, the AHA believes that leaving in 
place current state laws--as recommended by the secretary of 
HHS--would set a dangerous precedent. Inconsistencies in these 
laws could allow local law enforcement agencies unrestricted 
access to confidential patient records, and free rein to re-
disclose the information contained in them. Federal safeguards 
need to be put in place that ensure patient information is 
provided only when truly necessary--and that its subsequent use 
is tightly controlled. Such decisions should be left to a 
neutral magistrate, from whom law enforcement agents must 
request a warrant or subpoena to obtain individually 
identifiable patient information.
    In the area of research, it is critical that legislative 
proposals distinguish between--on the one hand--human subject 
research under an IRB and non-intervention medical records 
research involving no contact with patients, and--on the other 
hand--the internal operations that a hospital or health system 
undertakes to improve care. For example, many institutions use 
individual medical records to track outcomes and conduct case 
and disease management. Confidentiality legislation should 
recognize that these activities are not research, but 
activities integral to the basic function of a hospital or 
health system--continually striving to improve the health care 
they deliver.
    When individually identifiable information is used by 
employers, two things are critical: the employer must have 
access only to information needed for the functions it may 
perform as an ERISA health plan--treatment, payment or 
administration; and this private information must be available 
only to those who administer the health plan.

Include sufficient civil and criminal penalties to deter 
inappropriate disclosure of individually identifiable 
information.

    The level of these sanctions should vary according to the 
severity of the violation. At the same time, any penalty 
imposed must take into account good-faith efforts by providers 
who establish data safeguards, educate employees about 
complying with the safeguards, and attempt to maintain secure 
record-keeping systems.
Conclusion

    The smooth exchange of patient information is critical to 
providers and patients alike as our nation's health system 
rapidly becomes more integrated. We need federal legislation to 
protect this sensitive information from being misused. The AHA 
looks forward to working with you to develop legislation that, 
by adhering to the goals stated above, protects patient 
confidentiality, does not get in the way of high-quality health 
care delivery, and is truly a uniform national standard.
      

                                

Statement of Healthcare Leadership Council

    The Healthcare Leadership Council (HLC) a trade association 
representing all sectors of the health care industry, including 
pharmaceutical companies, hospitals, managed care, providers 
and device manufacturers, submits the following statement 
regarding patient confidentiality for the record created in 
response to the March 24 hearing held by the House Committee on 
Ways and Means, Health Subcommittee. The HLC members are the 
innovators in the health care industry, and share a commitment 
to a consumer-focused health care system and a dedication to 
providing high quality health care services to every patient. 
Information is the cornerstone of innovation and quality. It 
serves as the basis for the knowledge we need to serve, treat, 
counsel, prescribe therapies, and reimburse patients, and to 
discover how all of these activities can be done better and 
more effectively. Without efficient access to information, the 
evolving health care delivery system will come to a grinding 
halt, and consumers will be denied the real-world benefits of 
all that the health care industry has to offer today and well 
into the future.
    The HLC supports the passage of federal confidentiality 
legislation, while assuring the appropriate information sharing 
needed by network-based health plans, researchers and 
purchasers to provide high quality affordable care for 
consumers. We applaud the recent Ways and Means Health 
Subcommittee hearing. The issues discussed will help build a 
strong foundation for the upcoming debate Congress will have on 
this most important issue. We appreciate the inclusion of our 
statement in the record.
    For more than two years, the HLC has been engaging in an 
earnest effort to work with its members and others in the 
industry to craft workable and meaningful confidentiality 
protections that provide important confidentiality assurances 
to the patient while at the same time allowing health plans, 
providers and health product manufacturers to use patient 
health information for purposes that are necessary and 
appropriate to the provision of high quality health care 
services.
    In searching for a workable federal legislative solution, 
the HLC has identified the following principles as necessary to 
striking the right balance between the patient and the 
information needs of the health care industry. These basic 
principles are as follows:
    (1) Support for federal standards regarding the 
confidentiality of all patient health information; (2) 
Application of standards only to identifiable health 
information, leaving non-identifiable health information (i.e., 
coded and encrypted data) available for use in research and for 
other health-related purposes; (3) Treatment of all 
identifiable patient health information, including genetic 
information, the same way to assure the same strong 
confidentiality protections; (4) Facilitation of appropriate 
uses and sharing of patient health information with recognition 
that access to information is not harmful, but rather helpful 
to the patient; and (5) Provision for strong and thorough 
preemption of state law.
    1. Federal standards. Federal standards ensuring the 
confidentiality of patient health information are critical to 
guaranteeing the uniform, consistent treatment of such 
information throughout the country. In 1996, the Health 
Insurance Portability and Accountability Act (HIPAA) took 
important steps in the right direction by requiring that a 
standardized information transmission and storage system be 
developed, and that such systems be kept secure. In addition, 
HIPAA mandates that Congress enact federal confidentiality 
standards by August of 1999. Failure to do so will trigger 
Secretarial authority to promulgate regulations guaranteeing 
such protections within six months.
    The time has come for a uniform federal standard. The HLC 
supports federal standards regarding disclosure and use of an 
individual's identifiable health information, for safeguarding 
the confidentiality of that information, and for establishing 
an individual's rights to inspect and copy his or her records. 
A uniform standard is the only way to avoid a dual-regulatory 
environment. State authority should remain paramount over areas 
of confidentiality that do not conflict with national 
uniformity and consistency, such as state reporting 
requirements for public health and safety dangers and licensure 
of providers.
    2. Treat all identifiable health information in the same 
manner. The HLC supports extending strong and consistent 
confidentiality protections to all personally identifiable 
patient health information. As such, the HLC is concerned about 
recent proposals, such as that introduced by Rep. Slaughter (D-
NY) (H.R. 306), to treat genetic information separately from 
other patient health information. As a practical matter, it 
would be difficult if not impossible for health plans and 
providers to treat and secure genetic information differently 
than other patient health information as almost all health 
information contains an important genetic component. How then 
can we elevate certain types of health information to a higher 
status more deserving of protection than other information? All 
personally identifiable patient health information should 
receive the same strong protections against inappropriate 
disclosure.
    3. Scope of federal standards should apply to individually 
identifiable information only. In its effort to craft federal 
confidentiality standards, Congress should apply these 
protections to individually identifiable health information 
only where there is a legitimate need for confidentiality. The 
current trend is toward anonymizing information--that is, 
rendering the information available but leaving the identity of 
the subject individual unknown--and a more narrow focus on 
individually identifiable health information would provide an 
important incentive to encrypt, encode and otherwise anonymize 
patient health information wherever possible.
    The HLC strongly believes that any federal confidentiality 
standards should provide incentives for health plans, 
providers, purchasers and other product manufacturers to 
continue using non-identifiable health data to make 
advancements, cure diseases and study the effects of new 
treatments. Allowing the use of anonymized health data directly 
facilitates health research and limiting its use would stifle 
the phenomenal medical advances being made almost daily in this 
country. To further ensure the confidentiality of patient 
health information, however, the HLC strongly supports 
subjecting any ``encryption key'' or other such code used to 
anonymize information to the same strong protections provider 
for other protected, identifiable health information.
    4. Provide for appropriate health information sharing with 
confidentiality protections. Any federal confidentiality 
standards adopted by Congress must adequately and effectively 
recognize that most health care services are delivered through 
some form of integrated delivery system. This modern health 
care system, which is marked by a team-approach to health care 
delivery, relies heavily on information sharing and 
collaboration to ensure high quality services are provided to 
the patient. As a result, it is crucial that strong patient 
confidentiality protections allow and facilitate appropriate 
information sharing to further this goal. Following are several 
key points explaining the HLC's perspective:
     An integrated health care delivery system requires 
more information sharing. Only in focusing on what are and are 
not appropriate ``uses'' of patient health information can we 
develop confidentiality protections that effectively 
distinguish between what is helpful and harmful to the patient 
and to consumers generally. Our health care delivery system is 
no longer one defined by discrete encounters with a number of 
different and unrelated physicians and providers. Rather, the 
current delivery system is distinguished by a growing number of 
innovative arrangements between and among physicians, health 
plans, employers, hospitals and researchers. We now have teams 
of professionals responsible for coordinating the health care 
services provided to patients. These teams involve multiple 
individuals, including physicians, nurses, lab technicians, 
pharmaceutical manufacturers and others. Together, these varied 
participants are working in the interest of the patient.
    As a result of these important improvements in the health 
care delivery system, the HLC supports establishing strong 
confidentiality protections consistent with the direction of 
our delivery system. Specifically, the HLC supports allowing 
the use of patient information for purposes of providing 
treatment, securing payment, conducting health care research 
and undertaking quality assurance activities. These activities 
are all designed to benefit the consumer.
    Medical records research is vital to maintaining and 
improving the health of the American public. In fact, virtually 
every health hazard that we know of today has been identified 
using information from medical records. Take AIDS, for example. 
If researchers had not been allowed to study the medical 
records of patients with unusual immune deficiency problems in 
the late 1970's, the characterization of the AIDS epidemic 
would have been delayed at substantial cost to the public's 
health. Other examples include studies examining the benefits 
and risks of estrogen treatment, the health risks of: smoking, 
dietary fats, obesity, and certain occupations; infectious 
disease studies which led to the development of vaccines for 
polio, measles and other infectious diseases; and studies which 
show the effect of breast cancer screening programs.
    Another example is the outbreak of ``flesh eating strep'' 
identified at the Mayo Clinic in 1996. Without access to the 
medical records of patients with these unusual infections, 
characterization of this syndrome and isolation of this deadly 
bacterial strain would have been delayed. And over a hundred 
school children--which the Mayo research showed were the 
unwitting carriers of this deadly germ in their throats--would 
have gone untreated. Every medical advance mentioned here has 
relied heavily on information from patients' medical records. 
Without access to this rich source of clinical information, 
many of these advances simply would not have occurred.
     You can't expect a surgeon to operate blind. 
Legislation must emphasize confidentiality and provide strong 
disincentives for abuses of information; however, the HLC is 
concerned over recent proposals that would appear to place the 
patient in a position of having ultimate veto power over access 
to information. To put patients, who by and large rely on lay 
knowledge, in a position of deciding whether to grant access of 
information to some and not to others ultimately puts them at 
risk. Again, federal standards should focus on the 
appropriateness of information disclosure and its use.
     The move toward electronic transmission of 
information brings forth tremendous benefits for the patient, 
but also creates fears. The Health Insurance Portability and 
Accountability Act (HIPAA) will result in numerous standards 
regarding the security of electronically transmitted 
information. The concept of a unified medical record is 
revolutionary in the benefits that will inure to patients. 
There will be fewer adverse drug reactions, fewer mistakes made 
and fewer unintended consequences. Electronic data storage 
presents a greater opportunity to secure information than in 
the current system of open file cabinets, etc. At the same 
time, anything new and unfamiliar can cause trepidation. It is 
the fear of the unknown. Yet a unified medical record stored 
electronically actually can keep information more secure than 
paper copies in files, as mentioned before. Computer records 
can be safeguarded through encryption, password access and 
other similar technologies.
     The HLC is concerned over efforts to use the 
confidentiality debate to advance other agendas, such as anti-
managed care and insurance product pricing issues. The HLC 
grows increasingly concerned that the debate over how to keep 
patient health information confidential in the current health 
care delivery environment is becoming a vehicle for debate 
regarding the delivery system as a whole. Again, the HLC 
advocates responsible and appropriate information sharing and 
use. However, any debate desired about such practices as 
medical underwriting, utilization review/utilization management 
and other quality assurance techniques should be held 
separately and should be dealt with on the basis of their 
merits. The HLC caution's Congress against effectively putting 
an end to such practices through the guise of protecting the 
confidentiality of patient information.
     Confidentiality protections are already in place. 
Health plans and providers submit to voluntary accreditation, 
which includes evidence of strong confidentiality protections. 
For example, the National Committee for Quality Assurance 
(NCQA) and the Joint Commission on Accreditation of Healthcare 
Organizations (JCAHO) are two accrediting bodies which require 
health plans and hospitals to have written confidentiality 
policies and procedures in place, to take action at patient 
care sites to guard against unauthorized or inadvertent 
disclosure of confidential information, and to obtain patient 
consent for information release. In addition, the Federal 
Privacy Act imposes numerous confidentiality requirements on 
health plans and providers participating in the Medicare 
program. Similarly, the Institutional Review Board (IRB) 
process involving clinical research holds pharmaceutical 
manufacturers, device manufacturers and other researchers to 
stringent confidentiality standards.
    5. Strong federal preemption of state law. The HLC strongly 
supports effective federal confidentiality protections for 
consumers as long as the standards include strong and thorough 
preemption of state law in those areas in which the federal 
government has legislated. Without adequate preemption, 
providers, health plans, purchasers and manufacturers would 
essentially be subject to 52 different confidentiality laws, 
which is unworkable and leaves consumers vulnerable under a 
patchwork of protections.

                               Conclusion

    With these important HLC principles in mind, we are 
concerned that current legislative proposals fail to recognize 
that most health care services today are delivered in some 
integrated delivery context. Any legislative restrictions 
limiting access to medical records threaten our ability to 
engage in quality-enhancing activities as well as the very 
existence of entire categories of medical research. In 
addition, we are concerned about proposals that would require 
that we obtain patient authorization each time patient 
information is used. This could result in a patient's ability 
to revoke authorization to use information to provide essential 
services, as well as undermine research. This is because 
individuals who deny consent are systematically different in 
important ways from individuals who do consent. For example, 
individuals who deny consent may have had worse outcomes or 
they may be less satisfied with their care.
    Studies describing the outcomes of diseases or the 
effectiveness or cost-effectiveness of treatments which exclude 
such individuals would be biased--they give us the wrong 
answer. Moreover, while research is clear on the point that 
individuals who deny consent are systematically different from 
those who consent, the direction and magnitude of those 
differences are completely unpredictable from study to study. 
So not only will such research result in the wrong answers, but 
it will be impossible to determine how wrong they are or in 
what way. Thus, the reliability and validity of findings from 
such research will be suspect and lead to the design of 
potentially incorrect medical treatments. The inclusion of all 
qualifying individuals is the only way to assure that accurate 
conclusions are drawn about the prognosis of disease, the 
outcomes of therapy or the quality of care.
    The underlying motivation for many of the legislative 
proposals is to keep personal medical information between the 
patient and his or her physician. While this idea could be very 
attractive; in our complex health care environment, it is an 
unattainable ideal. For example, in an average medical visit 
the following individuals and groups have access to a patient's 
complete medical record: the appointment office, the 
registration desk, all physicians, physician assistants, and 
nurses who provide care for the patient as well as their 
receptionists and secretaries, all laboratory, EKG, and x-ray 
technicians who perform the necessary tests, infection control 
officers who regularly survey medical records for reportable 
diseases, continuous improvement staff who strike to improve 
out health care processes, members of the marketing department 
who seek to ensure patient satisfaction, the business office 
for billing, the legal department, and insurers and other 
third-party payers.
    With this in mind, the Healthcare Leadership Council would 
like to work with lawmakers in search of meaningful and 
balanced federal confidentiality standards that allow us to 
achieve the promise of the information-based 21st Century 
health care delivery system. The HLC looks forward to working 
with you and your staff.
    Thank you for your attention and leadership on this most 
important issue.
      

                                

                      International Society for            
                               Pharmacoepidemiology        
                           2000 L Street NW., Suite 200    
                                       Washington, DC 20036
                                                     March 25, 1998

The Honorable Bill Archer
Chairman, House Ways and Means Committee
Attention: Bradley Schrieber
Room: 1102 LHOB
Washington, DC 20515

    RE: Written Testimony on Medical Confidentiality, March 26, 1998 
Hearing

    Dear Mr. Chairman:

    On behalf of the International Society for Pharmacoepidemiology 
(ISPE), we are pleased to submit written testimony in response to the 
hearing regarding the confidentiality of medical records and draft 
legislation scheduled for March 26, 1998. Our professional society 
embraces the principle of protecting the confidentiality of 
individually identifiable medical information while preserving 
justified research access to such information in the interest of the 
public's health.
    The research conducted by members of our society and others in our 
field evaluates populations to understand the extent, natural course, 
and burden of diseases. Pharmacoepidemiology is an observational, non-
experimental science. In contrast to clinical trials, which are 
experimental, an epidemiologic observational study observes patients in 
the real world of clinical medicine, and the patient is at no medical 
risk from being part of the study. It is the science of 
pharmacoepidemiology that is used to evaluate the risks and benefits of 
medications in large numbers of patients in the real world setting. 
Pharmacoepidemiologic studies have had a major impact on the public's 
health in general and on our understanding of the risks and benefits of 
medications in particular. For example, such studies documented the 
risk of aspirin and Reye's Syndrome in children and the risk of vaginal 
cancer in daughters of women who took diethylstilbestrol (DES) while 
pregnant. Pharm-acoepidemiologic studies will continue to be important 
in the future. ISPE urges that any new laws or changes in existing laws 
aimed at further protecting data privacy be formulated with an 
acknowledgment of the value to society of pharmacoepidemiologic 
research.
    We are especially concerned about legislation relating to patient 
informed consent and the use of IRBs for certain observational research 
that uses encrypted patient data, and we pay special attention to the 
definition of ``identifiable data.'' While the development of new 
legislation presents an opportunity to strike a fair balance between 
individual privacy needs and legitimate access to information for 
research in the public's interest, there is also the opportunity to 
inadvertently stifle important research, while offering no meaningful 
new protections. We offer our help to you, your colleagues and your 
staff in the development of legislative answers to these important and 
complex issues.

            Yours sincerely,
                                      Jerome L. Avorn, M.D.
                                                          President
                               Elizabeth Andrews, Ph.D.    
                                     Chair, Ad Hoc Committee on    
                                  Data Privacy in the US and Canada

Enclosures
      

                                

International Society for Pharmacoepidemiology ISPE Fact Sheet 1997-98

                               Membership

    More than 1300 members from 45 countries
     Pharmaceutical Industry--35.6%
     Academic Institutions--40.8%
     Government Agencies--11.0%
     Clinical Practice & Consulting--12.6%
     North America--50.1%
     Europe--36.1%
     Asia--8.6%
     Other Continents--5.2%
     Correspondents in 19 Countries
     National Chapters in Argentina, Belgium, 
Netherlands
     Associate to Member of World Health Organization 
Council for International Organizations of Medical Sciences 
(CIOMS).

                          Membership Benefits

     Pharmacoepidemiologic Scientific Forums for 
Research Interchange
     Policy Fromulation Relevant to the Professional 
and Research Work
     Environments
     Enhanced Professional Communication:
    --Forum Networking Opportunities
    --Reduced Registration for Annual International Conference 
on Pharmacoepidemiology
    --Subscription to the journal
    --Reduced Subscription Price
      

                                

Society Objectives

                           Mission Statement

    The International Society for Pharmacoepidemology (ISPE) is 
a non-profit international professional membership organization 
dedicated to promoting pharmacoedpidemiology, the science which 
applies epidemiological approaches to studying the use, 
effectiveness, value and safety of pharmaceuticals. ISPE is 
firmly committed to providing an unbiased scientific forum to 
the views of all parties with interests in drug development, 
drug delivery, drug use, drug costs, and drug effects.
    A. Establishment of scientific forums.
    1. Convene an annual scientific forum where members of the 
discipline meet each other, present results of methodologic 
investigations and studies in progress, discuss public health 
policy issues concerning pharmacoepidemiology, etc.
    2. Convene periodic symposia on scientific and public 
policy issues of common interest.
    3. Sponsor industry, provider, and academic caucuses to 
address issues of particular interest to caucus members.
    4. Convene periodic consensus conferences.
    B. Dissemination of scholarly and practical information.
    1. Publish a newsletter highlighting emerging issues, news 
of the field, employment opportunities, etc.
    2. Collect information on existing curricula and aid in 
developing curricula criteria and professional training 
standards. Provide information on worldwide training 
opportunities.
    3. Sponsor/co-sponsor/co-sponsor superior quality peer-
reviewed publications.
    A. Facilitation of professional communication.
    1. Establish a clearinghouse on data resources for 
pharmacoedpidemiologic studies.
    2. Establish a directory of pharmacoedpidemiology 
consultants.
    A. Capacity building.
    1. Establish funding resources for pharmacoepidemiology 
training scholarships.
    2. Act as an advocate for the field in affecting health 
policy and the allocation of resources with government 
agencies, the pharmaceutical industry, private foundations, 
universities, other professional groups.

    [Additional material is being held in the Committee files.]
      

                                

Statement of Medical Group Management Association

    Mr. Chairman and Members of the Subcommittee, the Medical 
Group Management Association (MGMA) appreciates this 
opportunity to provide input on the general issue of patient 
confidentiality. As this issue is further developed and 
legislation is crafted, MGMA will submit a more detailed 
analysis.
    MGMA is the oldest and largest association representing 
physician group practices with more than 8,900 health care 
organizations nationwide in which just under 200,000 physicians 
practice medicine. MGMA's membership reflects the diversity of 
physician organizational structures today, including large tax-
exempt integrated delivery systems, taxable multi-specialty 
clinics, small single specialty practices, hospital-based 
clinics, academic practice plans, integrated delivery systems, 
management services organizations, and physician practice 
management companies.
    MGMA believes that the provider-patient bond is the most 
important relationship in the health care arena. Even with the 
changes occurring in the marketplace, the trust engendered in 
these encounters should remain constant. Physician practices 
have a duty to patients to ensure their medical records are 
held in confidence and are disclosed only in appropriate 
situations. The evolution of information flow, health care 
records computerization, managed care contracting, and 
organizational restructuring require an appropriate balance for 
health care systems to thrive while simultaneously safeguarding 
the confidentiality of medical records. The following 
represents MGMA's support of the highest level of medical 
records confidentiality that can be achieved without imposing 
onerous regulations on physician practices.
Applicability to Smaller Practices

    Confidentiality policy should not be predicated on new 
personnel intensive statutes or regulations, at a time when 
pressures to contain costs are forcing physician offices and 
hospitals to decrease staffing. MGMA urges Congress and the 
Administration to consider how confidentiality legislation will 
impact physician practices. There is no cookie cutter process 
for all physician offices, and certain provisions, such as 
those that are technology-based, would disproportionately 
burden small practices.

Medical and Outcomes Research

    Patient confidentiality legislation and regulations should 
not unnecessarily interfere with legitimate medical research. 
MGMA believes the confidentiality of medical records must be 
balanced against the benefits of medical research and efforts 
to improve the quality of care. Aggregating medical data, being 
able to access subjects' profiles, and possibly contacting 
subjects for follow-up information are vital components of 
medical research. Institutional review boards should be 
permitted to waive informed consent requirements for the 
minimum amount of necessary disclosure, when appropriate 
standards have been developed and have been applied to clinical 
and quality research initiatives by institutional review 
boards.

Scope of Statutes

    Anyone who improperly discloses confidential medical 
records should face civil and criminal penalties. MGMA urges 
policy makers to adopt confidentiality measures that apply to 
everyone. Whether a health care provider improperly reveals 
information to an employer, or a person finds medical records 
and reveals them publicly (e.g., to a newspaper), an individual 
suffers both emotionally and financially when a person breaks a 
medical confidence.

National Standards

    Policy makers should ensure that federal preemption is part 
of confidentiality legislation. Lawmakers should build in 
protections at the federal level to guard against specific 
types of disclosure and discrimination. This will ensure that 
every patient has the security of knowing that his or her 
records will remain confidential, and will allow providers with 
patients residing in different states to know how 
confidentiality standards apply to their practices. National 
uniformity will give physicians one set of standards and will 
make compliance feasible.

Notification Requirements

    Notifying third parties of incorrect information within a 
medical record is a shared responsibility. Health care 
providers should notify those parties they have previously 
provided with unamended information of substantial changes to a 
patient's health records. In addition, if patients notify 
health care providers that third parties are in receipt of 
incorrect information, physicians should be responsible for 
notifying the identified party of changes which substantially 
alter the insurance risk for an individual or substantially 
affect the care rendered by another health care professional. 
In contrast, asking physician practices to become the hub of a 
notification cycle between contractors and others who may be in 
receipt of incorrect information imposes unwarranted regulatory 
burdens on physician practices.

Identifying Improper Disclosure

    Statutes or regulations should define explicitly improper 
disclosure of medical records. Federal policy should carve out 
situations where disclosure is unlawful and attach appropriate 
penalties to identified improper disclosure. This contrasts 
with the assumption that all but narrowly defined disclosure is 
improper. MGMA believes that lawmakers can target prohibited 
behaviors without significantly hindering health care systems' 
operations or medical research by assuming the impropriety of 
information flow. As such, MGMA supports the approach taken in 
Representative Chris Shays' draft legislation, which would 
facilitate compliance with the statute, rather than presuming 
that all disclosure is improper.

Law Enforcement

    Law enforcement access to medical records should be 
balanced against a patient's right to privacy. Much as medical 
records confidentiality should be balanced against the above 
factors, it should be considered in light of law enforcement 
needs. While MGMA acknowledges law enforcement's investigative 
needs, we believe that law enforcement access to records should 
not be unfettered. Health care providers should release medical 
records to law enforcement officials only when police or 
investigators have obtained a court order which protects the 
information from further disclosure.
    In closing, we would like to thank the Subcommittee for its 
consideration of this issue and of MGMA's perspective. We will 
continue to provide comments as the confidentiality issue 
develops and appreciate the opportunity to comment on this 
issue.

For further information, please contact Rayna L. Richardson, 
Government Affairs Representative, at (202) 293-3450.
      

                                

Statement of National Breast Cancer Coalition

    Thank you, Mr. Chairman and members of the Committee for 
your leadership efforts to begin to address the important 
issues of patient protection and the advancement of medical 
research inherent in the medical privacy discussion as we move 
into a new era of research and information technology.
    The National Breast Cancer Coalition (NBCC) is a grassroots 
advocacy organization dedicated to eradicating breast cancer. 
We are made up of 400 member organizations and hundreds of 
thousands of individuals. The NBCC seeks to increase the 
influence of breast cancer survivors and other activists over 
research, clinical trials, and public policy and to ensure 
access to quality health care for all women.
    It is critical that as the nation begins to address issues 
of medical privacy, we also address issues of genetic 
discrimination. The NBCC strongly believes federal legislation 
is needed to establish a national policy which ensures 
confidentiality; protects individuals from genetic 
discrimination; controls the use of health information 
collected by health care payers and providers; requires 
authorization for the use of an individual's health information 
for other purposes; and does not impede the progress of 
biomedical, behavioral, epidemiological and health services 
research. We believe medical research should be encouraged and 
pursued--but in a way that protects the rights of individuals 
and enhances public trust in medical research. We want to work 
together with policy makers and the scientific community to 
strike the appropriate balance between the protection of 
individual privacy rights and the pursuit of biomedical 
research.
    The NBCC believes individual privacy rights are fundamental 
to being a citizen in this country. As breast cancer survivors, 
we believe that our illness, diagnosis, treatment and prognosis 
is very personal and intimate information. It is paramount to 
NBCC, that individuals have the right to decide to whom and 
under what circumstances their protected health information, 
including genetic information, will be disclosed and the right 
to inspect and copy their own medical records.
    In addition, the NBCC believes medical privacy and 
discrimination around genetic testing are related issues which 
must be addressed simultaneously. Genetic discrimination issues 
drive many of the underlying medical privacy concerns, so to 
try to regulate medical privacy without confronting issues of 
genetic discrimination is ludicrous. For example, to ensure 
protection against genetic discrimination, individuals should 
be able to segregate certain private information to be filed 
separately so it will not be distributed to health care payers 
with the rest of the patient's chart. Breast cancer patients 
should be able to request that genetic information such as BRCA 
1 and BRCA 2 test results are not sent to insurers or others, 
but are sent to the radiologist to ensure the results of a 
mammogram are read accordingly.
    The misuse of medical information must stop. We do not want 
to wake up like we did earlier this year to front-page 
newspaper stories about major pharmacies selling medical 
records to marketing firms without authorization. Nor should we 
be fearful of talking frankly with our physicians about our 
medical conditions because the information may end up in the 
wrong hands or cost us our health insurance or jobs. The 
increasing complexity of the current information age demands a 
public solution to protect our rights to privacy. Federal 
legislation must be enacted which will safeguard our privacy, 
prohibit the unauthorized disclosure of protected health 
information (except under very limited exceptions) and protect 
an individual's personally identified health information from 
misuse.
    We need protection against the improper use and 
unauthorized disclosure of genetic information. Everyone 
cheered the discovery of the breast cancer genes, BRCA 1 and 
BRCA 2, but if we are ever going to have the knowledge for this 
discovery to make a difference in eradicating breast cancer we 
must limit disclosure of genetic information and outlaw genetic 
discrimination in health insurance and the workplace. Such 
disclosure can cause significant harm to individuals, including 
stigmatization and discrimination by health insurers and 
employers. At the very least, the NBCC believes that an entity 
should be prohibited from disclosing genetic information 
without the prior written authorization of the individual. We 
also believe legislation should include prohibitions against 
discrimination by employers, making it unlawful to refuse to 
hire, to discharge, or to deprive individuals of employment 
opportunities based on genetic information, including an 
individual's request for genetic services. It should also 
extend such protections against genetic discrimination to 
health insurance and prohibit health plans from denying, 
canceling, refusing to renew, or changing the terms, premiums 
or conditions based on genetic information.
    In addition, federal legislation must limit authorization 
for disclosure of protected health information only to what is 
necessary for the provision of treatment and payment services. 
The ability of insurance companies to share medical information 
throughout its other divisions is a direct threat to the 
privacy and protection of medical records. Most insurance 
companies are complex financial institutions. Without 
protection, the same company that pays for health care would be 
able to share medical information across divisions, such as 
life insurance, financial planning, disability, etc. We believe 
there should be strong criminal and civil penalties for 
intentionally or negligently using individually identifiable 
health information and individuals should have a civil right of 
action against anyone who misuses their protected health 
information.
    A critical piece to protecting medical information is 
informed consent. But informed consent today affords little, if 
any, protection. These documents are rarely read because of 
their length and legal terminology. As patients seeking medical 
care, we have to sign blanket waivers allowing disclosure of 
our medical information in order to obtain treatment or payment 
for care. These authorizations do not protect us as they should 
from unnecessary disclosure because we have no idea how the 
information will be used. Women sign these documents because 
they think their signature is necessary to receive vital health 
care. The NBCC believes that any authorization should be 
limited to treatment services and payment purposes and that the 
definition of information that can be provided be construed as 
narrowly as possible. A legal obligation of confidentiality 
should be imposed on those who provide and pay for health care, 
as well as on the entities that receive that health 
information.
    Securing medical privacy rights, however, should not come 
at the expense of medical research. Despite our best efforts 
and your leadership, breast cancer is still the most common 
form of cancer in women. We still do not know the cause or have 
a cure for this dreaded disease. Over the past few years, there 
have been incredible discoveries at a very rapid rate that 
offer fascinating insights into the biology of breast cancer, 
such as the isolation of breast cancer susceptibility genes and 
discoveries about the basic mechanisms of cancer cells. These 
discoveries have brought into sharp focus some of the areas of 
research that hold promise.
    The NBCC believes that legislation protecting medical 
information and privacy should be balanced. We want to see 
federal standards that safeguard personal health information 
while protecting the ability of researchers to conduct vital 
biomedical research. We don't believe that you can have one 
without the other. Knowledge about how to prevent and cure 
breast cancer will only come if women participate in research. 
But without appropriate safeguards against misuse, public 
distrust will increase and few women will be willing to 
participate in research efforts, whether donating tissue or 
enrolling in clinical trials. Women will have the confidence to 
participate in clinical trials only if they believe that their 
individual health information will be kept private so that it 
can't be used against them by insurers or employers. In 
addition, without a guarantee of privacy, women are less likely 
to be honest with their doctors, endangering their own health 
and slowing the overall progress of improved health care for 
the general population. It can't be emphasized enough that we 
must focus our attention on building public trust. There has to 
be real, believable protection if women are to place their 
trust in the medical and research process.
    The NBCC would like to see the common rule protections 
extended beyond research funded by the National Institutes of 
Health. The NBCC believes these protections should be the same 
for all medical research whether publicly or privately funded. 
Much benefit to research could be obtained by giving research 
special privacy considerations. It may make it easier to 
distinguish research access from clinical chart access.
    The NBCC believes that ideally there should be one federal 
statue that effectively guarantees privacy rights, but given 
the reality, we think it is advisable that federal legislation 
be seen as the floor; and that states should be able to pass 
laws that allow more stringent safeguards that do not, at the 
same time, inhibit medical research from going forward.
    Mr. Chairman, and members of the Committee, thank you again 
for your leadership on this important issue. We look forward to 
working with you to restore public confidence and trust in our 
medical system, and to achieve the necessary balance between 
individual privacy and the promise of medical research.
      

                                

Statement of National Pressure Ulcer Advisory Panel, Alexandria, 
Virginia, Rita Frantz

                            I. Introduction

    My name is Rita Frantz and I am the current President of 
the National Pressure Ulcer Advisory Panel. I am also a 
Professor at the College of Nursing at the University of Iowa. 
I am submitting this testimony on behalf of the National 
Pressure Ulcer Advisory Panel (NPUAP). The NPUAP appreciates 
the opportunity to provide written comments for the record 
regarding patient confidentiality.
    The NPUAP is an independent, not-for-profit organization 
dedicated to the prevention and management of pressure ulcers. 
Formed in 1987, the NPUAP is comprised of fifteen leading 
authorities, representing various disciplines, including 
medicine, nursing, research, physical therapy and education--
all of whom share a commitment to the prevention and management 
of pressure ulcers. The NPUAP serves as a resource to health 
care professionals and, while not a membership organization, 
welcomes and encourages the participation of those interested 
in the pressure ulcer issues through utilization of NPUAP 
educational materials, participation at national conferences, 
and support of NPUAP efforts in education, public policy and 
research.
    Our organization was instrumental in developing the medical 
criteria and utilization parameters adopted by the Durable 
Medical Equipment Regional Carriers. Moreover, our panel 
members developed a definition and staging system for pressure 
ulcers. The Agency for Health Care Policy and Research used 
these guidelines when they developed their publication, 
``Pressure Ulcers in Adults: Prediction and Prevention.''
    The goal of the NPUAP is to assist health care 
professionals in reducing the incidence of pressure ulcers by 
50%. In order to achieve this goal, our panel members, 
independent of the NPUAP, conduct extensive clinical trials and 
research. The impending patient confidentiality issue greatly 
impacts the clinical trials and research of our members. The 
NPUAP supports respecting and preserving patient 
confidentiality. There is a need for enforcing privacy in 
medical records. Any privacy initiatives, however, should not 
be so restrictive as to hamper quality assurance, vital health 
care research and education.
    Specifically, NPUAP is concerned that while protecting a 
patient's rights to privacy, Congress's actions may 
inadvertently harm the interests of patients by unnecessarily 
restricting access to information needed by researchers and 
clinicians to (1) determine the safety and effectiveness of 
medical treatments, (2) assess the usefulness of diagnostic 
tests, (3) identify disease risk factors, (4) monitor the cost 
effectiveness of new interventions, (5) educate those entering 
the medical profession, and (6) ensure quality assurance/ 
improvements. Such information is necessary to continue 
providing the public with health care.

                           II. Authorization

    The first issue of concern for the NPUAP regards proposed 
language that requires authorization every time a patient's 
record is accessed. The NPUAP agrees that patient authorization 
is necessary. We believe that a patient's authorization should 
be required in order to use a patient's medical record for a 
clinical or chart review study before beginning to conduct the 
study. However, we believe that only one authorization is 
necessary per study. If the focus of the study changes a new 
authorization should be sought. Requiring authorization every 
time the patient's record is accessed will greatly impact 
quality assurance, research and development and clinical trials 
as discussed in more detail below.

Quality Assurance

    Quality assurance is required by JCAHO in every care 
setting that it accredits. Some state health departments or 
licensing agencies also require quality assurance activities in 
all nursing homes and home health agencies. Quality assurance 
is a standard of care. Most quality assurance activities 
involve chart review or collecting clinical information to 
improve the quality or delivery of care. Requiring patient 
authorization for every quality assurance activity would 
dramatically affect quality assurance efforts due to 
substantial burdens on time and labor. Furthermore, restricting 
data as inputs to quantitative studies minimizes the 
statistical significance of the resulting conclusions.
    Quality improvement review of a patient's record requiring 
authorization would exclude many patients who are demented or 
confused and who do not have a legal guardian. These are the 
very patients for whom this kind of research is important. If 
we are unable to collect data on them because of the lack of a 
legally appointed guardian, a large number of patients will be 
omitted from studies.
    Chart review studies within facilities designed to monitor 
quality of care, track outcomes, provide data to develop 
critical pathways or improve care are not truly ``Institutional 
Review Board (IRB) reviewed studies.'' They also do not fit 
into the category of ``treatment or payment'' as defined in the 
draft legislative proposals or in the Secretary's 
recommendations. This access to medical records is an important 
quality improvement mechanism. Currently, there is no 
authorization requirement if the chart review is for quality 
assurance purposes. There should not be additional safeguards 
placed on facilities monitoring quality assurance or 
improvement. The NPUAP believes that quality assurance 
monitoring or studies should be excluded from any new or 
additional requirements.
    If the study is an IRB reviewed study, upon obtaining 
informed consent, the IRB must approve the chart review 
process. Technically, this requires re-review for any new 
survey questions or tests that may be added on as an after 
thought. If the data gathered is from a previous chart review 
and it will be used for new or different analysis compared to 
the original study's intent, a new consent is required. For 
example, if a chart is reviewed to determine risk factors for 
pressure ulcers and later decide to re-analyze the same data 
and publish a paper on socio-economics, a new consent is 
required. The NPUAP supports the current IRB system and would 
like to see it maintained. IRB review is specifically designed 
to protect the rights of subjects, including the right of 
confidentiality.

Research and Clinical Trials

    Innovations in medicine and medical technology continually 
revolutionize health care research. Continued progress depends 
on research and clinical trials. Frequently, the clinical 
trials and research involve collaboration with providers to 
study the safety of products utilized in clinical practice for 
treatment and prevention of pressure ulcers. In addition, 
results of research studies help design new clinical trials and 
monitor how well treatments work in clinical practice.
    There is a requirement to obtain authorization for human 
subjects prior to enrolling them in a research study. All 
institutions that receive some type of federal funding must 
provide for review of research involving human subjects and 
must ensure that investigators obtain consent from subjects 
used in their research.
    Chart review studies are a rich source for research. Many 
of the studies that the Agency for Health Care Policy and 
Research (AHCPR) panel used in the development of the 
``Guideline for Pressure Ulcer Treatment and Prevention'' were 
either chart review studies or clinical trials that were built 
on information gained with pilot chart review studies. For 
example, much of what we know about risk factors for pressure 
ulcer development is based on chart review studies. Chart 
review studies are currently approved by IRB's without 
individual patient authorization provided confidentiality is 
maintained and there are no individual patient identifiers in 
the results.
    In general the IRBs do a good job of reviewing each 
proposal on its own merits and helping to design a process that 
protects subjects confidentiality and safety, while trying to 
facilitate rather then block research. Each proposal is 
reviewed based on the overall risk to patients and the true 
need for the information. Therefore, in a clinical trial the 
patient expressly consents to the researcher's use of their 
medical information. As a result, the NPUAP does not believe 
that there is any need to require any further safeguards in 
this area. IRB monitored chart review research should continue 
without individual patient authorization...given the protective 
restrictions that currently apply.

                             III. Encoding

    The second topic NPUAP would like to address is the 
encoding issue. NPUAP believes that if patient identifiable 
information is used in research or clinical studies, it should 
be encoded: replacing identifying information by a code. The 
identity of the patient is not apparent from the information 
itself, but from the code issued.
    If the patient's record is non-identifiable and the study 
contains no patient identifiable information, no consent is 
currently necessary. In this case, a medical record person, not 
connected with the study, makes a copy of the chart, goes 
through each page and blacks out any reference to patient 
identification. Non-identifiable patient specific information 
is also information that has been aggregated in such a manner 
that the identities of the subjects can not be identified under 
any circumstances. Under these circumstances, the charts can be 
used for any purpose desired by the researcher. This process is 
extremely labor intensive and expensive. Non-identifiable 
patient informational data is generally not as useful for 
research as it lacks the detail that is required for meaningful 
or sophisticated analysis. A researcher could not recheck the 
chart or gather additional information for their particular 
study with non-identifiable patient information. A researcher 
could not notify the patient if they identified a problem in 
the patients care plan or treatment.
    For clinical studies patient authorization documents should 
state that the researcher might need access to the patient's 
medical information for auditing and source verification. 
Furthermore, the authorization document should include a 
statement that the patient identifiable information will remain 
confidential. By signing the consent, the patient, or the 
patient's representative, has given their approval to review 
the medical record.
    Once the authorization is obtained, patient's information 
becomes randomized. A subject number is assigned to a patient. 
This number is provided in an envelope, along with the 
treatment assigned by the clinical product number. The 
principal researcher then cites the subject number and their 
initials on each case report form for the patient. Only subject 
numbers are used in the data listings and subsequent reports. 
The identity of each patient can only be determined by the 
researcher. NPUAP believes this process for research is 
practical.

                             IV. Preemption

    The NPUAP believes that the standards imposed by any 
legislative proposal should be universally applied. The NPUAP 
believes that there should be preemption of state laws. Uniform 
standards that preserve patient rights and that foster high 
quality clinical research efforts should be adopted.

                           V. Clarifications

    In the Secretary's recommendations, and in some of the legislative 
drafts, there has been language suggesting that a patient can amend 
their medical record. It is unclear what type of amendments a patient 
would be permitted to make. If a patient is simply amending 
administrative items (address, phone number) that is acceptable. 
However, the NPUAP strongly disagrees with any language allowing a 
patient to amend medical or diagnosis information. The NPUAP believes 
that you should either prohibit a patient from amending their medical 
records or clarify this language to reflect what type of amendments a 
patient could make to their record. By not having this clarification 
and stating that a patient can amend their medical records, you imply 
they can amend their medical or diagnosis information. Besides the 
impending medical malpractice that would result, a patient should not 
be able to amend their medical information. NPUAP urges you to clarify 
the language so a patient is prohibited from amending any medical or 
diagnosis information contained in their medical record.
    In the Secretary's recommendations and in drafted legislative 
proposals authorization is not required for disclosure of protected 
health information for payment purposes. It is unclear what is included 
in the term ``payment purposes.'' If a provider of services were 
required to obtain a certificate of medical necessity, which includes 
patient identifiable information in order to be paid, would they be 
permitted to obtain the information without authorization?
    A patient's record must be accessible to providers to the extent 
the information is needed to facilitate billing and care plan 
development. Failing to keep these records available could lead to 
duplication of services, missed diagnosis, and possibly abusive billing 
practices. Without the data required to establish medical necessity a 
provider would either not get paid or they could not successfully 
appeal any denials. The NPUAP believes a provider should be required to 
obtain a one time billing authorization. However, to require providers 
to obtain an authorization every-time a provider needed information for 
billing or appeals purposes would be a costly burden. The definition 
for ``payment purposes'' must be clarified.

                             VI. Conclusion

    In summary, as your Subcommittee considers patient medical 
records privacy and confidentiality standards, the NPUAP 
implores you to remember how vital medical and records research 
is to maintaining and improving health care. Research on 
prevention, new treatments and products depends on patient's 
participation in clinical trials and researcher's access to 
their relevant medical information as well patient databases.
    Blanket signed authorizations allowing transfers of medical 
information to insurance companies, credit organizations, 
employers, etc. is problematic. This information can be either 
sold or transferred to national data banks where information 
may be used against the consumer or used for discriminatory 
purposes. This process should be stopped and medical 
information should be protected.
    The NPUAP supports reasonable protections with appropriate 
safeguards. The NPUAP supports legislative language requiring 
patient authorization. However, we believe the requirements of 
the IRB are stringent enough and therefore, clinical research 
should be exempt from any new or additional requirements. The 
NPUAP also believes that access to encoded data should be 
excluded from any new requirements or restrictions applicable 
to information that identifies the patient. Only data sources 
or collections of samples that directly identify individuals 
should be subject to confidentiality protections. Finally, 
uniform national standards that preempt state laws concerning 
confidentiality are necessary.
    The NPUAP thanks you for the opportunity to submit this 
written testimony. We would be happy to provide you with any 
additional information or answer any questions you may have.
      

                                

Statement of Congressman Christopher Shays

    Thank you Mr. Chairman and Members of the Committee for the 
opportunity to provide you with my thoughts on medical records 
confidentiality.
    On September 11, Secretary Shalala testified that 
protecting the confidentiality of medical records is critical 
as our health system enters the 21st century. I couldn't agree 
more.
    Under the Health Insurance Portability and Accountability 
Act, known as HIPAA or Kassebaum-Kennedy, Congress set a 
schedule for action on this issue. Should Congress fail to 
enact comprehensive legislation to protect the confidentiality 
of patients' medical records by August of next year, the 
Secretary will promulgate regulations by February 2000. I do 
not welcome the prospect that the Secretary will impose 
regulations--without Congressional debate or review--that could 
impact all facets of our health care system.
    I want to recognize the efforts of Senators Bennett and 
Jeffords to move forward in this area. Their recognition that 
this is a serious problem has elevated the debate to a ``must 
do'' issue. Generally, the Senate has been driving the debate 
on legislation to protect the confidentiality of medical 
records. I am concerned, however, that the approach currently 
being devised by the Senate Labor Committee is overly 
burdensome. That is why I have been working on a different 
approach to spark discussion on this side of Capitol Hill. It 
is an important effort that I hope this subcommittee examines 
carefully.
    Mr. Chairman, this is a complex problem that spans a broad 
spectrum of interests. In general, there are two opposing camps 
with very distinct and legitimate claims. One seeks to secure 
absolute privacy that would make it difficult, if not 
impossible, to coordinate the delivery of health services. The 
other seeks to protect the confidentiality of medical records 
and maintain largely untouched the current low standard of 
protections currently afforded to health information. I believe 
the solution lies somewhere in between.
    Those who seek to secure absolute privacy in a health 
context are prescribing a disaster for our health delivery 
system. We need to balance competing interests, between a 
person's legitimate expectation of confidentiality and a 
business's need to know what it is paying for. In my judgment, 
the way to accomplish this is to leave the computer databases 
alone--and criminalize misuse of their data, recognizing there 
are both appropriate and inappropriate uses for medical 
information.
    Unfortunately, there is no guiding legal principle in this 
area. Instead, there is a patchwork of state and federal law 
that protects people in some states with some diagnoses but not 
others. A strong, uniform law is necessary to preempt the quilt 
of state protections that treat medical records differently. 
Multi-state health plans that submit bills to clearinghouses 
who then forward claims to separate payors cannot operate 
through a maze of differing standards, regulations and 
restrictions.
    The bill I intend to introduce next week, hopefully with 
the Chairman's support, will protect the confidentiality of 
medical records while protecting legitimate uses. The 
legislation will delineate the inappropriate uses of medical 
information--such as intentional or negligent disclosure, sale 
or commercial publication, or the use of fraud, deceit or 
misrepresentation to access information. These prohibitions 
relate specifically to individually identifiable information. 
Use of anonymous information will not be affected, unless 
intentionally decoded.
    In addition, my bill will allow patients to inspect, copy 
and, where appropriate, amend their medical records. Finally, 
the bill will impose strong criminal and civil penalties for 
inappropriate disclosures, and will preempt state law, creating 
a uniform system. Combined, these proposals should enhance the 
security of the patient medical record without jeopardizing 
advances in quality health care.
    With current technology and future advances there are both 
real dangers and substantial opportunities with respect to 
protected health information. Absent strong, practical and 
workable standards, many will fall victim to those dangers and 
opportunities will be missed.
    Innovative developments in the delivery of health services 
and technological advancements mean health information is both 
more important and more vulnerable. While we can all agree that 
sensitive information such as psychological evaluations and 
drug abuse counseling needs to be kept private, we also need to 
allow health plans and researchers to review health information 
to improve education and treatment.
    It is my hope we can pass a national confidentiality law 
assuring patients' rights, while balancing the interests of 
payors and providers, data processors, law enforcement 
agencies, and researchers. Congress should pass legislation to 
secure the confidentiality of medical records, and it should be 
done this year.
    Mr. Chairman, I appreciate the opportunity to share these 
views with you.

                                   -